Global Critical Information Infrastructure Network Security Analysis Report

Statement

This article is a study of the 360 Global Critical Information Infrastructure Network Security Analysis Report. These study notes are compiled and shared in the hope that more people will benefit. If there is any infringement, please contact us in time.

Chapter 3 APT Attacks Against Critical Information Infrastructure

Critical information infrastructure has historically been the focus of APT attacks. Judging from what was observed in 2016, APT attacks targeting industrial systems (covering multiple infrastructure areas) and financial systems are the most common. This chapter therefore takes industrial systems and financial systems as examples to briefly introduce APT attacks on critical information infrastructure.

1. Destruction of industrial systems

Monitoring and research of APT attack events around the world show that the main purpose of most APT attacks is to steal confidential information, and APT attacks with significant destructive effect are rare. However, from the end of 2015 through 2016 there were several destructive APT attacks that attracted global attention, and among them the destructive attacks against industrial systems attracted the most.

On December 23, 2015, on the eve of Christmas, Ukraine suffered a large-scale power outage, and tens of thousands of "disaster victims" had to endure the severe cold. On the night of November 17, 2016, Saudi Arabia was attacked by Shamoon2.0 again, and the computer systems of six important institutions, including the Saudi National Civil Aviation Administration, were severely damaged. It seems that at the end of every year, cyber attacks against industrial systems strike quietly, making it impossible for the unfortunate victims to "see in the New Year with peace of mind".

(1) Christmas blackout in Ukraine

On December 23, 2015, Christmas Eve, the office computers and SCADA system (Supervisory Control And Data Acquisition system, a term generally used to refer to industrial control systems) of a Ukrainian power company suffered illegal intrusion by a third party. The incident caused nearly half of the households in the Ivano-Frankivsk region to lose power for hours. At first, the power company estimated that about 80,000 customers had been affected, but it was later found that attacks on energy companies at three different distribution stations had cut power to a total of around 225,000 customers.

Shortly after the attack, Ukrainian government officials claimed the power outage was caused by a cyberattack and blamed Russian state security for it. The U.S. government, along with many local private companies, assisted Ukrainian government investigators in analyzing the attack to determine the root cause of the failure.

On January 3, 2016, the security company ESET was the first to disclose the malicious code involved in this incident, publishing an article stating that the malicious code that infected the Ukrainian power sector was BlackEnergy. BlackEnergy is a backdoor program that attackers can use to remotely access and control power control systems. In addition, a malicious program named KillDisk was detected in the equipment of several power distribution companies in Ukraine; its main function is to destroy system data and delay the recovery of the system. Furthermore, the researchers also found a backdoored SSH server program on other servers in the power system, which allowed attackers to connect to the infected host at any time using a built-in password.

In fact, this is not the first time that BlackEnergy has attacked Ukraine and power control systems. Since it was first disclosed in 2007, BlackEnergy has gone through multiple variants and upgrades and has carried out multiple rounds of "indiscriminate bombing" of the Ukrainian power system. Research data released by foreign security agencies also shows that in 2016 BlackEnergy continued to attack multiple industrial systems in Ukraine, and in December 2016 it again caused a small-scale power outage at a Ukrainian power company. The table below gives a brief history of BlackEnergy's development.

| Year | Event summary |
|---|---|
| 2007 | Arbor discloses BlackEnergy for the first time, a tool used to create botnets for DDoS attacks; this version is commonly referred to as "BlackEnergy 1". |
| 2008 | BlackEnergy is used to create a botnet during the Russian-Georgian conflict, when unidentified hackers launch a DDoS attack on Georgian networks. |
| 2009 | Hackers use BlackEnergy to steal tens of millions of dollars from Citibank. |
| 2010 | Dell-owned SecureWorks reports a rootkit-equipped variant of BlackEnergy, commonly known as "BlackEnergy 2". |
| July 2011 | ESET virusradar research shows BlackEnergy's global activity peaking. |
| October 2013 | BlackEnergy adds support for 64-bit operating systems. |
| September 2014 | F-Secure spots a new variant of BlackEnergy tailored for the Ukrainian government, commonly known as "BlackEnergy 3". |
| October 2014 | The BlackEnergy development team, suspected to be the Sandworm group, is reported to have attacked NATO, the governments of Ukraine and Poland, and important industrial systems in Europe. |
| October 2014 | ICS-CERT warns of high-severity vulnerabilities in ICS and SCADA and discovers attackers using BlackEnergy 2 to attack SCADA HMI (Human Machine Interface) systems. |
| November 2014 | Kaspersky reports that BlackEnergy 2 can attack routers, Linux systems and Windows systems, including Cisco equipment and the ARM and MIPS platforms. |
| November 2015 | BlackEnergy and KillDisk infections are found in the systems of a Ukrainian mining company and a major railway company. |
| November 2015 | CERT-UA links BlackEnergy and KillDisk for the first time. Around the 2015 Ukrainian election, several news media companies are attacked and many videos and documents destroyed. |
| December 2015 | The Ukrainian power grid is attacked, triggering a massive blackout and sparking widespread concern. |
| January 2016 | CERT-UA reports that Kiev Boryspil Airport, Ukraine's largest airport, was attacked by BlackEnergy. |
| January 2016 | Kaspersky researchers discover a new BlackEnergy document-based attack against Ukraine, using a Word document to attack the Ukrainian TV station STB. |
| December 2016 | Ukraine's national electricity utility is suspected of being cyber-attacked, causing another large-scale power outage lasting about 30 minutes. The outage is suspected to have been caused by "external interference", with malicious attackers carrying out illegal operations on the company's power system through the network. |

The History of BlackEnergy

The continuous attacks on the Ukrainian power system have attracted great attention from the security industry and governments around the world. In fact, the industrial control systems used by almost all power companies in the world are very similar: the operating systems are mostly Windows, and the underlying hardware is monopolized by a few large companies. We therefore consider it very likely that similar attacks will be repeated in other countries and regions.

(2) The Lailat al Qadr attack on Saudi Arabia

According to media reports, on the evening of November 17, 2016, which is the night of Lailat al Qadr in Islam, at least six important Saudi institutions, including GACA (the Saudi National Civil Aviation Administration), suffered serious cyber attacks. A large number of files and data in the victims' computer systems were destroyed and replaced with a photo of Alan Kurdi, the Syrian refugee boy who drowned on September 2, 2015.

The researchers named the malicious program samples captured during the investigation of this attack Shamoon2.0, and named the attack operation Shamoon2.0 as well, because the captured attack samples were found to be a variant of the Shamoon program first discovered in 2012.

On August 15, 2012, the Shamoon malware first appeared in a cyber attack on the Saudi oil giant Saudi Aramco. The attack was launched while the company's employees were on holiday, and files on more than 30,000 of the company's computers were damaged. Afterwards, a group calling itself the Cutting Sword of Justice claimed responsibility for the incident, but according to the analysis of several security agencies at the time, the attack was most likely the work of a state-backed hacker group from Iran.

Therefore, although the media did not report in detail who the other victims were or what specific losses they suffered when covering the cyber attack of November 2016, by reference to the 2012 Shamoon attack and the similarity between Shamoon2.0 and Shamoon we can roughly infer that the main victims of this attack were Saudi industrial systems or the industrial sector, and that the main loss was that large numbers of system files and system data were maliciously deleted, rendering the industrial systems unable to function properly.

Shamoon, also known as Disttrack, is a modular malware program that is highly destructive and capable of causing a complete breakdown of the targeted network. There have been two cyber attacks attributed to Shamoon before (one of them a suspected case), and the target of both was Saudi Arabia.

The module programs used by Shamoon fall into three categories: Dropper, Communications and Wiper components. Shamoon not only collects data on the target but is also very destructive: there is a timer inside the program, and when the system time passes the set time, Shamoon overwrites the disk (including the MBR, the partition table and the partitions) with useless data such as a specific JPEG picture, destroying the disk data and paralysing the attacked system.

In fact, both the 2012 Shamoon and the 2016 Shamoon2.0 used the JPEG method: the 2012 attack used an image of a burning American flag, while the 2016 attack used the photo of Alan Kurdi, the Syrian refugee boy who drowned on September 2, 2015.

The way the malicious programs of the two attacks were written is also very similar. Both use the same RawDisk device driver (with the same temporary certificate key). When the dropper releases the malicious program components, it reads a number of bytes from a specific location in its resources, decrypts them with a Base64-encoded key by XORing it with the byte string obtained from the resource, and splices the results together to obtain the complete program.

Shamoon itself also tries to access the Active Directory of the current system and other hosts in the same domain and LAN using its current privileges, and to move laterally. The most serious outcome Shamoon's lateral movement can cause is a massive breakdown of the entire target network.

It is particularly worth mentioning that Shamoon2.0 is more malicious than Shamoon. In previous Shamoon attacks, the malicious samples would first steal user data and upload it to the C&C server before deleting or overwriting files, which in theory made it possible to stop Shamoon's sabotage by blocking the network or restricting IP access. But the attacker behind Shamoon2.0 filled in a completely unreachable C&C server address in the program, and the timer value is hard-coded in the program as 8:45 pm on November 17, 2016. This makes Shamoon2.0 a "time bomb" that will almost certainly "explode" once it is successfully launched.

The figure below shows the basic attack principle of Shamoon. After the dropper is delivered successfully, the communication component is released and, once executed, begins communicating with the C&C server over HTTP. The difference between Shamoon2.0 and the previous version is that the earlier Shamoon uploaded user data to the C&C server, whereas in Shamoon2.0 the C&C server address is set to an unreachable address: 1.1.1.1:8080.

[Figure: basic attack principle of Shamoon. The dropper releases the communication component and the wiper component from its resources; the communication component receives C&C commands and uploads data; the wiper component uses the disk erase driver against the user disk; lateral movement proceeds across the domain or LAN.]

Overall, Shamoon and Shamoon2.0 have strong similarities, not only in the target country of the attacks but also in the chosen attack times (during holidays), and the specific implementation techniques and attack principles are also very similar. Therefore, most researchers believe that the Shamoon and Shamoon2.0 attacks were carried out by the same hacker organization.
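Since blocking the C&C no longer stops Shamoon2.0, detection has to key on what the report describes the sample doing on the host and on the wire. As an added example (not code from the report or from 360), the following Python scans constructed proxy and driver-load log lines for the two Shamoon2.0 traits the report names: beacon attempts to the hard-coded, unreachable C&C 1.1.1.1:8080 and the loading of the RawDisk device driver. The log formats, host names, driver path and the "RawDisk" product string used for matching are assumptions.

```python
"""Added example: scan constructed log lines for the two Shamoon2.0 traits the report
describes, beacon attempts to the hard-coded and unreachable C&C 1.1.1.1:8080 and the
loading of the RawDisk device driver that the wiper component relies on."""
import re
from collections import defaultdict

# Indicators taken from the report text. The RawDisk driver file name is not given in
# the report, so matching on the product string "RawDisk" is an assumption of this example.
SHAMOON2_CC = ("1.1.1.1", 8080)
RAWDISK_PATTERN = re.compile(r"rawdisk", re.IGNORECASE)

# Constructed sample lines (not real logs). Two flattened formats are assumed:
#   <ts> <host> PROXY dst=<ip>:<port> method=<m> status=<s>
#   <ts> <host> DRIVER_LOAD image=<path> product=<name>
SAMPLE_LOG = """\
2016-11-16T09:12:01 ws-0412 PROXY dst=1.1.1.1:8080 method=GET status=TCP_DENIED
2016-11-16T09:12:05 ws-0412 PROXY dst=1.1.1.1:8080 method=GET status=TCP_DENIED
2016-11-16T09:13:44 ws-0119 PROXY dst=10.2.3.4:80 method=GET status=TCP_MISS
2016-11-16T11:02:10 ws-0412 DRIVER_LOAD image=C:\\Windows\\System32\\drivers\\PLACEHOLDER.sys product=RawDisk
2016-11-16T11:40:33 ws-0201 DRIVER_LOAD image=C:\\Windows\\System32\\drivers\\tcpip.sys product=Microsoft Windows
2016-11-16T12:00:00 ws-0201 PROXY dst=1.1.1.1:8080 method=POST status=TCP_DENIED
"""

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) PROXY dst=(?P<ip>[\d.]+):(?P<port>\d+)")
DRIVER_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) DRIVER_LOAD .*product=(?P<product>.+)$")


def scan(lines):
    """Map each host to the sorted list of Shamoon2.0 traits seen in its log lines.
    Note: 1.1.1.1 has been a public DNS resolver since 2018, so the port is part of the
    match; ordinary DNS traffic to 1.1.1.1:53 is not flagged."""
    findings = defaultdict(set)
    for line in lines:
        m = PROXY_RE.match(line)
        if m and (m["ip"], int(m["port"])) == SHAMOON2_CC:
            findings[m["host"]].add("beacon attempt to hard-coded C&C 1.1.1.1:8080")
            continue
        m = DRIVER_RE.match(line)
        if m and RAWDISK_PATTERN.search(m["product"]):
            findings[m["host"]].add("RawDisk driver loaded")
    return {host: sorted(reasons) for host, reasons in findings.items()}


def prioritize(findings):
    """Order hosts for response: a host showing both traits (communication component
    already beaconing and the disk driver staged) comes first. Because the timer fires
    whether or not the C&C answers, the response is host isolation and disk imaging,
    not merely a firewall block."""
    return sorted(findings.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for host, reasons in prioritize(scan(SAMPLE_LOG.splitlines())):
        print(host, "->", "; ".join(reasons))
```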

2. Crimes targeting the financial system

In the first half of 2016, bank theft incidents, typified by the theft from the Central Bank of Bangladesh, occurred one after another, and the victims lost tens of millions of dollars. Then, in the second half of the year, a series of attacks on ATMs, typified by the ATM cash-spitting incident at Taiwan's First Bank, followed. In addition, a domestic APT group, "Golden Eye", which poses as a legitimate software development company, aims at improper profit and has long been engaged in stealing sensitive financial transaction information, was also intercepted between the end of 2015 and the beginning of 2016. These attacks show that even in a financial system that is theoretically isolated and highly protected, cyber attacks can still occur, and the damage is huge.

(1) Transnational bank theft incidents

At the beginning of 2016, the media successively exposed news that the banking systems of Bangladesh, Ecuador, Vietnam, the Philippines and several other countries had been attacked by hackers. Although these attacks occurred at different times, they have one thing in common: the attackers all targeted the SWIFT interbank transfer system and used certain "features" of this system to launch the attacks and destroy evidence. The following table shows the time and losses of some of these attack events.

| Attack time | Attacked bank | Planned theft | Actual loss |
|---|---|---|---|
| 2013 | Sonali Bank | Unknown | $250,000 |
| January 2015 | Bank of Ecuador (Banco del Austro) | Unknown | $12 million |
| October 2015 | Suspected: a bank in the Philippines | Unknown | Unknown |
| December 2015 | Vietnam Pioneer Bank (Tien Phong Bank) | 1.2 million euros | None |
| February 2016 | Bangladesh Central Bank | $951 million | $81 million |
| Unknown | Suspected: a bank in Hong Kong | Unknown | Unknown |
| Unknown | Suspected: banks in the Philippines and New Zealand and more than 10 other financial institutions | Unknown | Unknown |

Time and losses of some SWIFT-related bank attack events

1) Bangladesh Central Bank

On February 5, 2016, Bangladesh's central bank was hacked, resulting in the theft of $81 million. The attacker obtained operating authority over the SWIFT system of the Central Bank of Bangladesh through network attacks or other means, and then sent false SWIFT transfer instructions to the Federal Reserve Bank of New York, where the Central Bank of Bangladesh held a correspondent account. The Federal Reserve Bank of New York received a total of 35 transfer requests worth a total of $951 million. Of those, 30 were rejected, while five transactions totalling $101 million were approved. Of these, $20 million was recovered because a spelling error was discovered by an intermediary bank, and the remaining $81 million was successfully transferred and stolen.

The malicious code we captured from this attack has the functions of tampering with SWIFT messages and deleting relevant data to cover up traces of the illegal transfers. In particular, the attacker bypasses the relevant verification by modifying the data-validity verification instructions of SWIFT's Alliance Access client software.

2) Vietnam Pioneer Bank (Tien Phong Bank)

On December 8, 2015, Vietnam's Pioneer Bank was hacked in a manner similar to the attack on Bangladesh's central bank. The attackers ended up stealing approximately 1.2 million euros from Vietnam Pioneer Bank.

The 360 Chasing Sun team also captured a malicious program sample used in the attack on Pioneer Bank in Vietnam. The malicious code embeds the SWIFT codes of 8 banks at which Vietnamese banks hold correspondent accounts. The purpose of the Fake PDF Reader samples seen so far is not to attack the banks on this list, but to delete the transfer confirmation messages between Vietnam Pioneer Bank and other banks (by tampering with the MT950 statement), so that the bank's monitoring system does not detect the improper transactions.

For a detailed analysis of the attack on Pioneer Bank in Vietnam, refer to the report previously released by the 360 Chasing Sun team: "SWIFT's Sorrow - A Preliminary Study of Hacker Attack Techniques Against Pioneer Bank in Vietnam".

3) Bank of Ecuador (Banco del Austro)

According to Reuters, on January 12, 2015, acting on a message from the Ecuadorian bank's system, Wells Fargo Bank in San Francisco made a transfer to a bank account in Hong Kong. Within 10 consecutive days, at least 12 transfers of the Ecuadorian bank's funds were made through the SWIFT system, totalling up to 12 million US dollars. The Ecuadorian bank took Wells Fargo to court in New York over the matter, arguing that Wells Fargo should have flagged the transactions as suspicious; according to the lawsuit documents, however, both banks believe the funds were stolen by anonymous hackers.

In addition, those in charge of SWIFT did not know about the case until it was reported. According to a source, SWIFT does verify the passwords in the messages sent by the system to ensure that the messages come from the bank user's terminal device, but once the cyber-thieves got hold of the passwords and credentials, SWIFT could not tell whether the operator was actually the account holder. The hackers took advantage of this loophole, stole a bank employee's SWIFT certificate, and then stole a huge amount of money.

4) Sonali Bank

According to Reuters, in 2013 Bangladesh's Sonali Bank also suffered an attack similar to the one on the Bangladesh central bank; the attackers stole a total of $250,000 in bank funds. In the Sonali Bank heist, hackers installed a keylogger on a computer to steal passwords for other systems and then used the SWIFT system to send bogus transfer requests, according to a senior official in the bank's IT operations department.

5) Similarity Analysis of Attack Events

Analysing the attacks from Sonali Bank in 2013 to Bangladesh Bank in 2016, it is not difficult to see that there are many similarities among these four attacks on banks.

From the perspective of attack tactics or attack process, the attacker's attack process mainly consists of three links: obtaining SWIFT authority, using SWIFT to send transfer instructions, and finally clearing evidence to cover up the facts. We analyse them separately below.

1) Obtain the SWIFT authority of the target bank

The attacker first needs to gain access to the target bank's SWIFT system. Judging from related reports, in the attacks on Sonali Bank and the Bank of Ecuador the attackers obtained the relevant permissions through network hacking techniques. In the Sonali Bank incident in particular, it can be determined that the SWIFT-related login account and password were captured and stolen by implanted malicious programs.

It can be seen that to obtain SWIFT operating authority the attacker does not necessarily need physical contact with the bank's internal systems; it can be done through network attacks. At present, no reports clearly indicate how the SWIFT system permissions of the Bangladesh central bank were stolen, but researchers investigating the incident said the hackers probably used cyber attacks to obtain the relevant login credentials. The case of Vietnam Pioneer Bank is slightly different: the banking system itself was not attacked, and the problem lay with its third-party service provider (which provided the SWIFT services), though it is not clear whether the attacker obtained the SWIFT operating authority through a cyber attack. Vietnam Pioneer Bank stated that it would change to connecting directly to the SWIFT system in future.

2) Send transfer instructions to other banks (correspondent accounts)

After the attacker obtains SWIFT authority, the core purpose is to use SWIFT to send transfer instructions. We speculate that what the attacker sent was the first category of SWIFT MT message, such as MT103 (single customer remittance). With the exception of Sonali Bank, we found that the attackers sent

For example, Wells Fargo in the United States holds a correspondent account for the Bank of Ecuador; UOB and seven other banks hold correspondent accounts for Vietnam Pioneer Bank; the Federal Reserve Bank of New York holds a correspondent account for the Central Bank of Bangladesh. In layman's terms, the money these target banks, such as the Central Bank of Bangladesh, had deposited in other banks was transferred away under false pretences.

3) Tampering with MT9XX messages to clear evidence

Since we have not yet captured malicious samples targeting Sonali Bank and the Bank of Ecuador, here we mainly analyse the attacks on Pioneer Bank of Vietnam and the Central Bank of Bangladesh.

First of all, the attackers hijacked MT9XX messages: the attack on Pioneer Bank in Vietnam hijacked the MT950 statement, and the attack on the Bangladesh Central Bank hijacked the MT900 debit confirmation.

Secondly, in both attacks the attackers tampered with the relevant messages in order to delete the relevant transfer records and make the accounts balance. The difference between the two is that in the Central Bank of Bangladesh case the message was tampered with and then sent directly to the printer, whereas in the Pioneer Bank of Vietnam case the electronic PDF version of the MT950 was tampered with and the PDF file was then sent to the printer. Either way, the attacker's ultimate goal was to tamper with the report and delete other data, thereby erasing relevant evidence.

In addition, we also found that in both the Vietnam Pioneer Bank and Bangladesh Central Bank incidents the malicious code used by the attackers has a special secure-deletion function, which further supports the common origin of the two attacks: they are not isolated, and there is a connection between them.
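The third link, tampering with the MT9XX confirmation so the books appear to balance, is exactly what an independent reconciliation is meant to catch. As an added example (not code from the report or from 360), the following Python parses a constructed, simplified MT950 statement and checks it two ways: whether its :61: lines explain the movement between opening and closing balance, and whether every MT103 instruction recorded on a system the SWIFT client host cannot write to appears as a debit. The tag subset, account placeholder, references and amounts are constructed assumptions.

```python
"""Added example: reconcile a constructed MT950 statement against an independent record
of outgoing MT103 transfer instructions, to surface debit entries an attacker has deleted
from the statement in the way the report describes for the Pioneer Bank and Bangladesh
Bank incidents."""
import re
from decimal import Decimal

# Simplified MT950 tag syntax: :60F: opening balance, :61: statement line, :62F: closing
# balance. Real messages carry more tags and options; this subset is an assumption.
BALANCE_RE = re.compile(r"^:6[02]F:(?P<dc>[DC])(?P<date>\d{6})(?P<ccy>[A-Z]{3})(?P<amt>[\d,]+)$")
LINE_RE = re.compile(r"^:61:(?P<vdate>\d{6})(?P<edate>\d{4})?(?P<dc>[DC])(?P<amt>[\d,]+)"
                     r"N(?P<type>[A-Z]{3})(?P<ref>\S+)$")

# Constructed statements (not real SWIFT traffic). GENUINE is the correspondent's true
# statement; TAMPERED_LINE deletes the 81 million debit line; TAMPERED_FULL also rewrites
# the closing balance so that the statement arithmetic balances, which is what the report
# says the attackers aimed for.
GENUINE = """\
:20:STMT-0001
:25:CORR/ACCT-PLACEHOLDER
:28C:35/1
:60F:C160204USD1000000000,00
:61:160205D20000000,00NTRFTRF0001
:61:160205D81000000,00NTRFTRF0002
:61:160205C5000000,00NTRFINC0001
:62F:C160205USD904000000,00
"""
TAMPERED_LINE = GENUINE.replace(":61:160205D81000000,00NTRFTRF0002\n", "")
TAMPERED_FULL = TAMPERED_LINE.replace("USD904000000,00", "USD985000000,00")
# Independent record of the two MT103 instructions actually sent (reference, amount).
OUTGOING_MT103 = [("TRF0001", Decimal("20000000.00")), ("TRF0002", Decimal("81000000.00"))]


def _amount(text):
    """SWIFT amounts use a comma as the decimal separator."""
    return Decimal(text.replace(",", "."))


def parse_mt950(text):
    """Return signed opening/closing balances (credit positive) and the statement lines."""
    opening = closing = None
    lines = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = BALANCE_RE.match(raw)
        if m:
            signed = _amount(m["amt"]) * (1 if m["dc"] == "C" else -1)
            if raw.startswith(":60F:"):
                opening = signed
            else:
                closing = signed
            continue
        m = LINE_RE.match(raw)
        if m:
            lines.append({"dc": m["dc"], "amount": _amount(m["amt"]), "ref": m["ref"]})
    return {"opening": opening, "closing": closing, "lines": lines}


def reconcile(statement, outgoing_mt103):
    """Two independent checks. `outgoing_mt103` is a list of (reference, amount) pairs
    kept on a system the SWIFT client host cannot write to (assumption of this example)."""
    st = parse_mt950(statement)
    debits = {line["ref"]: line["amount"] for line in st["lines"] if line["dc"] == "D"}
    credits = sum((line["amount"] for line in st["lines"] if line["dc"] == "C"), Decimal(0))
    expected_closing = st["opening"] + credits - sum(debits.values(), Decimal(0))
    return {
        # Check 1: do the statement lines explain the movement between the balances?
        "balance_ok": expected_closing == st["closing"],
        "unexplained_gap": expected_closing - st["closing"],
        # Check 2: is every instruction we know we sent reflected as a debit line?
        "missing_debits": [(ref, amt) for ref, amt in outgoing_mt103
                           if debits.get(ref) != amt],
    }


if __name__ == "__main__":
    for name, stmt in (("genuine", GENUINE), ("line deleted", TAMPERED_LINE),
                       ("line deleted + balance rewritten", TAMPERED_FULL)):
        print(name, "->", reconcile(stmt, OUTGOING_MT103))
```

Only the second check survives a tampered closing balance, which is why the reference record must live outside the host that renders and prints the statement.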

(2) ATM machine theft

Compared with the aforementioned method of using the SWIFT mechanism to carry out transnational bank theft, attacks on ATMs carry a much greater risk for the attacker, because the attacker eventually has to show up at the ATM to collect the cash. This also leaves more opportunities for the police to detect the crime and arrest the criminals.

1) Taiwan First Bank (First Bank)

On July 12, 2016, Taiwan's First Bank issued an announcement titled "Customer Rights and Interests Not Affected by the Abnormal Theft from First Bank ATMs", stating that "ATMs in some branches of First Bank were abnormally stolen from; each theft took about 5-10 minutes, the transactions were concentrated on July 9 and July 10, a total of about NT$70 million was stolen, and a total of 34 ATMs in 20 branches were abnormal... they may have been implanted with malware that drove the cash-dispensing module to dispense cash."

After settlement and verification by First Bank, a total of 41 ATMs in Taiwan were stolen from, and the stolen amount was more than 83.27 million yuan. This was the first case of a bank in Taiwan being robbed by cross-border hackers. After investigation and pursuit by the Taiwan police, one Romanian and one Moldovan accomplice were arrested, and 60.5 million yuan of the stolen money was recovered. Follow-up investigations also revealed that in this attack the attacker attacked the patch update server and delivered malicious programs to the ATMs, which could control the ATMs to "spit out money".

The ATMs attacked in this incident were all the same model (ProCash 1500) from Wincor, and service for this model has now been completely suspended. It is understood that Wincor's products serve the banking and retail industries, providing cash self-service equipment and non-cash self-service terminals and related solutions. Representative hardware products include ATMs, deposit and withdrawal machines, multimedia service terminals and passbook printers, with business in more than 130 countries.

In analysing the related attack events, we found that the attacker did not use a bank card or operate the ATM; that is, the attacker made the ATM dispense cash automatically without any physical contact with the machine. This attack phenomenon attracted our attention. In the past, attacks on ATMs were not uncommon, but an attack that makes an ATM dispense money without physical contact was relatively rare.

2) Anunak organization (i.e. Carbanak)

However, before the ATM cash-spitting incident at Taiwan's First Bank, other attack groups had already carried out this kind of contactless attack on ATMs. One of the most famous is the APT group Anunak (aka Carbanak).

Anunak's attacks began in 2013. The criminal gang has launched attacks on 100 banks, electronic payment systems and other financial institutions in about 30 countries and regions around the world, and related attacks are still active. We also mentioned Anunak in the 2015 China Advanced Persistent Threat (APT) Research Report. By researching and analysing the attack methods and intentions of this group, we regard it as an APT group targeting the financial industry.

The general process of an Anunak attack is: first, break into the computers of the financial institution's employees or the bank network through highly targeted attack methods; then, through the internal network, record the screens of the bank staff responsible for the funds transfer system; finally, once the attacker knows all the details of the relevant staff's work, imitate the staff's behaviour to carry out malicious operations and steal bank funds.

In addition, the group can also control the bank's ATMs and order them to dispense cash at specified times. When it is time to collect, the group sends someone to wait next to the ATM to take the cash the machine "voluntarily" spits out.

By comparing Anunak's attack method with the money-spitting incident of Taiwan's First Bank, we found that there are many similarities between the two, as shown in the following table:

| | Taiwan First Bank | Anunak (aka Carbanak) |
|---|---|---|
| Organization behind the scenes | Attacker from Russia | Attacker from Russia |
| Attack method | Exploits malicious programs | Exploits malicious programs |
| Implantation method | Attack on the patch update server | Hacking the bank's intranet to obtain ATM permissions |
| ATM brand | Wincor | Wincor |
| Dispensing method | Breaks through the withdrawal limit and dispenses cash continuously | Breaks through the withdrawal limit and dispenses cash continuously |
| Withdrawal method | Specified time, no physical contact required | Specified time, no physical contact required |
| Attack scale | 40 ATMs | 52 ATMs |
| Money stolen | NT$80 million | 50 million rubles |

The comparison between Taiwan's First Bank's money-spit incident and Anunak's attack characteristics

3) Postal Savings Bank of Thailand

In August 2016, the Government Savings Bank of Thailand discovered that from the 1st to the 8th of that month, cash had been stolen from 21 ATMs across the country. The affected ATMs were located in Bangkok, Phuket, Chumphon, Prachuap, Phetchaburi and Surat Thani. After learning of the incident, the Bank of Thailand (BoT), the central bank, issued a security warning to commercial banks across the country and closed about 3,300 ATMs nationwide.

Through analysis of the footage captured by the cameras inside the ATMs, the Thai police confirmed that the criminal gang in this incident consisted of foreigners. The Thai police subsequently arrested three suspects. According to these suspects, there were about 30 Eastern Europeans, mostly Russians, in their organization, most of whom had many years of working experience in the ATM field.

The gang's main method of attack was to insert specially made ATM cards (with an EMV chip) to implant the malicious program Ripper into the ATM. The malicious program makes the ATM dispense 4,000 baht each time and, at the same time, disconnects the ATM from the bank network, so that the dispensing is not detected.

According to investigations, the criminal organization usually mobilized collectively in the middle of the night, cooperating with each other in the crimes. Between August 1 and 8, the group removed approximately 12.29 million baht (approximately US$346,000) from ATMs across Thailand.

4) Various attacks against ATM machines

Because ATMs are usually located in a relatively isolated network environment, how to implant malicious code becomes a key problem when launching an attack on an ATM. The main attack methods currently known fall into the following two categories:

  1. Intrude into the bank's internal network to gain control of the ATMs
  2. Operate the ATM directly through its optical drive, USB port, etc.

In addition, malicious programs that attack ATMs do not necessarily only make the machine dispense cash; some malicious programs also secretly collect bank card holders' data through the ATM.

The table below compares the attack methods of some malicious programs that specifically target ATMs.

| Year appeared | Malware name | Medium required for implantation | ATM interface | Attack target | Purpose | Physical contact |
|---|---|---|---|---|---|---|
| 2009 | Skimer | Specially made bank card | Card reader | Bank, cardholders | Steal cash and bank card data | |
| 2013 | Ploutus | Mobile phone | USB | Bank, cardholders | Steal cash and bank card data | |
| 2013 | Anunak (Carbanak) | Compromise of the bank's network | | Bank | Steal cash | |
| 2014 | Tyupkin (Padpin) | Bootable CD | Optical drive | Bank | Steal cash | |
| 2015 | GreenDispenser | Implanted by an insider | | Bank | Steal cash | |
| 2015 | SUCEFUL | Unknown | | Cardholders | Steal cash and bank card data | Unknown |
| 2016 | Ripper | Compromise of the bank's network | | Bank | Steal cash | |

Comparison of the attack methods of some malicious programs targeting ATMs

(3) The Operation GoldenEye incident

In December 2015, the 360 Security Services team, drawing on routine incident response records combined with cloud big data, discovered a series of targeted attacks against financial institutions. The 360 Security Services team and the 360 Chasing Sun team launched an in-depth investigation into the incident.

The investigation found that the attacker is a domestic APT group disguised as a legitimate software development company, operating for improper profit and long engaged in stealing sensitive financial transaction information. Its attack capability and counter-reconnaissance capability both reached national level, even exceeding many foreign APT groups. The group had been active for at least 12 years, and multiple financial institutions were subjected to its long-term attacks.

In view of the fact that this group is an APT group that specifically attacks the financial system, we named the group and its attack operation "Golden Eye", with the group and operation number APT-C-19.

The investigation shows that Operation GoldenEye can be traced back to 2004. Related attack activity showed two peaks, in 2012 and 2014 respectively, and the intensity of the attacks in 2014 far exceeded that of 2012. Its main targets are various types of domestic financial institutions such as funds, securities, insurance, wealth management and asset management companies, as well as some individual shareholders.

Operation GoldenEye used a suite of malicious code to infiltrate and control targeted systems and could launch attacks across all Windows platforms. The related attack tools underwent long-term, continuous version upgrades and functional evolution. Operation GoldenEye also had extremely strong anti-reconnaissance capabilities, and the attack code was cleaned up before release.

The malicious code of Operation GoldenEye has a complex structure, complete functionality, strong anti-reconnaissance capabilities and many continuously improved versions, showing the group's highly professional development and maintenance.

In addition, we also found that Operation GoldenEye was highly professional even in terms of familiarity with the financial business. We have reason to believe that the APT group is actually composed of a group of computer experts together with people familiar with the financial business.

From the perspective of the purpose of the attack, Operation GoldenEye mainly steals sensitive transaction information from other financial institutions through malicious programs and then uses this transaction information as investment intelligence for improper investment activities, earning illegal excess profits.


Origin blog.csdn.net/m0_74079109/article/details/129719225