This report describes the details and type of operations carried out by an organized criminal group that focuses on the financial industry (banks and payment providers), the retail industry, and news, media and PR companies. […] The backbone of the organized criminal group consists of citizens of both Russian and Ukrainian origin. […]
The average sum stolen per incident in Russia and the post-Soviet space is $2 million. […] To date the total amount stolen exceeds 1 billion rubles (about 25 million dollars); most of it was stolen in the second half of 2014. […]
The key point is that the fraud occurs within the corporate network, using internal payment gateways and internal banking systems. Thus money is stolen from the banks and payment systems themselves, not from their customers. While this is their main and most lucrative activity, the gang has also ventured into other areas, including the compromise of media groups and other organizations for industrial espionage and, likely, a trading advantage on the stock market. […]
The average time from initial penetration of a financial institution's internal network to a successful theft is 42 days.
Having gained access to internal bank networks, the attackers also managed to reach the ATM management infrastructure and infect those systems with their own malicious software, which further allows theft from the bank's ATM systems on the attackers' command. […]
The main steps of the attack progression are the following:
1. Primary infection of an ordinary employee computer.
2. Getting the password of a user with administrative rights on some computers, for example the password of a technical support engineer.
3. Gaining legitimate access to one server.
4. Compromising the domain administrator password from the server.
5. Gaining access to the domain controller and compromising all active domain accounts.
6. Gaining access to e-mail and workflow servers.
7. Gaining access to server and banking system administrator workstations.
8. Installing software to monitor the activity of operators of the systems of interest. Usually photo and video recording was used.
9. Configuring remote access to the servers of interest, including firewall configuration changes.
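Several of the steps above leave traces in ordinary authentication and change logs: a privileged account logging on interactively to a regular workstation (step 2), a domain admin credential appearing on a member server and then on the domain controller (steps 4 and 5), and firewall or remote-access changes made at odd hours (step 9). The following added example (not from the report and not the group's tooling) runs a small set of such rules over a constructed log and reports how many days the suspicious activity spans, a lower bound on the dwell time the report puts at 42 days on average; the account names, host naming prefixes and event formats are assumptions.

```python
from datetime import datetime
# Constructed sample log (not from the report), one event per line:
# "<ISO time> <host> <account> <action>"
SAMPLE_LOG = """\
2014-09-01T09:12:03 WS-ACCT-17 j.doe logon_interactive
2014-09-01T10:40:11 WS-ACCT-17 svc-helpdesk logon_interactive
2014-09-02T14:05:29 SRV-FILE-02 svc-helpdesk logon_network
2014-09-03T08:17:44 SRV-FILE-02 domadmin logon_network
2014-09-03T08:19:02 DC-01 domadmin logon_network
2014-09-04T23:55:10 FW-EDGE-1 domadmin firewall_rule_added
2014-09-05T00:02:31 SRV-PAY-01 domadmin remote_access_enabled
"""

# Hypothetical inventory: privileged accounts and host naming classes.
PRIVILEGED = {"svc-helpdesk": "local-admin", "domadmin": "domain-admin"}
HOST_CLASS = {"WS-": "workstation", "SRV-": "server", "DC-": "domain-controller", "FW-": "firewall"}
CONFIG_CHANGES = {"firewall_rule_added", "remote_access_enabled"}

def host_class(host):
    return next((c for p, c in HOST_CLASS.items() if host.startswith(p)), "unknown")

def classify(ts, host, account, action):
    """Map one event to the step of the progression it resembles, or None if unremarkable."""
    cls, role = host_class(host), PRIVILEGED.get(account)
    if action in CONFIG_CHANGES and (ts.hour >= 22 or ts.hour < 6):
        return "step9: remote-access/firewall change outside business hours"
    if role and cls == "workstation" and action == "logon_interactive":
        return "step2: privileged account exposed on an ordinary workstation"
    if role == "domain-admin" and cls == "server":
        return "step4: domain admin credential used from a member server"
    if role == "domain-admin" and cls == "domain-controller":
        return "step5: domain admin reached a domain controller"
    return None

def analyze(log_text):
    """Return findings as (time, host, account, stage) tuples, in log order."""
    findings = []
    for line in filter(None, log_text.splitlines()):
        t, host, account, action = line.split()
        stage = classify(datetime.fromisoformat(t), host, account, action)
        if stage:
            findings.append((t, host, account, stage))
    return findings

def span_days(findings):
    """Whole days between first and last finding: a lower bound on dwell time."""
    if not findings:
        return 0
    first, last = datetime.fromisoformat(findings[0][0]), datetime.fromisoformat(findings[-1][0])
    return (last - first).days
```

On the sample log the rules flag five events in the order step2, step4, step5, step9, step9, spanning three days; the benign helpdesk logon to the file server (a local-admin account on a server) is not flagged, which is the kind of gap a real deployment would close with its own inventory of which accounts belong on which hosts.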