The Privilege Escalation Cycle and Its Role in Russia’s Anunak Cyber Attack
February 3, 2015 | Security and Risk | Andrey Dulkin
Researchers from Russian cyber investigations firm Group-IB and Dutch security firm Fox-IT recently published a joint report detailing the activities of Anunak, the Russian hacker group that is said to have brought about the “armageddon” of the Russian banking industry. Named after the primary malware program in its arsenal, Anunak has been linked to numerous cyber attacks on U.S. and European retailers. While the group has carried out attacks in multiple verticals, including media groups, government agencies and retail, its most lucrative operation has focused on Russia’s finance industry.
Unlike most attackers who target the customers of banks and financial institutions, Anunak targets the institutions themselves. Since 2013, Anunak has successfully infiltrated 50 Russian banks and five payment systems. After making their way inside these organizations, the hackers exploited privileged accounts in order to compromise internal networks, workstations and servers. This access allowed them to transfer funds to accounts under their control and even infiltrate 52 separate ATM systems and make off with the cash. In some cases, the damage has been so severe that financial institutions have lost their banking licenses altogether. The report estimates Anunak has stolen as much as $18 million (or 1 billion rubles) – making off with roughly $2 million per breach. The group has also ventured beyond financially motivated attacks, compromising media groups and other organizations in search of intellectual property (and likely a trading advantage in the stock market). In cases where the group gained access to government agency networks, their aim was espionage.
This criminal enterprise is still very much alive, posing a threat to enterprises worldwide. So how can you protect your organization against such cyber threats when so many others before you have failed and suffered catastrophic damage as a result?
The first step requires a mindset shift. No matter what, motivated attackers will find a way to get in. And as phishing methods (such as those employed by Anunak) become increasingly sophisticated, employees increasingly become a highly likely point of infiltration. Once inside, attackers focus on hijacking and exploiting unprotected privileged accounts and credentials (a systems administrator’s credentials, for example), enabling them to move laterally across the network, gain access to critical systems and exfiltrate stolen data. According to CyberArk’s recently published Cyber Threat Report, over 80 percent of all serious security incidents included a compromise and misuse of privileged accounts at some point in the attack process.
If the Anunak attacks teach us anything, it’s that while cyber attackers may have different motives or end goals, their pathways are usually the same: commandeer privileged accounts, escalate access to move across the network, and steal critical data and assets without detection. This privilege escalation cycle is something we see time and time again, and organizations need to be prepared to protect against it. By implementing the necessary tools and infrastructure to manage, continuously monitor and track privileged account activity, along with the analytics and intelligence to identify anomalous activity, organizations can protect themselves and enable a quick response, making it possible to mitigate potential damage early in the attack cycle.
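To make the monitoring step concrete, here is a small added example (not code from this post or from CyberArk) that baselines where each privileged account is normally used from and then flags the two signals of the cycle described above: an admin credential appearing from a source host outside its baseline, and that credential fanning out to many distinct hosts within minutes, which is what lateral movement with a hijacked account looks like in authentication logs. The log format, account names and host names are all constructed for illustration.

```python
"""Toy privileged-account anomaly detector: an added example, not code from the
post or from CyberArk. Log format, account and host names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "timestamp user src_host dst_host result"
BASELINE_LOGS = """\
2015-01-05T09:00:00 svc_backup jumphost01 dbsrv01 SUCCESS
2015-01-05T09:05:00 svc_backup jumphost01 dbsrv02 SUCCESS
2015-01-06T10:00:00 dom_admin jumphost01 dc01 SUCCESS""".splitlines()

SUSPECT_LOGS = """\
2015-01-20T14:00:00 dom_admin ws-acct-17 dc01 SUCCESS
2015-01-20T14:01:00 dom_admin ws-acct-17 fileshare01 SUCCESS
2015-01-20T14:02:00 dom_admin ws-acct-17 dbsrv01 SUCCESS
2015-01-20T14:03:00 dom_admin ws-acct-17 atm-mgmt01 SUCCESS
2015-01-21T09:00:00 svc_backup jumphost01 dbsrv01 SUCCESS""".splitlines()

PRIVILEGED = {"dom_admin", "svc_backup"}        # accounts under monitoring
FANOUT_THRESHOLD, FANOUT_WINDOW = 4, timedelta(minutes=10)

def parse(line):
    ts, user, src, dst, result = line.split()
    return datetime.fromisoformat(ts), user, src, dst, result

def build_baseline(lines):
    """Map each privileged account to the source hosts it is normally used from."""
    seen = defaultdict(set)
    for ts, user, src, dst, result in map(parse, lines):
        if user in PRIVILEGED and result == "SUCCESS":
            seen[user].add(src)
    return seen

def detect(lines, baseline):
    """Alert when a privileged credential is used from a non-baseline source or reaches many hosts quickly."""
    alerts, flagged, windows = [], set(), defaultdict(list)
    for ts, user, src, dst, result in sorted(map(parse, lines)):
        if user not in PRIVILEGED or result != "SUCCESS":
            continue
        if src not in baseline.get(user, set()) and (user, src) not in flagged:
            flagged.add((user, src))
            alerts.append(("new_source", user, src))
        recent = [(t, d) for t, d in windows[user] if ts - t <= FANOUT_WINDOW]
        recent.append((ts, dst))
        targets = {d for _, d in recent}
        if len(targets) >= FANOUT_THRESHOLD:
            alerts.append(("lateral_fanout", user, len(targets)))
            recent = []                      # one alert per burst
        windows[user] = recent
    return alerts
```

Run against the baseline period it stays silent; run against the suspect period it reports the domain admin account appearing on an accounting workstation and then touching four servers in four minutes.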
Learn more about privileged account exploits and read first-hand accounts from some of the world’s top cyber forensics and incident response professionals in our Cyber Threat Report.