Executive Summary

Impact

Technical Impact

• System infrastructure destruction
• Data encryption

Business Impact

• Financial loss of the targeted organization
• Espionage
• Data leakage
• Data loss

Mitigation

• Use up-to-date software
• Apply regular backup for data
• Apply least privilege access for files and directories
• Encrypt sensitive information
• Restrict web-based content
• Keep remote data storage

Technical Analysis

Execution

• The group initially gathers as much information as possible about their target, starting by collecting information either about one of the target’s personnels or third party vendors (SWIFT systems).
• After gathering information, the attackers initialize the access by using the method of Watering Hole attack, or the attackers leverage any existing outdated Linux server with vulnerabilities.
• In the next step they conduct internal reconnaissance of the infected environment by using a set of malwares and internal tools to scan the system.
• Once the attackers gather the required information, they start pivoting to SWIFT servers (if there is any) and install the malware necessary to conduct the reconnaissance in infected servers and implant backdoors within those servers.
• In this stage the attackers start executing malwares that enable them to insert fraudulent SWIFT transactions to transfer money to other accounts that could be located in other countries. 
• In the final stage the attackers try to destroy any evidence of their existence in the infected system. The actions that are taken include deletion of log files, disk-wiping, and in some cases they may even use ransomware to thwart future detection.

Tactics, Techniques and Procedures

Tools and Malwares Used

Indicators of Compromise