Hacking group targets UK financial sector
Attacks since January using bespoke Trojan linked to the Carbanak gang
British banks are being assailed by two hacking groups looking to exploit security weaknesses in the SWIFT global payments systems in order to steal millions.
That is the latest warning from security software company Symantec, which claims that a campaign has been running since January.
The group has been using a Trojan that Symantec calls Trojan.Odinaff which, it claims, has been targeting financial organisations worldwide.
However, the attacks look more broad-based than the one that resulted in $81m being stolen from Bangladesh Bank in February - a sum that would have been much larger but for a crass typographical error and the diligence of a clerk at a correspondent bank.
Symantec has linked the Odinaff Trojan with the Carbanak group, which is believed to be based in Russia and has been targeting financial institutions since at least 2013.
"Odinaff is typically deployed in the first stage of an attack, to gain a foothold on the network, providing a persistent presence and the ability to install additional tools on the target network," claimed Symantec.
"These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013 [with] Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.
"These attacks require a large amount of hands-on involvement, with methodical deployment of a range of lightweight back doors and purpose-built tools on computers of specific interest.
"There appears to be a heavy investment in the co-ordination, development, deployment, and operation of these tools during the attacks. Custom malware tools, purpose-built for stealthy communications (Backdoor.Batel), network discovery, credential stealing, and monitoring of employee activity are deployed."
Symantec said that while one quarter of the attacks that have been uncovered have been in the US, and one fifth in Hong Kong, 12 per cent of the attacks have been targeted at financial institutions in the UK, and four per cent in Ireland.
Ukraine has been the target of eight per cent of the attacks so far - an unusually high proportion given the size of the country's economy and banking sector - suggesting that the attackers are based in Ukraine or Russia.
While the attacks have not been exclusively aimed at the financial sector, it accounts for 35 per cent of the attacks.
The Trojan, claims Symantec, has been seen at up to 20 of the company's financial institution customers, where it has been used to try to infiltrate the banks' SWIFT payments systems.