Hackers used malware to infiltrate a regional Russian bank and manipulate the ruble-dollar exchange rate by more than 15 percent in minutes, according to a cybersecurity firm investigating the attack.
Russian-language hackers used the Corcow Trojan to open a backdoor into Kazan-based Energobank’s systems in February 2015, and then place over $500 million in orders at non-market rates, Group-IB told Bloomberg.
The swing resulted in a Russian central bank investigation into possible market manipulation.
“This is the first documented attack using this virus and it has potential to do much more damage,” said Dmitry Volkov, the head of Group-IB’s cyber intelligence department. “Once the malware has penetrated a local network, it is sophisticated enough to infect computers that are not even connected to the Internet.”
The firm says antivirus software is not effective against the Corcow Trojan, which can hide undetected in a bank's systems for more than six months.
The Moscow Exchange has said that its systems were not hacked in the incident. A separate investigation by the central bank found no evidence of currency manipulation, blaming the swing, which lasted 14 minutes and caused the exchange rate to fluctuate between 55 and 66 rubles per dollar, on traders’ mistakes.
The central bank claimed losses of 244 million rubles, or $3.2 million, according to local news reports. Group-IB said that while there is no evidence the hackers benefited financially from the hack, they may have been laying groundwork for a later attack.
The Corcow Trojan itself is not new. Although it was first seen in 2011, according to security researcher Graham Cluley, it “more-or-less fell off the radar during 2012 only to see a sudden resurgence” in 2013.
The virus contains a specific module to subvert a popular Russian banking system used to facilitate speedy electronic exchanges, according to Cluley.
In a separate incident discovered in August 2015, a Corcow Trojan attack on ATM card systems serviced cash withdrawals from Visa and MasterCard cards under a special tariff, according to a Group-IB report on the virus.
Around 250 banks used the infected system, resulting in hundreds of millions of stolen rubles.