Russia’s PIR Bank was hit by hackers recently, in a digital heist which stole close to $1 million and tried to get much more. The hack's core trick highlights an area of cybersecurity which is often neglected: hardware connected to computer networks which laymen wouldn’t normally consider a computer.
According to the digital forensics firm called in by PIR Bank to investigate the heist, it shows every indication of being the work of a group known inventively as “MoneyTaker,” which is believed to have been behind attacks on at least 16 U.S. banks, as well as several in Russia and an unnamed banking software company in the U.K.
The attackers penetrated the network of PIR Bank via a router at a branch location sometime in early May. Once that initial foothold was achieved, they were able to move around internally, finding the right machines to target and setting up other backdoors while carefully covering their tracks by deleting logs.
When everything was in place, they initiated transfers to accounts at 17 major Russian banks, and those accounts were quickly emptied by money mules. Although bank employees spotted some suspicious activity and sounded the alarm, it was too late to prevent significant losses.
When we think about securing our computer systems, we tend to think mainly in terms of the desktop PCs and laptops used by everyday folks, and the servers doing the heavy lifting in the background.
A typical network has an outside edge which is heavily secured, and an internal portion which is carefully monitored for signs of attack and other suspicious actions, but otherwise considered less risky than the unknown outside world. We all need at least a little openness and flexibility in these internal zones in order to get our work done.
The servers at the outside edge, and the other system used by people on the inside, are all secured by combinations of anti-malware software, firewalls, intrusion- and anomaly-detection systems, and numerous other features and configurations.
But there’s a lot more to networks than just the actual computers. In between them all are various pieces of hardware moving traffic around — the network routers and switches which sit quietly in server rooms or under floors, doing their job with minimal interaction from their owners.
Routers are essentially single-purpose computers, dedicated to receiving traffic down one piece of cable, perhaps checking or adjusting it slightly, before sending it out again down another cable. They don’t usually have the option of running additional security software, but rely on careful configuration to ensure they do their work properly.
When a bug is found in the software controlling the router, it can often lead to serious problems, especially if the bug allows it to be hijacked remotely. In the right circumstances, a router on the edge of a network can be compromised via a vulnerability in its coding, and made to blur that dividing line between the outside and the inside. In effect, it becomes a bridge allowing attackers to jump over all the security in place at the network edge and land right in the middle of the supposedly secure internal zone.
Consequently, router flaws are a major target of groups like MoneyTaker. The only way to minimize the risk is to ensure patches are applied to all vulnerabilities, usually in the form of an update to the firmware, which forms both the operating system and the basic ruleset of the router. Of course, this relies on these flaws being spotted by the “good guys,” and fixes being made available before the attackers learn about them and start taking advantage.
It’s not just code vulnerabilities in hardware maintained by IT teams which banks and payment companies need to worry about — there’s also the danger of rogue equipment finding its way into a network.
A good example is the spate of attacks on U.K. banks back in 2013, when crooks boldly strolled into branches of Barclays and Santander pretending to be IT engineers, and planted remote-control Keyboard-Video-Mouse switches on bank systems. These tiny boxes would be all but invisible in the tangle of cables, dongles and adaptors tucked away behind the average PC, but had the power to connect to remote networks and grant attackers access to internal systems.
So it’s vital that IT staff take a holistic view of security, not only ensuring their actual computers are secured with the best policies and software, but also keeping a close eye on everything else connected to the network, making sure it is all monitored, tracked and kept updated.