An excerpt from the book “Invasion: A Brief History of Russian Hackers”

In May of this year the publishing house Individuum released a book by the journalist Daniil Turovsky, “Invasion: A Brief History of Russian Hackers”. It collects stories from the dark side of the Russian IT industry, about people who fell in love with computers and learned not just to program but to rob others. The book develops the way the phenomenon itself did: from teenage hooliganism and forum get-togethers to operations by the security services and international scandals.
Daniil collected material for several years; some of the stories were published on Meduza, and in 2017 Andrew Kramer of the New York Times received a Pulitzer Prize for a retelling of Daniil's articles.
But hacking, like any crime, is too closed a topic. These stories are passed on only by word of mouth among insiders. The book leaves the reader with an almost painfully unsatisfied curiosity, as if each of its protagonists could fill a three-volume “how it really was”.
With the publisher's permission, we are publishing a short excerpt about the Lurk group, which robbed Russian banks in 2015 and 2016.
In the summer of 2015 the Russian Central Bank set up FinCERT, a centre for monitoring and responding to computer incidents in the credit and financial sector. Through it banks exchange information about computer attacks, analyse them and receive recommendations on protection from the security services. There is no shortage of such attacks: in June 2016 Sberbank estimated the Russian economy's losses from cybercrime at 600 billion roubles; at the same time the bank had a subsidiary, Bizon, that handled its information security.
The first FinCERT report on its work (covering October 2015 to March 2016) describes 21 targeted attacks on bank infrastructure; as a result of these events 12 criminal cases were opened. Most of the attacks were the work of a single group, named Lurk after the malware of the same name that the hackers had developed: with it, money was stolen from commercial enterprises and banks.
Police and cybersecurity experts had been looking for the group's members since 2011. For a long time the search was unsuccessful; by 2016 the group had stolen about three billion roubles from Russian banks, more than any other hackers.
The Lurk malware was different from anything the investigators had met before. When the program was run in a lab for testing, it did nothing (hence the name Lurk, from the English “to lie low”). It later turned out that Lurk is built as a modular system: the program gradually loads additional components with different functionality, from intercepting keystrokes, logins and passwords typed on the keyboard to recording a video stream of the infected computer's screen.
To spread the malware, the group hacked sites that bank employees visited, from online media (for example RIA Novosti and Gazeta.ru) to accounting forums. The hackers exploited a vulnerability in a banner exchange system and distributed the malware through it. On some sites the link to the malware was placed only briefly: on the forum of one accounting magazine it appeared on working days at lunchtime for two hours, but in that time Lurk found several suitable victims.
After clicking the banner, the user landed on a page with exploits, after which the compromised computer began collecting information; the hackers were mainly interested in remote banking software. The details in payment orders were replaced with the ones the attackers needed, and unauthorised transfers went to the accounts of companies linked to the group. According to Sergey Golovanov of Kaspersky Lab, in such cases groups usually use shell companies “that don't care what they transfer and cash out”: they cash out the money they receive, put it in bags and leave it in dead drops in city parks, where the hackers pick it up. The group's members carefully concealed their activity: they encrypted all daily correspondence and registered domains under fake identities. “The attackers use a triple VPN, Tor, secret chats, but the problem is that even a well-tuned mechanism fails,” Golovanov explains. “Either the VPN drops, or the secret chat turns out to be not so secret, or someone, instead of calling via Telegram, simply calls from a phone. That is the human factor. And when you have accumulated a database over years, you need to look for such accidents. After that, law enforcement can contact the providers to find out who went to a given IP address and at what time. And then the case is built.”
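To make the substitution step concrete, here is an added example in Python, written for this page and not taken from the book or from any Lurk code. It models a payment order, the Trojan's rewrite of the beneficiary fields on the infected workstation, and a bank-side confirmation code computed on an out-of-band device (a token or a phone app). The accounts, BICs, company names, field names and key are all constructed; the assumption is that the device derives the code from the order as the operator entered it, so a code bound only to the amount lets the swapped order through, while a code bound to the full payee details rejects it.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Hypothetical model of a payment order; the field names are this example's own.
@dataclass(frozen=True)
class PaymentOrder:
    payer_account: str    # payer's settlement account
    payee_name: str
    payee_account: str    # where the money actually goes
    payee_bic: str        # payee bank identifier
    amount_kopecks: int   # integer minor units, no float rounding
    purpose: str

SEP = "\x1f"  # unit separator: never legal inside a field, so no ambiguity

# Two binding policies for the confirmation code.
AMOUNT_ONLY = ("amount_kopecks",)
FULL = ("payer_account", "payee_name", "payee_account",
        "payee_bic", "amount_kopecks", "purpose")

def canonical(order: PaymentOrder, bind_fields) -> bytes:
    """Serialise the bound fields in a fixed order so both sides MAC the same bytes."""
    values = [str(getattr(order, f)) for f in bind_fields]
    if any(SEP in v for v in values):
        raise ValueError("separator inside a field")
    return SEP.join(values).encode("utf-8")

def confirmation_code(key: bytes, order: PaymentOrder, bind_fields) -> str:
    """Six-digit code from an HMAC over the bound fields. The key is shared
    between the bank and the operator's out-of-band device (token or phone app)."""
    mac = hmac.new(key, canonical(order, bind_fields), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def trojan_substitute(order: PaymentOrder, mule_name: str,
                      mule_account: str, mule_bic: str) -> PaymentOrder:
    """The Lurk-style step on the infected workstation: keep amount and purpose
    so the order still looks like the one the accountant approved, redirect the payee."""
    return replace(order, payee_name=mule_name,
                   payee_account=mule_account, payee_bic=mule_bic)

def bank_accepts(key: bytes, submitted: PaymentOrder, code: str, bind_fields) -> bool:
    """The bank recomputes the code over the order it actually received."""
    return hmac.compare_digest(confirmation_code(key, submitted, bind_fields), code)

# Constructed sample data: accounts, BICs, names and key are not real.
DEVICE_KEY = b"constructed-example-key-not-real"
GENUINE = PaymentOrder(
    payer_account="40702810000000000001",
    payee_name="OOO Vendor",
    payee_account="40702810000000000002",
    payee_bic="040000001",
    amount_kopecks=1_250_000_00,   # 1 250 000.00 roubles
    purpose="Payment for invoice 17",
)
MULE = ("OOO Shell", "40702810000000000999", "040000002")

def honest_transfer_accepted(bind_fields) -> bool:
    """No malware: the order the operator confirmed is the order the bank receives."""
    code = confirmation_code(DEVICE_KEY, GENUINE, bind_fields)
    return bank_accepts(DEVICE_KEY, GENUINE, code, bind_fields)

def fraud_accepted(bind_fields) -> bool:
    """Infected workstation: the device computes the code over the order as the
    operator entered it, the Trojan sends a rewritten order with that code attached.
    Returns True if the money goes to the mule account."""
    code = confirmation_code(DEVICE_KEY, GENUINE, bind_fields)
    submitted = trojan_substitute(GENUINE, *MULE)
    return bank_accepts(DEVICE_KEY, submitted, code, bind_fields)

if __name__ == "__main__":
    for name, policy in (("amount only", AMOUNT_ONLY), ("full payee details", FULL)):
        print(f"code bound to {name}: honest={honest_transfer_accepted(policy)}, "
              f"substituted order accepted={fraud_accepted(policy)}")
```

The lesson is the same whether the device shows a code or signs the order outright: what the operator approves has to be cryptographically bound to the beneficiary, and the device has to display the payee account so it can be compared with the invoice. The model assumes the device's input is not under the Trojan's control; if the infected workstation also drives the device, the binding buys nothing.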
The arrest of the Lurk hackers looked like an action movie. EMERCOM employees cut the locks on the hackers' country houses and flats in different parts of Yekaterinburg, after which FSB officers burst in shouting, grabbed the hackers, threw them on the floor and searched the premises. The suspects were then put on a bus, brought to the airport, driven along the runway and loaded onto a cargo plane that flew to Moscow.
In garages belonging to the hackers, cars were found: expensive Audi models, Cadillacs, Mercedes. A watch inlaid with 272 diamonds was also found. Jewellery worth 12 million roubles and weapons were seized. In total the police conducted about 80 searches in 15 regions and detained about 50 people.
In particular, all of the group's technical specialists were arrested. Ruslan Stoyanov, a Kaspersky Lab employee who investigated Lurk's crimes together with the security services, said that the leadership had recruited many of them through ordinary job sites for remote work. The ads said nothing about the work being illegal, Lurk offered a salary above the market rate, and one could work from home.
“Every morning, except weekends, in different parts of Russia and Ukraine, people sat down at their computers and started working,” Stoyanov described. “The programmers finished off the functions of the next version [of the malware], the testers checked it, then the botnet operator uploaded everything to the command server, after which the bots updated automatically.”
The court hearing of the group's case began in autumn 2017 and was still going on in early 2019 because of the size of the case, which runs to about six hundred volumes. A lawyer for the hackers, who asked not to be named, said that none of the suspects would make a deal with the investigation, though some admitted parts of the charges. “Our clients did work on developing various parts of the Lurk virus, but many simply did not know it was a Trojan,” he explained. “Some of them wrote parts of algorithms that could successfully work in search engines.”
The case of one of the hackers was split off into separate proceedings, and he received five years, including for breaking into the network of Yekaterinburg airport.
In recent decades the Russian security services have managed to defeat most of the large hacker groups that broke the main rule, “don't work in .ru”: Carberp (stole about one and a half billion roubles from Russian bank accounts), Anunak (stole more than a billion roubles from Russian banks), Paunch (built attack platforms through which up to half of the infections worldwide passed), and so on. The incomes of such groups are comparable to those of arms dealers, and besides the hackers themselves they include dozens of people: guards, drivers, cashiers, owners of the sites where new exploits appear, and so on.