A joint law-enforcement operation in Russia has resulted in the arrest of 50 members of a gang suspected of orchestrating the theft of 1.7bn roubles ($25m; £18m) from banks and financial institutions in the country.
In what has been dubbed the biggest ever crackdown on financial hackers, the Russian Interior Ministry, working alongside partners including the Federal Security Service (FSB) and security firm Kaspersky Lab, said the operation also prevented the loss of a further 2.3bn roubles by halting pending money transfers.
The cybercrime gang used a sophisticated piece of Trojan malware called Lurk to create a botnet of infected computers before launching targeted attacks against Russian banks, businesses and media companies.
The full list of victims was not disclosed, but one major institution, Sberbank, was named as a victim and is reported to have assisted closely with the investigation.
While exact details remain unclear, a source close to the operation told the TASS news agency that six banks were targeted, including Metallinvestbank, Russian International Bank, Metropol and Regnum between March and April this year. The source added: "Cybercriminals obtained remote access to Metallinvestbank's systems and transferred funds to accounts under their control."
As reported by Reuters, and outlined in a statement from the Interior Ministry (translated with Google Translate), a series of 86 raids took place across 15 separate regions in Russia with footage reportedly showing armed police using battering rams to access the suspects' homes.
"As a result of searches a large quantity of computer equipment was confiscated along with communications gear, bank cards in false names, and also financial documents and significant amounts of cash confirming the illegal nature of their activity," the FSB said in a statement, before adding that the National Guard was also involved in the arrests.
According to Kaspersky security experts, the Lurk malware first emerged in 2011 and quickly gained notoriety as a ruthless Trojan that targeted consumer and enterprise systems. This changed at the start of 2015, when it was discovered that the malware was being used to attack banks.
"We realised early on that Lurk was a group of Russian hackers that presented a serious threat to organisations and users," said Ruslan Stoyanov, head of computer incidents investigation at Kaspersky Lab. "Our company's experts analysed the malicious software and identified the hackers' network of computers and servers. Armed with that knowledge the Russian Police could identify suspects and gather evidence of the crimes that had been committed."
According to the BBC, a Russian security firm called Group IB claimed the gang using Lurk had recently changed tactics, using another type of malware called Buhtrap to launch so-called Advanced Persistent Threat (APT) attacks on major banks. APT attacks are traditionally extremely difficult to defend against because they are highly tailored to the target and often use previously unknown (zero-day) vulnerabilities to infiltrate critical systems.
In a broader statement, the Interior Ministry said that cyberattacks against Russian banks since mid-2015 had netted criminals over 3bn roubles ($45m; £31m) in total.
The crackdown comes amid an escalation in cyberattacks targeting banks across the globe. In one recent heist, cybercriminals stole $81m (£56m) from the Bangladesh central bank. The subsequent investigation, which remains ongoing, quickly widened to include banks in Ecuador and Vietnam. Investigators are now analysing the Swift system – the secure interbank messaging service used to authorise transfers – to check for potential vulnerabilities that could have aided the hackers.