Dark army hackers. Anonymous (hackers): programs, hacks and reviews


Hackers from the Cobalt group, who forced ATMs in Taiwan and Thailand to throw out money in the summer of 2016, attacked more than 250 organizations around the world in the first half of 2017, sending letters on behalf of Visa and MasterCard

Photo: Markku Ulander / Lehtikuva / TASS

The hacker group Cobalt, known for large-scale attacks on financial institutions that caused ATMs to dispense cash, and believed to have Russian roots, significantly expanded the scope of its activity in 2017. According to a report from the information security company Positive Technologies (available to RBC), in the first half of 2017 Cobalt sent phishing emails containing infected files to more than 3,000 recipients at 250 companies in 12 countries. To Cobalt's traditional targets in the CIS, Eastern Europe and Southeast Asia were added companies in North America, Western Europe and South America, in particular Argentina. The group's interests now include not only banks but also stock exchanges, insurance companies, investment funds and other organizations.

According to experts, the hackers' methods are evolving. Before attacking banks, Cobalt now first compromises the infrastructure of their partners: a quarter of all attacks target government organizations, industrial companies, telecommunications operators and medical enterprises. “Attacks on non-financial organizations are carried out with the aim of preparing a springboard for subsequent attacks on banks. For example, attackers can send phishing emails on behalf of a regulator or a partner of a bank to which it provides services,” Alexey Novikov, deputy director of the expert services competence center at Positive Technologies, explained to RBC. He notes that financial institutions are much better protected from cyber threats than government agencies and industrial companies. “They are constantly improving their defense mechanisms due to frequent attacks on their infrastructure, so it is easier for attackers to hack the infrastructure of a bank's counterparty or a government organization in order to carry out a direct attack on the bank,” says Novikov.

Attacks on the financial sector, which account for 75% of this group's efforts, have become more sophisticated. The group mass-mails phishing emails from fake domains that imitate messages from Visa, MasterCard, the Financial Cyber Attack Response Center of the Central Bank of Russia (FinCERT) and the National Bank of the Republic of Kazakhstan, Positive Technologies said. For these purposes, Cobalt used at least 22 fake domains imitating the websites of large financial organizations and their counterparties.

Who is who

Experts consider several groups the most dangerous for the banking community: Lurk, Buhtrap, Carbanak and Lazarus.

Hackers from the Lurk team, who created the banking Trojan of the same name, managed to steal more than 1.7 billion rubles from the accounts of Russian banks before they were detained by the Ministry of Internal Affairs and the FSB in June 2016. Law enforcement authorities arrested about 50 people associated with this group and blocked fictitious payment orders for another 2.3 billion rubles.

The Buhtrap group was noticed by information security experts in 2014. According to Group-IB, which specializes in preventing cyber threats, from August 2015 to February 2016, its hackers stole 1.8 billion rubles from Russian bank accounts, carrying out 13 successful attacks. Among the victims were Metallinvestbank and Russian International Bank. The criminals sent victims fake messages containing infected files on behalf of the Central Bank. Experts from Group-IB and Positive Technologies associate the hackers from Cobalt with the activities of this group. “Probably, part of the Buhtrap group or even its main backbone moved to Cobalt. At the moment, Cobalt, of course, leads in terms of the degree of danger to the domestic financial environment as the most professional and technically savvy,” experts from Positive Technologies say.

Kaspersky Lab holds that Cobalt members come from another dangerous group, Carbanak, whose first attacks were recorded in 2013. “In 2014-2015, when stealing funds from banks, the Carbanak malware was used, the operation of which required a certain infrastructure: network addresses. Then the same addresses were used to control the malicious program that was included in the malicious software,” said Sergey Golovanov, leading anti-virus expert at Kaspersky Lab. According to him, the Carbanak group consists of about a hundred people, and the damage from its actions has already exceeded $1 billion. On average, one attack costs Russian banks tens of millions of rubles, says Golovanov.

Another group that specifically targets banks is Lazarus, best known for stealing $81 million from Bangladesh Bank in 2016. According to the Group-IB report, these hackers may be close to DPRK government agencies, as they carried out some of the attacks from the Potonggang district of Pyongyang, where the headquarters of the DPRK National Defense Committee is located.

Hackers from a community called Metel, who may now have ceased their activities, also caused a lot of concern. They have been active since 2011 and over several years were able to compromise accounts worth more than $250 million. During the attack on Energobank in 2016, Metel’s actions caused the ruble exchange rate to change by more than 15% and caused damage to the bank in the amount of 244 million rubles.

How do they attack?

A typical Cobalt attack consists of several stages, says a representative of Positive Technologies. First, fake domains are registered, supposedly belonging to large companies such as Visa. Then banks and their counterparties are sent a phishing email containing a malicious file, usually a Microsoft Word document. After the user opens this attachment, a program is launched that prevents anti-virus protection systems from responding to the malware. After that, the Trojan itself is downloaded, giving the attackers remote access to the work computer of an employee of the victim company. Next, the attackers can either develop the attack within the organization or send an email with similar malicious software from the compromised computer to another organization.
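The first stage above relies on sender domains that imitate Visa, MasterCard or FinCERT, so a mail gateway or SOC can flag such senders before anyone opens the attachment. The following lookalike-domain check is an added example, not code from the page or from Positive Technologies; the protected domains, the edit-distance budgets and the sample From: headers are constructed assumptions.

```python
"""Flag From: addresses whose domain imitates a protected brand (added example)."""
from email.utils import parseaddr

# Brands the page says were impersonated; the exact domains are assumptions.
PROTECTED_DOMAINS = ("visa.com", "mastercard.com", "fincert.ru")

# Multi-character swaps that read like the original but would cost two edits.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"))

# Constructed sample headers: one legitimate sender and several imitations.
SAMPLE_HEADERS = [
    'From: "Visa Support" <alerts@visa.com>',
    'From: "Visa Security" <notice@v1sa-secure.com>',
    'From: "MasterCard" <support@rnastercard.com>',
    'From: "MasterCard Online" <billing@mastercardonline.net>',
    'From: "FinCERT" <report@fincert-cbr.ru>',
    'From: "Accounting" <ivanov@example-partner.example>',
]


def sender_domain(from_header):
    """Return (display name, lowercase domain) parsed from a From: header line."""
    value = from_header.split(":", 1)[1] if from_header.lower().startswith("from:") else from_header
    name, addr = parseaddr(value.strip())
    return name, addr.rpartition("@")[2].lower()


def registrable_label(domain):
    """Second-level label, e.g. 'visa' for 'mail.visa.com' (no public-suffix list; assumption)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def normalize(text):
    """Lowercase and collapse the multi-character homoglyphs."""
    text = text.lower()
    for bad, good in HOMOGLYPHS:
        text = text.replace(bad, good)
    return text


def levenshtein(a, b):
    """Classic edit distance; single-character swaps like 'v1sa' cost one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return (verdict, brand): exact, lookalike, brand-in-domain or none.

    'exact' only means the header names the brand's domain; whether the
    message really came from there is for SPF/DKIM/DMARC to decide.
    """
    domain = domain.lower()
    for brand in PROTECTED_DOMAINS:
        if domain == brand or domain.endswith("." + brand):
            return "exact", brand
    label = registrable_label(domain)
    # Compare the whole label and each hyphen-separated part ('v1sa-secure' -> 'v1sa').
    candidates = [normalize(label.replace("-", ""))] + [normalize(p) for p in label.split("-") if p]
    for brand in PROTECTED_DOMAINS:
        blabel = registrable_label(brand)
        budget = 1 if len(blabel) < 6 else 2  # short brand names need a tighter budget
        if any(levenshtein(c, blabel) <= budget for c in candidates):
            return "lookalike", brand
    for brand in PROTECTED_DOMAINS:
        if registrable_label(brand) in normalize(label):
            return "brand-in-domain", brand
    return "none", None


def display_name_mismatch(name, verdict):
    """True when the display name invokes a protected brand but the domain is not that brand's."""
    text = normalize(name)
    return verdict != "exact" and any(registrable_label(b) in text for b in PROTECTED_DOMAINS)


def scan_headers(headers):
    results = []
    for header in headers:
        name, domain = sender_domain(header)
        verdict, brand = classify_domain(domain)
        results.append({"domain": domain, "verdict": verdict, "brand": brand,
                        "name_mismatch": display_name_mismatch(name, verdict)})
    return results


def flagged_domains(headers):
    """Domains worth blocking or reviewing: any imitation, or a brand name over a foreign domain."""
    return [r["domain"] for r in scan_headers(headers)
            if r["verdict"] != "exact" and (r["verdict"] != "none" or r["name_mismatch"])]


if __name__ == "__main__":
    for r in scan_headers(SAMPLE_HEADERS):
        print(f'{r["domain"]:26} {r["verdict"]:16} brand={r["brand"]} name_mismatch={r["name_mismatch"]}')
```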

“Our statistics show that on average 20-30% of employees open potentially dangerous attachments that jeopardize the entire security of the company. But in this case, the percentage of those who opened them was 2-2.5 times higher, since the letters were sent on behalf of the counterparty, and in some cases even on behalf of specific employees,” says Positive Technologies.

The head of dynamic malicious code analysis at Group-IB, Rustam Mirkasymov, says that the main goal of Cobalt is still the theft of money from financial organizations, but the hackers' attacks have indeed begun to affect not only banks. “Our Threat Intelligence system identified attacks on law firms, insurance companies, information and news agencies, and leasing companies. This is done in order to test the attack for effectiveness for further attacks on the banking infrastructure. There are already known cases when the infrastructure of a large integrator was used by this group to carry out attacks on banks in Romania, Kazakhstan, Azerbaijan, Moldova, Russia, etc.,” says Mirkasymov. According to him, the average amount of theft per incident is about 100 million rubles.

The damage to Russian banks from the actions of hackers in 2016 amounted to just over 2 billion rubles, Artem Sychev, deputy head of the main department of security and information protection of the Central Bank, previously reported. The average damage from a cyber attack in this period worldwide was $926 thousand per financial organization, according to the Kaspersky Lab report. At the same time, the average annual expenditure of one bank on cybersecurity, according to the company, now reaches $58 million worldwide, three times more than that of non-financial organizations.

Over the past week, many of us have heard for the first time about the hackers from Lizard Squad, who have already claimed responsibility for two sensational DDoS attacks: on the Malaysia Airlines website, which began redirecting users to a page with the message “404 - plane not found”, and on Facebook, which was unavailable for a full 40 minutes.

Facebook, however, denied rumors of a hacker attack; instead, the site's malfunction was blamed on developer error. Malaysia Airlines has also assured users that the site was not hacked but was simply temporarily transferred to a different domain name.

And yet, who are the Lizard Squad? Just another “hacktivist” trying to convey their political agenda, or a group of teenagers having fun? Do they pose a real threat or are they only strong in name? And what is their place among other hacker groups? Below we will talk about the hackers who have made themselves known most loudly lately.

Lizard Squad gained fame after attacks on major IT companies, including Sony, Microsoft and Facebook. The general public first heard about them in August 2014, when they attacked several online games, including League of Legends and Destiny. These were followed by more significant attacks on Sony's PlayStation Network and Microsoft's Xbox Live.

It seems that the hackers have a personal score to settle with Sony. In August 2014, they claimed there was a bomb on board the airliner on which one of the company's presidents was due to fly. As a result, the plane made an emergency landing.

In addition, the group hints at its involvement with the Islamic State. During the attack on Malaysia Airlines, they called themselves the “Cyber Caliphate” (also the name of the hacker arm of the Islamic State). Moreover, in August they planted an ISIS flag on Sony servers.

At first glance, Lizard Squad appears to be driven purely by political motives, but it is likely that what is more important to them is to demonstrate the capabilities of their Lizard Stresser service. Thus, claims of links to the Islamic State may be nothing more than an attempt to attract more media attention.

Following the attacks on PSN and Xbox Live, American and British authorities conducted an investigation, which ended with the arrest of a 22-year-old resident of Twickenham and a teenager from Southport (Britain).

Probably the most famous hacker organization, Anonymous is a decentralized association of tens of thousands of “hacktivists” who work together to hack websites as a way of protesting.

The group gained fame after attacks on a number of large political, religious and corporate resources. Their accomplishments include hacking the Pentagon website, threatening Facebook and Los Zetas, a Mexican drug cartel, and declaring war on the Church of Scientology.

In 2010, Anonymous launched Operation Payback after Visa, MasterCard, PayPal and other companies refused to serve WikiLeaks. They also openly supported the Occupy Wall Street movement in 2011 by attacking the New York Stock Exchange website.

Since 2009, numerous people have been arrested on suspicion of involvement with Anonymous in America, the UK, Australia, the Netherlands, Spain and Turkey. However, the organization protests against the persecution, calling those arrested “martyrs of the movement.”

The group's motto reads: "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us."

LulzSec (short for Lulz Security) formed shortly after the HBGary Federal hack in 2011 and was originally an offshoot of Anonymous. The main driving force of the group was seven people who chose the phrase “Laughing at your security since 2011” as their motto.

The group carried out its first attack on Fox.com, stealing several passwords, LinkedIn accounts and the names of 73 thousand X Factor contestants. In 2011, they went further by hacking the CIA website.

LulzSec have become famous for the large organizations they target and the scathing messages they leave on sites after hacks. Some experts regard the organization’s activity more as a prank than a real threat, but the group’s members claim that they are capable of taking more serious steps.

In 2011, the group released a statement, “50 Days of Lulz,” in which they announced their dissolution. However, on July 18, they carried out another attack on newspapers owned by the News Corporation holding company, filling them with fake news about the death of the company's owner, Rupert Murdoch.

In 2012, the FBI arrested the main participants following a denunciation by the group's leader, Hector Monsegur, known under the nickname Sabu. According to prosecutor Sandeep Patel, the hackers lacked Anonymous's political ambitions and imagined themselves as "modern pirates."

The Syrian Electronic Army (SEA) has openly stated that it supports the government of the current Syrian President Bashar al-Assad. Its main targets are the political opposition and Western websites, especially news resources and human rights organizations.

The group’s relationship with the Syrian government is not very clear. On its official website, SEA describes itself as “a group of young Syrian enthusiasts who cannot calmly respond to the misrepresentation of the recent uprisings.” Some experts believe that hackers may actually receive government funding.

The main methods of SEA are spam, defacement, phishing and malware distribution. Often, hackers replace a company's web page with messages supporting the current government or an image of the Syrian flag.

The Syrians have already managed to hack the Facebook pages of Barack Obama and Nicolas Sarkozy, as well as the Twitter accounts of news agencies and IT companies. However, the messages they leave after a hack vary greatly in style: some are serious and openly political, others ironic.

High technology, encoding information and solving mysteries are the main interests of modern hackers. Most of them prefer to remain in the shadows: hackers' nicknames are often hidden, and in other cases practically nothing is known about the lives of these active network users. But a certain number of hackers are still known throughout the world.

Popular American hackers and their nicknames

Researchers have compiled a list of the most advanced hackers in America. Among the best known is Dark Dante, the nickname used by the American Kevin Poulsen. Today he is called an “honorary retired hacker.” His main specialty was hacking telephone lines.

At one time, Kevin won a Porsche raffled off by the radio station KIIS-FM, thanks to his ability to cheat the system. On the other hand, he also actively searched online for individuals who were looking for pornographic videos on the Internet. Unfortunately, Poulsen did not stop there and decided to prove his abilities to the whole world by penetrating the FBI database. After this he was sentenced to 5 years. Today Kevin works as an editor for an American magazine and often describes his hacker exploits.

C0mrade is another hacker alias, meaning “comrade.” Its owner, Jonathan James, is famous for his criminal biography. He was convicted at the age of 16 for malicious code that he placed on a server of the US Department of Defense. Interestingly, in 1999, Jonathan first attacked NASA databases, on whose protection management had spent more than $1.7 million. After this he was convicted. However, in 2007 a scandal broke out again: someone stole clients' credit card data and suspicion fell on the former hacker. He was unable to prove his innocence, so he saw only one way out and shot himself that same year.

Homeless Hacker is another netizen who became famous for his abilities. The nickname reflects the fact that Adrian Lamo almost always used public computers, which made it extremely difficult to identify him. At one time, he hacked the Yahoo! search engine and Bank of America servers, and was even able to access data from The New York Times. As punishment, Adrian paid a fine of $65,000 and spent several years under house arrest. Today he is one of the well-known journalists in America.

Nicknames of Russian hackers

Nicknames of hackers from Russia are often recognizable at first sight. The most popular of them is Magg, which belongs to Alexey Belan. In 2012, he hacked the networks of large American companies and also used the personal data of employees. To this day, Belan has not been found; his trail was lost in Athens. The hacker may be in Russia today.

Hacker nicknames around the world are often unified under a hacker group's single name, as with the members of one of the Russian groups, Fancy Bear, which means “unusual bear”. Interestingly, its members are credited with collaborating with the Kremlin. At one time they attacked US defense sites.

The Fancy Bear group is also associated with direct interference in the American presidential election. And in 2016, they were accused of a cyber attack on Macron's campaign staff.

The most famous hacker groups

Today the world knows the most active hacker groups: Anonymous, Lizard Squad and The Lulz Boat. One of the well-known hacker structures is Anonymous, which means “anonymous” and has been operating since 2003. This is an international organization that does not have a single control center. Since 2015, they have become associated with cyberterrorists, and Time magazine noted that Anonymous is among the most influential organizations in the world.

Lizard Squad is another group of hackers. Translated, it means “team of lizards.” It was founded in 2014, and although it existed for only about 6 months, it has become one of the most famous in the world. This organization is known for repeated attacks on the servers of the games Destiny and League of Legends. Initially, their actions were not taken seriously, but later it became known that Lizard Squad was actively sharing posts in support of ISIS and the DPRK. Today, most of the participants are under arrest for acts of fraud and unauthorized access to servers.

The Lulz Boat is one of the three most famous hacker groups. It was founded in 2011. Translated, the group's nickname means “laughing boat.” They gained access to Sony user accounts and also attacked the website of the US Senate and police agencies. Already in 2012, most of the participants were arrested. It is also interesting that almost all the information regarding the activities of The Lulz Boat was leaked to the police by the leader of this hacker group, Hector Xavier Monsegur, since he had been recruited by the authorities back in 2011.

Single hackers and their groups have recently become a common occurrence for most network users. Large companies are actively involved in the protection of personal data even today, but every day new cyber attacks on servers become known. Nicknames of hackers are often not disclosed and remain only in the personal files of hackers, but information about the most famous and clever ones is leaked online from their fans, followers or even accomplices.

Hackers operate on the Internet constantly. However, only some of their attacks become truly large and legendary. It's time to take a look at some historical hacks.

Ashley Madison hack 2015: 37 million users

A group of hackers known as the Impact Team hacked Ashley Madison's servers and stole the personal data of 37 million users. The hackers then published the information they obtained on various websites. The damage to users' reputations was felt around the world, including reports of users committing suicide because of the hack. This hack was memorable not only because the act was public, but also because the hackers gained fame as fighters against infidelity and lies.

Conficker virus from 2008: still infects millions of computers every year

Even though this powerful virus program has not caused irreparable damage, it still refuses to die. It stays hidden, and at the first opportunity copies itself onto other machines. What is even more frightening is that this virus continues to open back doors on infected computers for further hacker attacks. It multiplies and spreads across different computers, where it lurks in the shadows while turning your computer into a spam bot or reading your credit card information and passwords and forwarding this data to the hackers. This virus is a very smart computer program: it deactivates your antivirus to protect itself. It is so famous because of how persistently it continues to exist and how widely it has spread. Eight years after it was discovered, it is still roaming the Internet.

2010 Stuxnet virus: Iran's nuclear program blocked

This virus program, which weighed less than one megabyte, was introduced into the network of Iranian nuclear plants. When the virus reached its destination, it took control of the entire system. It then ordered five thousand uranium centrifuges to spin out of control, suddenly stop, and then start spinning again, while simultaneously sending reports that everything was fine. This chaotic manipulation continued for 17 months, leaving the plants to take on a life of their own and workers and scientists to question their own sanity. During all this time no one knew what was happening. The insidious and stealthy attack did more harm than if these centrifuges had simply been destroyed. The virus led thousands of specialists down the wrong path for a year and a half, wasting thousands of hours of work and millions of dollars in uranium resources. The hack is remembered for both its scope and its cunning: the virus attacked the nuclear program of a country that was in conflict with the United States and other world powers, and it deceived thousands of scientists over the course of a year and a half while it carried out its dirty task in secret.

2014 Home Depot Hack: Over 50 Million Credit Cards

Using the password of one of the chain's vendors, hackers were able to steal the largest amount of credit card data in history. By exploiting holes in Microsoft's operating system, the hackers were able to penetrate the servers before Microsoft attempted to close the holes. As soon as they got into the chain's first store in Miami, the hackers began operating throughout the continent. They observed transactions taking place at 7 thousand cash registers of this network and collected credit card information as customers made purchases at these stores. This hacker attack is memorable because it was directed against a powerful corporation and millions of its trusting customers.

Spamhaus 2013: the largest DDoS attack in history

A DDoS attack is essentially a data flood. By using dozens of computers repeating the same signal at high frequency and at high noise levels, hackers literally flood and overload computer systems on the Internet. In March 2013, this particular DDoS attack was so big that it slowed down the entire internet worldwide and completely shut it down in some parts of the world for entire hours.

2014 eBay hack: 145 million users

Many say it was the biggest breach of public trust in the history of online business. Others, however, say it was far less tragic than the mass theft, as only personal data was leaked, not financial information. No matter how you choose to look at this incident, millions of online shoppers lost their password-protected data. This hack is especially memorable because it was incredibly public, and also because eBay was described in this situation as having very weak security and being very slow and inadequate in responding to the situation.

2014 JPMorgan Chase Hack: 83 Million Bank Accounts

In 2014, Russian hackers hacked the largest bank in the United States and stole data from 7 million small business bank accounts and 76 million personal bank accounts. Hackers penetrated 90 bank computers and accessed the personal information of account users.

The Melissa virus of 1999: 20 percent of the world's computers were infected

A man from New Jersey released a macro virus onto the Internet, where it penetrated computers running Windows operating systems. This virus was disguised as a Word file attached to an email with the title "Important message from (person's name)." Once the user opened the attachment, the virus would activate and tell the computer to mail a copy of itself to the first fifty contacts.

LinkedIn hack disclosed in 2016: 164 million accounts

The hack, which was not discovered until four years after it happened, was memorable because the largest social network for employees was forced to admit the loss of data of 117 million users, which was then resold on the black market. What makes this hack significant is the amount of time it took the company to realize it had been hacked. Four years is quite a long time to realize you've been robbed.

Anthem Health Care Hack 2015: 78 Million Users

The databases of the second largest health insurer in the United States were subject to a covert attack for several weeks. Details of the break-in were not disclosed, but the company said no medical information was stolen. The hackers only managed to steal contact information and social security numbers.

Sony Playstation network hack 2011: 77 million users

In April 2011, a group of hackers called LulzSec hacked Sony's PlayStation Network database, exposing the contact information, logins and passwords of 77 million players to the public. Sony says no credit card information was stolen. The company suspended the service for several days to improve the security system and patch holes.

2012 Global Payments Hack: 110 Million Credit Cards

Global Payments is one of the world's largest lender and vendor transaction companies. It specializes in small businesses. In 2012, the company's system was hacked by hackers who stole credit card information. Some cards whose data was stolen were then used to make illegal transactions.

Anonymous is an international group of hackers that has been hacking government websites for a long time.

Birth of a legend

Hackers from the Anonymous group are now known throughout the world. Not the hackers themselves, of course, but their actions. But how did it all start, and what were their goals?

In its first phase of development, Anonymous saw its goal as simply freedom of the Internet and entertainment. They easily subjected the servers of copyright holders to DDoS attacks and carried out various actions, humorous and otherwise, but soon a bunch of amateurs grew to a decent size and turned into the international hacker organization Anonymous, terrifying the governments of many countries. These cyber fighters easily hack the most secure sites, be it a CIA or Pentagon resource.

In fact, the hacker group Anonymous is so successful and not caught only because none of the group members has ever seen the other in person, and all communication takes place virtually. Their faces are always hidden behind Guy Fawkes masks from the movie “V for Vendetta.” In addition, Anonymous hackers are scattered all over the world from Great Britain to China, so there is no way to identify them. The police may arrest 2-3 people, but the organization will not suffer much damage.

Groups of Anonymous hackers have formed in almost all developed countries of the world, and Russia is no exception: the group Anonymous Russia operates in the Russian Federation. Like every self-respecting organization, Anonymous also has its own Twitter account, where they inform people about their latest actions and plans.

Anonymous and ISIS

Not long ago, Anonymous hackers declared war on ISIS, a terrorist organization. The hackers compromised about 5,000 militant accounts. This allowed them to find out where the militants were planning to carry out terrorist attacks. Anonymous published the results of their actions, and the world was shaken. Among the intended targets were France, Italy, the USA, Lebanon and Indonesia. Now some hackers are working closely with the intelligence services of the above-mentioned countries in order to prevent a tragedy.

During the war with ISIS, Turkey also suffered from the hackers. Anonymous hackers found out how loyal Turkish President Erdogan is to ISIS and promised the Turkish government retaliatory measures. A series of attacks was carried out on government servers, as a result of which they were blocked. In addition, Anonymous promised to “crash” the servers of Turkish airports and banks and completely paralyze their work.

Some IT security experts consider Anonymous's "war" against ISIS to be a frivolous endeavor. As one of the experts said, “they haven’t brought much harm to each other and are unlikely to do so, since on both sides there are people incompetent in terms of protection and hacking.” True, these words are somewhat at odds with how easily hackers overcome various website protections.

Anonymous and China

In addition to ISIS, the Anonymous hacker group also decided to attack China. The hackers were not satisfied with the Chinese government's attitude towards Internet freedom and freedom in general. As a result, they hacked about 500 websites belonging to the Chinese government. The sites were blocked for a long time, and instead of information from the Chinese Communist Party, they contained ways to bypass the blocking of unwanted information imposed by the “repressive government.”

Official China itself does not confirm the attack on its servers. However, the fact is clear. Anonymous decided to raise the people of the Celestial Empire to fight against censorship and restrictions on freedom. On the official Anonymous Twitter channel, hackers call on the people of this country to rise up and, together with them, continue to attack the servers of the Communist Party until “the regime collapses.”

Strike against Russia

Russia has not escaped the interest of hackers either. The Russian organization Anonymous hacked Kremlin websites. True, the hackers did not cause much damage, but it was more of a show of force. Having gained access to the personal data of officials, hackers could “leak” it all into the network. And then another scandal would probably break out.

However, something has leaked out. In addition to the official Kremlin website, Anonymous hackers also hacked the website of the Nashi organization, which at one time actively promoted Vladimir Putin. Here very interesting data surfaced about the financial costs of campaigning among the population of the Russian Federation. The hackers promised to put the history of the United Russia party's dark deeds on the network if Nashi did not stop their propaganda.

True, a biased political motive is beginning to show in their actions. Recently, hackers from the Anonymous group published information that does not stand up to any serious criticism: allegedly it was Russia, and not Ukraine, that cut off the water to Crimea. According to them, Russia deliberately turned off the pumps and paralyzed the water supply, blaming Ukraine for this, in order to increase its influence in Crimea. The assumption is more than absurd.

Other countries

Anonymous hackers did not ignore other states whose actions caused their displeasure. They carried out hundreds of attacks on websites. The website of the Prime Minister of Japan, for example, was inaccessible for a very long time. The US only recently restored the CIA server after their attacks. In London, hackers broke into the servers of the well-known companies Visa and MasterCard. In Canada, government websites were also attacked. Again, the Church of Scientology website was subjected to DDoS attacks in the United States. One gets the feeling that Anonymous has declared war not only on ISIS or China, but on all countries and governments at once.

Instead of a conclusion

Anonymous amazes with their abilities. Attacking well-protected servers of various countries is a rather difficult and troublesome task. The only thing that helps them is that the hackers are scattered all over the world, and identifying them is not so easy. But failures also happen. For example, in London, two people were arrested during an attack on MasterCard and Visa.