Russian hacker gang steals with impunity, says researcher

Those behind Coreflood botnet snag 463k usernames, access to jacked bank accounts

The Russian hacker gang using a Microsoft administration tool to steal passwords has cashed in big time for years, the researcher who has tracked the group's crimes said Thursday.

A sampling of 11 per cent of the stolen accounts found in one directory on the gang's command-and-control server found more than a quarter-million dollars at risk, said Joe Stewart, director of malware research at SecureWorks.

Stewart laid out that and more on Thursday as he detailed the inner workings of a cybercrime gang using the Coreflood Trojan horse to infect massive numbers of PCs, then sift through the machines for confidential information, including bank account numbers and passwords.

"The one thing that they're looking for is larger accounts that they can clean out," said Stewart. "They haven't automated the money transfer part of the process, so they're looking for the biggest accounts to get the most money the quickest."

Stewart has been releasing research on the group for more than a month as he works his way through more than 50GB of data he snatched from a server the gang had been using as a data repository. In July, for instance, Stewart disclosed how the gang uses a Microsoft program called PsExec to spread their password-stealing Trojan from a single infected PC to every Windows system on a company network.

In his most recent findings, Stewart spelled out how much money the group has had access to, as well as the number of users whose information was hijacked. As before, Stewart culled the information from a Coreflood command-and-control server he had helped shut down earlier this year.

Among the mountains of evidence on the server were the results of automated scripts that checked the validity of bank accounts, and in the process obtained the account balances. Of the 79 accounts the cyber crooks tested -- from among 740 stolen accounts on file in a single directory -- the highest balance was US$147,000, while the averages were $4,553 for each savings account and $2,096 for each checking account.

The total exposed in the 79 accounts for which the hackers had usernames and passwords was US$281,000. "And that's a conservative estimate of what they could get," said Stewart. "This was only a fraction of the accounts they had stolen."

The group has been stealing with apparent impunity for years, said Stewart; the server he accessed had been in continuous operation since 2005, for example. And they've done well, since he found approximately 463,000 usernames and passwords on the server. More than 8,400 of those were bank or credit union account usernames and passwords, while 3,200 gave access to users' credit card accounts. Stewart also found 416 online stock trading account usernames and passwords, 869 to online payment processors and 553 to payroll processors.

The gang has not been caught.

"The fact that they've been in operation for over six years shows there's not a whole lot of risk to them," said Stewart, who has reported his discoveries to law enforcement officials. The evidence led to a city in the south of Russia; Stewart declined to name it, however.

US agencies, he added, "are on the case," but he was less optimistic about their Russian counterparts. "I don't know," he said when asked whether authorities in Russia were pursuing the gang. "But we need a lot more effort and cooperation to do anything about this."

The gang continues to fly under the radar. "The Coreflood botnet isn't as big as some of the bigger botnets, but all they need to do is clean out a large account every couple of weeks to make a good living," he said.

Stewart has posted some of his findings on the SecureWorks site.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?