Sophisticated Hackers Steal Millions from Private Equity Firms
The Florentine Banker, a group of sophisticated hackers, has targeted the biggest and most protected financial businesses on the planet in a scheme that takes months of surveillance and intricately infiltrates huge Private Equity firms and the large institutions that act as their counterparties. In fact, the Florentine Banker is so good at what it does that much of what it has stolen cannot be determined, even though how it operates has been exposed.
The attacks were exposed by Check Point and included four separate bank transactions totaling $1.3 million, only half of which has been recovered. The attacks centered on three different Private Equity firms. After Check Point discovered the fraud, it reverse-engineered the attack and discovered multiple targets.
“The effort is enormous,” Check Point’s Lotem Finkelsteen said. “They had to learn the nature of a company, spot the relevant threads, purchase lookalike domains, impersonate both sides, establish relevant bank accounts, make the transaction, maintain mules to withdraw the money.”
The attack starts, as most hacks do, with phishing emails sent to uncover the finance chain within target PE firms. The attacks continue for weeks, usually focusing on stealing credentials, Check Point says, “until the attackers gain a panoramic view of the entire financial picture of the company.”
Once they gain access via those credentials, the Florentine Banker begins a stalking campaign, using email rules within Office (now Microsoft) 365 to divert emails from specific senders or with specific subject lines to a folder they can monitor. That folder will likely have a system name most people ignore: “RSS feeds,” for example. The Florentine Banker “can spend days, weeks or even months on reconnaissance before intervening in the communications, patiently mapping the business scheme and procedures.”
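The mailbox-rule pattern described above is something a defender can hunt for directly: enumerate every user's inbox rules and flag the ones that quietly move, delete or forward mail keyed on finance-related senders or subjects. The script below is an added example, not Check Point's or Microsoft's code. Its input is a constructed JSON export whose field names follow the properties reported by Exchange Online's Get-InboxRule cmdlet (Name, Enabled, MoveToFolder, ForwardTo, DeleteMessage, FromAddressContainsWords, SubjectContainsWords); the rule contents, folder names and the internal domain pe-firm.example are invented for the demonstration.

```python
"""Triage Microsoft 365 inbox rules for the mail-hiding pattern used in BEC.

Added example, not Check Point's or Microsoft's code. Field names follow
Exchange Online's Get-InboxRule output; the export itself is constructed.
"""
import json

# Folders a hiding rule typically targets: system-looking names users rarely open.
SUSPECT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "deleted items", "archive"}
# Sender/subject words that suggest the rule is watching the payment chain.
FINANCE_TERMS = {"invoice", "wire", "payment", "transfer", "bank", "swift",
                 "iban", "remittance"}

# Constructed sample export (all names and addresses are invented).
CONSTRUCTED_EXPORT = json.dumps([
    {"Name": "Newsletters", "Enabled": True,
     "FromAddressContainsWords": ["newsletter@"], "SubjectContainsWords": [],
     "MoveToFolder": "Mailbox:\\Newsletters", "ForwardTo": [], "DeleteMessage": False},
    {"Name": ".", "Enabled": True,
     "FromAddressContainsWords": ["@counterparty-bank.example"],
     "SubjectContainsWords": ["wire", "invoice"],
     "MoveToFolder": "Mailbox:\\RSS Feeds", "ForwardTo": [], "DeleteMessage": False},
    {"Name": "Ops copy", "Enabled": True,
     "FromAddressContainsWords": [], "SubjectContainsWords": ["payment"],
     "MoveToFolder": None,
     "ForwardTo": ["archive@mail-relay.example.net"], "DeleteMessage": True},
    {"Name": "Old", "Enabled": False,
     "FromAddressContainsWords": [], "SubjectContainsWords": ["transfer"],
     "MoveToFolder": "Mailbox:\\RSS Feeds", "ForwardTo": [], "DeleteMessage": False},
])


def rule_findings(rule, internal_domain):
    """Return the list of reasons one rule looks like mail hiding (empty if none)."""
    findings = []
    # Get-InboxRule reports a folder path; compare only the leaf folder name.
    folder = (rule.get("MoveToFolder") or "").split("\\")[-1].strip()
    if folder.lower() in SUSPECT_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{folder}'")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    external = [a for a in rule.get("ForwardTo", [])
                if not a.lower().endswith("@" + internal_domain.lower())]
    if external:
        findings.append("forwards to external address " + ", ".join(external))
    conditions = " ".join(rule.get("FromAddressContainsWords", []) +
                          rule.get("SubjectContainsWords", [])).lower()
    hits = sorted(term for term in FINANCE_TERMS if term in conditions)
    if hits:
        findings.append(f"condition keyed on finance terms {hits}")
    if len(rule.get("Name", "").strip()) <= 2:
        findings.append("non-descriptive rule name")
    return findings


def triage(export_json, internal_domain):
    """Map rule name -> findings for enabled rules that hide mail (move, delete
    or forward) and show at least one further indicator. Disabled rules and
    rules with a single weak indicator are left out to limit noise."""
    flagged = {}
    for rule in json.loads(export_json):
        if not rule.get("Enabled", False):
            continue
        findings = rule_findings(rule, internal_domain)
        hides = any(f.startswith(("moves", "deletes", "forwards")) for f in findings)
        if hides and len(findings) >= 2:
            flagged[rule["Name"]] = findings
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(CONSTRUCTED_EXPORT, "pe-firm.example").items():
        print(f"rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Run against a real tenant, the same logic would consume the output of Get-InboxRule for every mailbox; the "at least two indicators" threshold is a tuning choice, and a rule that forwards finance mail to an external address is worth reviewing even on its own.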
“The level of sophistication of the attackers is very high,” Finkelsteen told me. “The attacker must fully understand the company. Who are the key people and their role, who does business with the company and at what scale, how are money transfers enacted. And, of course, the attacker who is in the middle, has to impersonate both sides in a manner that does not raise suspicion.”
Once the hackers find an email thread they can use, they use a lookalike domain to send an outward message, and suddenly they are in direct communication with the counterparty. They now have what they need to initiate the actual theft. Since the attackers have picked a legitimate payee and can see the communications between the parties, sending the proper authorizations to the bank issuing the money becomes easy. In reality, a transfer can be manipulated either to or from a counterparty.
The Florentine Banker even caught some breaks along the way. “The attackers noticed a planned transaction with a third party, in which the firm suggested using a U.K. bank account to speed up the process. The receiving party reported they do not possess a bank account in the U.K. The threat group provided one.”
The attack uncovered by Check Point used seven spoof domains, but the team found 39 other domains the attackers registered between 2018 and 2020. “We believe this is evidence that the group is marking additional targets,” Finkelsteen explained. “Its attacks are so successful they are unlikely to stop after one hit.”
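The lookalike domains that let the attackers step into a thread (introduced above, and registered in bulk according to Check Point's count) are detectable at the mail gateway or in log review: compare each external sender's domain against the list of counterparties the firm actually transacts with. The script below is an added example, not Check Point's code or a product feature. It goes a little beyond the article by covering the common lookalike families generically: homoglyph swaps (rn for m, 8 for b), a single-character edit, the same name under another suffix, and the trusted name embedded in a longer domain. The trusted list (counterparty-bank.example, pe-firm.example) and the observed senders are constructed for the demonstration.

```python
"""Flag sender domains that resemble a trusted counterparty's domain.

Added example, not Check Point's code. Trusted domains and observed senders
are constructed; the .example TLD is reserved and never resolves.
"""

# Single characters attackers substitute for look-alikes; folded before comparing.
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
# Multi-character look-alikes (rn reads as m, vv as w, cl as d).
PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
# Labels that form a two-level public suffix in this naive splitter (co.uk etc.).
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def normalize(text):
    """Fold common homoglyphs so visually similar strings compare equal."""
    text = text.lower()
    for pair, single in PAIRS:
        text = text.replace(pair, single)
    return text.translate(SINGLE)


def split_domain(domain):
    """Return (registrable label, suffix) using a naive public-suffix split."""
    parts = domain.split(".")
    if len(parts) < 2:
        return domain, ""
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL:
        return parts[-3], ".".join(parts[-2:])
    return parts[-2], parts[-1]


def edit_distance(a, b):
    """Levenshtein distance by the standard row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, trusted_domains):
    """Return (verdict, matched trusted domain or None).

    verdict is 'trusted' (exact match or subdomain), 'lookalike' or 'unrelated'.
    """
    sender = sender_domain.lower().strip(".")
    trusted_list = [t.lower().strip(".") for t in trusted_domains]
    if sender in trusted_list:
        return "trusted", sender
    s_label, s_suffix = split_domain(sender)
    s_norm = normalize(s_label)
    whole_norm = normalize(sender)
    best = None
    for trusted in trusted_list:
        t_label, t_suffix = split_domain(trusted)
        t_norm = normalize(t_label)
        if s_label == t_label and s_suffix == t_suffix:
            return "trusted", trusted          # a subdomain of a trusted domain
        if s_norm == t_norm:
            return "lookalike", trusted        # homoglyph swap or suffix change
        distance = edit_distance(s_norm, t_norm)
        threshold = 1 if len(t_norm) <= 6 else 2   # short names tolerate less
        embedded = len(t_norm) >= 5 and t_norm in whole_norm
        if distance <= threshold or embedded:
            if best is None or distance < best[0]:
                best = (distance, trusted)
    return ("lookalike", best[1]) if best else ("unrelated", None)


if __name__ == "__main__":
    TRUSTED = ["counterparty-bank.example", "pe-firm.example"]   # constructed
    for sender in ["counterparty-bank.example", "mail.counterparty-bank.example",
                   "counterparty-8ank.example", "counterparty-bank.net",
                   "counterparty-banks.example", "pe-firrn.example",
                   "counterparty-bank.example.net", "weather-news.example"]:
        print(f"{sender:32} -> {classify(sender, TRUSTED)}")
```

Two caveats for production use: the suffix split here is deliberately naive (a real deployment should use the public suffix list), and the edit-distance threshold will produce false positives for very short or very similar legitimate domains, so the output belongs in a review queue rather than an automatic block.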
“The victims are carefully picked,” Finkelsteen told me. “This is not a random search for vulnerable organizations. They target organizations that invest or transfer big sums and then they work on them for months.”
“The attackers can initiate fraudulent activity with the third-parties with whom trust has been established, long after the main target has detected and removed the intruder from their network.”
Check Point warns that any organization using Microsoft 365 should use double encryption and should also notify its business partners when security breaches occur.
“We keep saying ‘cybercrime organization,’” Finkelsteen cautioned. “But these attackers will not succeed without people who understand the targets, who can write in different languages, who have a field operation to collect the money. This is a complex operation, and hacking is just one aspect.” This is organized crime.