Hackers responsible for recently compromising financial organizations around the globe purposely included Russian words and commands in their malicious code in a bid to befuddle investigators, cybersecurity researchers said Monday.
Researchers from BAE Systems have been at the forefront of investigating a hacking operation in which malicious actors targeted dozens of financial organizations in over 30 countries, then infected their victims with malware that siphoned data from the computer networks of compromised banks.
In offering an update of its investigation Monday, BAE researchers wrote that the hackers responsible deliberately inserted Russian words into their malware in order to confuse investigators and obfuscate the origin of the attacks.
“In spite of some ‘Russian’ words being used, it is evident that the malware author is not a native Russian speaker,” Sergei Shevchenko and Adrian Nish wrote in a blog post published by BAE this week.
According to the researchers, multiple inconsistencies with respect to specific word choices embedded in the malware allowed them to conclude that Russian was “likely used as a decoy tactic, in order to spoof the malware’s country of origin.”
“Through reverse-engineering, we can see the use of many Russian words that have been translated incorrectly. In some cases the inaccurate translations have transformed the meaning of the words entirely. This strongly implies that the authors of this attack are not native Russian speakers and, as such, the use of Russian words appears to be a ‘false flag,’” the researchers wrote.
“Clearly the group behind these attacks are evolving their modus operandi in terms of capabilities – but also it seems they’re attempting to mislead investigators who might jump to conclusions in terms of attribution,” the BAE researchers acknowledged Monday.
