It reads like a movie script, a real-life Hustle. A team of sophisticated cyber criminals has been stalking private equity firms, monitoring internal systems, diverting emails, hijacking relationships, intercepting and even initiating wire transfers to steal millions of dollars from multiple organizations.
The attack, exposed by Check Point, intercepted four separate bank transfers totalling $1.3 million. Those particular victims were three PE firms, and only about half of the money was recovered. Check Point then reverse engineered the operation and uncovered a much wider set of targets. It is unknown how many have already been hit.
The report lifts the lid on how this attack group—dubbed the Florentine Banker—injects itself into a firm’s confidential business operations and then proceeds to execute financial transactions. “The effort is enormous,” Check Point’s Lotem Finkelsteen told me. “They had to learn the nature of a company, spot the relevant threads, purchase lookalike domains, impersonate both sides, establish relevant bank accounts, make the transaction, maintain mules to withdraw the money.”
The attack starts simply enough: persistent spear phishing aimed at the finance chain within target PE firms, using multiple lures to steal credentials. The phishing persists for weeks, Check Point says, “until the attackers gain a panoramic view of the entire financial picture of the company.”
Then the sophistication of the attack kicks in. Able to read emails between the target firm and third parties, the attackers begin a stalking campaign, waiting for the right opportunity to execute a material theft. That might be a request for bank details or a payment, something that would pass the firm’s internal finance checks, or even a newly instigated transfer if they judge they can get away with it.
“The level of sophistication of the attackers is very high,” Finkelsteen told me. “The attacker must fully understand the company. Who are the key people and their role, who does business with the company and at what scale, how are money transfers enacted. And, of course, the attacker who is in the middle, has to impersonate both sides in a manner that does not raise suspicion.”
The really clever twist is that, with a plan in mind, the attackers create mailbox rules within Office (now Microsoft) 365 that divert emails from specific senders, or with specific subject lines, into a folder the victim is unlikely to check but the attackers can monitor. That folder will typically carry a system name most people ignore—“RSS Feeds,” for example—so the diverted messages never show up in the inbox and the victim does not notice that part of the conversation has vanished. The Florentine Banker “can spend days, weeks or even months on reconnaissance before intervening in the communications, patiently mapping the business scheme and procedures.”
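Hunting for this kind of rule is one of the cheaper checks a defender can run. The script below is an added example, not code from Check Point or from the article: it triages a mailbox's inbox rules for the diversion pattern described above (mail from a particular sender or subject moved into an obscure folder, marked read, deleted, or forwarded out). It assumes the input is the JSON produced by `Get-InboxRule -Mailbox <user> | ConvertTo-Json -Depth 3`; the property names are the ones that cmdlet emits, while the sample rules themselves are constructed for the demo.

```python
"""Triage Exchange Online inbox rules for the mail-diversion pattern.

Added example; not from Check Point's report or the article. Input is assumed
to be the JSON written by:
    Get-InboxRule -Mailbox <user> | ConvertTo-Json -Depth 3 > rules.json
The property names are the InboxRule properties that cmdlet returns. The
sample rules in SAMPLE_EXPORT are constructed."""
import json
import re

# Folders a victim rarely opens; the report names "RSS Feeds" specifically.
OBSCURE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "deleted items", "archive", "notes"}
FINANCE_WORDS = re.compile(r"invoice|payment|wire|transfer|bank|remit|swift|iban|account", re.I)

# Constructed export: a benign filing rule, a diversion rule, an exfiltration
# rule, and a disabled leftover.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Newsletters", "Enabled": True, "Priority": 1,
     "FromAddressContainsWords": ["news@vendor-updates.example"],
     "MoveToFolder": "cfo@example-pe.com:\\Inbox\\Newsletters",
     "MarkAsRead": False, "DeleteMessage": False},
    {"Name": ".", "Enabled": True, "Priority": 2,
     "FromAddressContainsWords": ["counterparty-llp.com"],
     "SubjectContainsWords": ["invoice", "wire", "payment"],
     "MoveToFolder": "cfo@example-pe.com:\\RSS Feeds",
     "MarkAsRead": True, "DeleteMessage": False},
    {"Name": "backup", "Enabled": True, "Priority": 3,
     "RedirectTo": ["archive@mail-relay-service.example"],
     "DeleteMessage": True},
    {"Name": "old", "Enabled": False, "Priority": 4,
     "SubjectContainsWords": ["wire"],
     "MoveToFolder": "cfo@example-pe.com:\\RSS Feeds"},
])


def folder_leaf(move_to_folder):
    """MoveToFolder is rendered as 'mailbox:\\Folder\\Sub'; return the leaf folder, lower-cased."""
    if not move_to_folder:
        return None
    return move_to_folder.split("\\")[-1].strip().lower()


def _words(rule, *keys):
    """Collect string or list-valued properties into one flat list."""
    out = []
    for k in keys:
        v = rule.get(k) or []
        out.extend([v] if isinstance(v, str) else v)
    return out


def triage_rule(rule):
    """Return (suspicious, findings) for one rule. Disabled rules are skipped."""
    findings = []
    if not rule.get("Enabled", True):
        return False, findings
    hides = exfil = False
    leaf = folder_leaf(rule.get("MoveToFolder"))
    if leaf in OBSCURE_FOLDERS:
        findings.append(f"moves matching mail to obscure folder '{leaf}'")
        hides = True
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
        hides = True
    if rule.get("MarkAsRead"):
        findings.append("marks matching mail as read")
    for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if rule.get(k):
            findings.append(f"{k}: {', '.join(_words(rule, k))}")
            exfil = True
    targeted = bool(_words(rule, "FromAddressContainsWords", "From", "SubjectContainsWords"))
    if targeted:
        findings.append("keyed on a specific sender or subject")
    if any(FINANCE_WORDS.search(w) for w in _words(rule, "SubjectContainsWords", "BodyContainsWords")):
        findings.append("condition matches finance keywords")
    name = (rule.get("Name") or "").strip()
    if not name or re.fullmatch(r"[\W_]+", name):
        findings.append("blank or punctuation-only rule name")
    # Any outbound copy is suspicious on its own; hiding is suspicious when it
    # is aimed at particular senders or subjects rather than at bulk mail.
    return exfil or (hides and targeted), findings


def triage_export(json_text):
    """Map rule name -> findings for every suspicious, enabled rule in the export."""
    rules = json.loads(json_text)
    if isinstance(rules, dict):  # ConvertTo-Json emits a bare object for a single rule
        rules = [rules]
    result = {}
    for r in rules:
        suspicious, findings = triage_rule(r)
        if suspicious:
            result[r.get("Name", "?")] = findings
    return result


if __name__ == "__main__":
    for name, findings in triage_export(SAMPLE_EXPORT).items():
        print(f"[!] rule {name!r}: " + "; ".join(findings))
```

Run it against a real export and the "Newsletters"-style filing rule drops out while the dot-named rule that files counterparty invoices under RSS Feeds is flagged. Pair the mailbox-rule check with the unified audit log (New-InboxRule and Set-InboxRule events) so a rule that was created and later deleted still leaves a trace.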
The use of these email folders buys the attackers time and lets them develop their plan; they don’t need to move quickly, and they can pick their timing. They do need to keep the conversation going, though. So once they have an email thread they can use, they register a lookalike domain and send an outbound message from it, betting the recipient won’t notice the change. One letter swapped, an odd character added, and suddenly they are in direct communication with the counter-party, who believes they are still talking to the firm.
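The lookalike-domain step is where a mail gateway or a finance team's inbox can catch the swap, provided someone compares the sender's domain against the counterparties the firm actually does business with. The following is an added example, not from the article or Check Point: given a constructed list of trusted counterparty domains, it classifies a sender domain as trusted, lookalike, or unknown, catching swapped TLDs, added or dropped hyphens, homoglyph substitutions (0 for o, rn for m, a few Cyrillic confusables), trusted names embedded in a different domain, and near misses within two edits. It approximates the registrable domain as the last two labels; a production version would consult the Public Suffix List.

```python
"""Classify a sender domain against trusted counterparty domains.

Added example; not from the article or Check Point. The trusted set and the
sample senders are constructed. The registrable domain is approximated as the
last two labels (assumption; use the Public Suffix List in production)."""

# ASCII digraphs and digits that read as another letter in most fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b")]
# A handful of Cyrillic look-alikes; a full table would use Unicode TR39 confusables.
UNICODE_CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                                     "\u0440": "p", "\u0441": "c", "\u0456": "i"})


def normalize(label):
    """Fold a domain label to the ASCII string a human would read it as."""
    label = label.lower().translate(UNICODE_CONFUSABLES)
    for pattern, repl in HOMOGLYPHS:
        label = label.replace(pattern, repl)
    return label


def registrable(domain):
    """Approximate registrable domain: last two labels (assumption, see module docstring)."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Plain edit distance, used for near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain, trusted_domains):
    """Return (verdict, matched_trusted_domain, reason).

    verdict is 'trusted' (the domain or a real subdomain of it), 'lookalike'
    (close enough to a trusted domain to warrant a phone call) or 'unknown'."""
    sd = sender_domain.lower().strip(".")
    reg = registrable(sd)
    if "." not in reg:
        return "unknown", None, "not a public domain"
    trusted = [t.lower().strip(".") for t in trusted_domains]
    if reg in trusted:
        return "trusted", reg, "exact registrable domain"
    sld, tld = reg.rsplit(".", 1)
    for t in trusted:
        t_sld, t_tld = t.rsplit(".", 1)
        # counterparty-llp.com.mail-relay.net: the real name used as a prefix label.
        if t in sd and not sd.endswith("." + t):
            return "lookalike", t, "trusted domain embedded in a different registrable domain"
        if normalize(sld) == normalize(t_sld):
            if tld != t_tld:
                return "lookalike", t, "same name, different TLD"
            return "lookalike", t, "homoglyph substitution"
        if sld.replace("-", "") == t_sld.replace("-", ""):
            return "lookalike", t, "hyphen added/removed"
        # Edit distance only for longer names; short ones collide by chance.
        if len(t_sld) >= 6 and levenshtein(normalize(sld), normalize(t_sld)) <= 2:
            return "lookalike", t, "edit distance <= 2"
    return "unknown", None, "no trusted domain resembles it"


if __name__ == "__main__":
    TRUSTED = ["counterparty-llp.com", "example-pe.com"]  # constructed
    for sender in ["counterparty-llp.com", "mail.counterparty-llp.com",
                   "counterparty-llp.co", "c0unterparty-llp.com",
                   "counterpartyllp.com", "counterparty-lip.com",
                   "counterparty-llp.com.mail-relay.net", "unrelated-vendor.org"]:
        print(f"{sender:40} -> {classify_sender(sender, TRUSTED)}")
```

Anything that comes back as lookalike is a reason to stop and verify the bank details by a channel outside email, which is the control the rest of the article arrives at. Note that the check is deliberately asymmetric: a genuine subdomain of a trusted domain passes, but the trusted name appearing anywhere else in the host name is treated as hostile.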
With that done, it’s payment time. This introduces a new level of risk and complexity. The firm’s bank has its own approval controls, and a spoofed domain does nothing to get past those. But that’s fine. The transaction the attackers are riding is one the firm genuinely expects to make, to a counter-party it knows, so the only thing that needs to be wrong is the account the money lands in. And because the diverted email folders let them read and forge the firm’s internal communications, they can supply the approvals themselves, sending the right authorizations to the bank that issues the money. In practice, a transfer can be manipulated in either direction, to or from a counter-party.
The Florentine Banker even caught some breaks along the way. “The attackers noticed a planned transaction with a third party, in which the firm suggested using a U.K. bank account to speed up the process. The receiving party reported they do not possess a bank account in the U.K. The threat group provided one.”
According to Check Point, the attack it intercepted was set to swindle around $1.3 million, around half of which was recovered. This, though, is likely the tip of the hustle iceberg. That one attack used seven spoof domains, but the team found 39 other domains the attackers registered between 2018 and 2020. “We believe this is evidence that the group is marking additional targets,” Finkelsteen explained. “Its attacks are so successful they are unlikely to stop after one hit.” None of those domains are being made public, to protect the firms involved; they were used only to work out who the likely targets are, and those firms have been contacted and warned.
Check Point does not know the nationality or potential affiliations of the Florentine Banker group, but does draw parallels with a report it published last year on a simpler attack on venture capital firms distributing seed money. “The victims are carefully picked,” Finkelsteen told me. “This is not a random search for vulnerable organizations. They target organizations that invest or transfer big sums and then they work on them for months.”
Check Point warns that it’s not only the PE firms that are at risk here; the counter-parties will also find themselves vulnerable, because the attackers still hold the lookalike domains and the established relationship. “The attackers can initiate fraudulent activity with the third-parties with whom trust has been established, long after the main target has detected and removed the intruder from their network.”
Any organization using Microsoft 365 needs to ensure multi-factor authentication is enabled on every account; a stolen password alone should not open a mailbox. And wire transfers, which have proven especially lucrative for cyber criminals, need a secondary verification route that does not depend on the possibly compromised email system, such as a phone call to a number already on file, certainly for payments of material value and for any change to a counter-party’s bank details. Check Point also warns organizations discovering such compromises to inform their business partners.
This is organized crime. The hacking component forms part of a complex operation that goes beyond phishing and credential theft, email diversions and transfer protocols. “We keep saying ‘cybercrime organization,’” Finkelsteen cautioned. “But these attackers will not succeed without people who understand the targets, who can write in different languages, who have a field operation to collect the money. This is a complex operation, and hacking is just one aspect.”