Cybercriminals Target Accountants - Millions Stolen from Firms

Significant risk — action recommended within 24-48 hours
Basically, hackers trick accountants into transferring money to them by pretending it's for salaries.
Cybercriminals are targeting accountants in Russian firms to steal millions by disguising fraudulent transfers as salary payments. This highlights serious vulnerabilities in financial security.
What Happened
Cybercriminals have launched a sophisticated attack targeting accountants in Russian firms, stealing millions by disguising fraudulent transfers as salary payments. Researchers from the cybersecurity firm F6 reported that the group known as Hive0117 executed these attacks between February and March 2026, affecting over 3,000 organizations.
How It Works
The attackers utilized phishing emails to compromise accountants' computers. These emails appeared legitimate, often sent from compromised accounts, and contained password-protected attachments masquerading as routine business documents. When victims opened these files, they unknowingly executed a hidden malware file, which installed DarkWatchman, a remote access trojan.
Once the malware was active, attackers gained covert control over the infected systems, allowing them to access corporate online banking portals. They created fraudulent payment orders that looked like legitimate salary transfers, routing funds to accounts they controlled. The largest theft reported exceeded 14 million rubles (around $178,000).
Who's Being Targeted
The primary targets of this campaign are accountants and finance departments within Russian companies. This focus on financial personnel highlights the vulnerability of corporate finance systems to social engineering tactics.
Signs of Infection
Organizations should be vigilant for signs of phishing attempts, especially emails that contain unexpected attachments or requests for sensitive information. Indicators of compromise include:
- Unusual login activity from accounting systems
- Unexpected transactions in bank accounts
- Reports of employees receiving suspicious emails
How to Protect Yourself
To safeguard against these types of attacks, companies should implement the following measures:
- Employee Training: Regularly educate staff on recognizing phishing attempts and suspicious emails.
- Email Filtering: Utilize advanced email filtering solutions to detect and block malicious emails before they reach employees.
- Multi-Factor Authentication (MFA): Enforce MFA for access to corporate banking systems to add an extra layer of security.
- Regular Audits: Conduct regular audits of financial transactions to quickly identify any unauthorized activities.
Conclusion
The Hive0117 group has been active since late 2021 and has previously targeted various sectors beyond Russia, including Lithuania and Kazakhstan. Their operations demonstrate a persistent threat to corporate finance departments, emphasizing the need for robust cybersecurity measures to protect sensitive financial data.
🔍 How to Check If You're Affected
1. Monitor for unusual login attempts in financial systems.
2. Check for unexpected transactions or payment orders.
3. Review email logs for phishing attempts targeting finance staff.
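One way to carry out the payment-order check is to reconcile every order labelled as salary against the payroll register. This is an added example, not code from F6 or the original article. The account identifiers, keyword list, tolerance, working hours and order fields are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal

# Constructed payroll register: beneficiary account -> expected net pay (RUB).
PAYROLL = {"ACC-EMP-001": Decimal("95000"), "ACC-EMP-002": Decimal("120000")}
SALARY_KEYWORDS = ("salary", "payroll", "wages")  # assumed purpose-field markers
TOLERANCE = Decimal("0.10")   # assumed: up to 10% above the register amount is normal
WORK_HOURS = range(8, 20)     # assumed: orders are normally created 08:00-19:59

@dataclass(frozen=True)
class Order:
    order_id: str
    purpose: str
    beneficiary: str
    amount: Decimal
    created: datetime

def review_order(order, payroll=PAYROLL):
    """Return the reasons a salary-labelled order needs manual review."""
    if not any(k in order.purpose.lower() for k in SALARY_KEYWORDS):
        return []  # not presented as a salary payment; out of scope here
    reasons = []
    expected = payroll.get(order.beneficiary)
    if expected is None:
        reasons.append("beneficiary not in payroll register")
    elif order.amount > expected * (1 + TOLERANCE):
        reasons.append("amount exceeds register salary")
    if order.created.hour not in WORK_HOURS:
        reasons.append("created outside working hours")
    return reasons

def flag_orders(orders, payroll=PAYROLL):
    """Map order_id -> reasons for every order that fails reconciliation."""
    results = ((o.order_id, review_order(o, payroll)) for o in orders)
    return {oid: reasons for oid, reasons in results if reasons}

# Constructed sample export from an online-banking portal.
SAMPLE_ORDERS = [
    Order("PO-1", "Salary March", "ACC-EMP-001", Decimal("95000"), datetime(2026, 3, 10, 11, 5)),
    Order("PO-2", "Salary March", "ACC-UNKNOWN-9", Decimal("1400000"), datetime(2026, 3, 10, 23, 40)),
    Order("PO-3", "Payroll bonus", "ACC-EMP-002", Decimal("450000"), datetime(2026, 3, 11, 14, 0)),
    Order("PO-4", "Invoice 118", "ACC-VENDOR-3", Decimal("30000"), datetime(2026, 3, 11, 2, 0)),
]

if __name__ == "__main__":
    for oid, why in flag_orders(SAMPLE_ORDERS).items():
        print(oid, "->", "; ".join(why))
```

Flagged orders are candidates for manual review with the bank, not proof of compromise; the register must come from a source the accountant's workstation cannot modify.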
🔒 Pro insight: This attack strategy underscores the critical need for enhanced cybersecurity training within finance departments to combat social engineering threats.