A sophisticated financial cybercrime campaign is targeting accountants at Russian companies, using compromised workstations and fraudulent salary payment orders to siphon millions of rubles from corporate bank accounts. According to reporting by The Record, the largest confirmed single theft in this campaign exceeds 14 million rubles (approximately $160,000 USD at current rates), with total losses across multiple victims running into the tens of millions.
The Attack Pattern
The campaign follows a consistent, well-refined playbook that blends technical intrusion with social engineering:
Step 1: Accountant Workstation Compromise
Attackers gain a foothold on the target by infecting the accountant's computer — typically through spear-phishing emails carrying malicious attachments or links, or via drive-by download from compromised financial or accounting-related websites. Once installed, the malware establishes remote access and begins monitoring the victim's banking activity.
Step 2: Banking Session Monitoring
With access to the accountant's machine, attackers observe legitimate banking sessions over days or weeks, learning:
- Which banking portal the company uses
- Standard payment patterns, amounts, and frequencies
- Authorized payee lists and salary schedules
- How the accountant authenticates (tokens, SMS OTP, etc.)
Step 3: Fraudulent Transfers Disguised as Salary Payments
At the optimal moment — often shortly before a legitimate payroll run when large transfers are expected — attackers inject or modify payment instructions to reroute funds to attacker-controlled accounts. The transfers are deliberately structured to mimic the format, timing, and amounts of normal salary payments, making them difficult to distinguish from legitimate payroll until the recipient employees fail to receive their salaries.
In some cases, attackers leverage banking trojans that intercept and modify payment details in real time as the accountant submits a legitimate transaction, substituting the destination account without the accountant seeing the change on their screen.
Why Accountants Are the Target
Accountants represent a uniquely valuable target profile for this type of attack:
| Factor | Why It Matters |
|---|---|
| Authorized banking access | Accountants hold credentials for corporate banking portals with high transaction limits |
| Routine large transfers | Regular salary runs, vendor payments, and tax payments make large outflows expected and unremarkable |
| Trust by finance systems | Payment instructions from accountants' workstations are trusted by internal controls |
| Salary payment camouflage | Salary-formatted transfers evade automated fraud detection tuned to flag unusual payee types |
| Time pressure | Payroll deadlines create urgency that reduces scrutiny of individual payments |
Scale and Impact
Russian law enforcement and cybersecurity researchers tracking this campaign have confirmed:
- Multiple Russian companies across various sectors have been victimized
- The largest single theft confirmed exceeds 14 million rubles
- Total stolen across identified incidents runs into tens of millions of rubles
- Many victims only discovered the fraud when employees reported missing salary payments
The delayed discovery is a key feature of the attack: by the time the fraud is identified, the funds have typically been transferred through multiple intermediary accounts and are difficult to trace or recover.
Attribution and Threat Actor Profile
The campaign does not appear linked to nation-state actors or geopolitically motivated groups. Based on the financial modus operandi, researchers assess this is the work of financially motivated cybercriminal groups with established infrastructure for:
- Phishing campaigns targeting corporate finance staff
- Banking trojan deployment and management
- Money mule networks for rapid laundering of stolen funds
This type of operation has parallels with Business Email Compromise (BEC) schemes targeting Western companies, adapted for the Russian banking ecosystem, which uses different payment platforms and authentication methods.
Defensive Recommendations
Russian companies — and organizations globally with similar accountant-controlled payment workflows — should implement the following controls:
Technical Controls
- Endpoint detection and response (EDR) on all finance workstations with behavioral monitoring for banking sessions
- Application allowlisting on accountant workstations to block unauthorized executables
- Out-of-band verification for all payroll runs — confirmation via phone call or secondary channel before submission
- Threshold-limited banking portal access for accountants — require a second approver for any transfer above a defined limit
Process Controls
- Dual authorization for salary and payroll transfers — two separate authenticated users must approve large batches
- Callback verification — before executing payroll, a manager or finance supervisor must verify the batch total via phone
- Reconciliation alerts — automated comparison of submitted payroll vs. previous cycle to flag unusual deviations
- Employee salary receipt confirmation — establish a process where payroll receipt failures from employees trigger immediate investigation
Detection Signals
| Signal | Action |
|---|---|
| Payment to new bank account formatted as salary | Hold for manual review |
| Bulk salary transfer submitted outside normal payroll window | Alert finance supervisor |
| Accountant machine accessing banking portal from new location or IP | Trigger step-up authentication |
| Banking trojan indicators on finance workstations | Isolate immediately, freeze pending payments |
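The reconciliation alert from the process controls and the first three detection signals above can be implemented as a pre-submission screen on each payroll batch. The following is an added example written for this article; it is not code from The Record or from any vendor named here. Every payee name, account number, timestamp and threshold in it is constructed for illustration, and the payroll window and deviation limit are assumed policy values an organization would tune to its own cycle.

```python
"""Payroll batch screening: flags the detection signals listed in the article.

Added example, not from the original report. All payee names, account numbers,
amounts and policy thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Payment:
    payee: str
    account: str   # destination account identifier (constructed)
    amount: float  # rubles
    purpose: str   # free-text purpose field as entered in the banking portal


@dataclass
class PayrollBatch:
    submitted_at: datetime
    payments: list


# Constructed reference data: accounts on file per employee and the last cycle.
KNOWN_ACCOUNTS = {
    "Ivanov I.I.": "40817810000000000001",
    "Petrova A.S.": "40817810000000000002",
    "Sidorov P.P.": "40817810000000000003",
}
PREVIOUS_CYCLE_TOTAL = 540_000.0
PREVIOUS_CYCLE_COUNT = 3

# Assumed policy values: days of month and working hours of a normal payroll run,
# and how far the batch total may move from the previous cycle before alerting.
PAYROLL_WINDOW_DAYS = {5, 20}
PAYROLL_WINDOW_HOURS = range(9, 19)
TOTAL_DEVIATION_LIMIT = 0.15
SALARY_KEYWORDS = ("salary", "зарплата", "заработная плата")


def is_salary_formatted(purpose: str) -> bool:
    """True when the purpose text presents the payment as a salary transfer."""
    p = purpose.lower()
    return any(k in p for k in SALARY_KEYWORDS)


def screen_batch(batch, known_accounts=KNOWN_ACCOUNTS,
                 prev_total=PREVIOUS_CYCLE_TOTAL, prev_count=PREVIOUS_CYCLE_COUNT):
    """Return (holds, alerts).

    holds:  salary-formatted payments whose destination account is not the one
            on file for that payee (a substituted or injected payee) -> manual review.
    alerts: batch-level findings for the finance supervisor (timing, deviation).
    """
    holds, alerts = [], []

    # Signal 1: payment formatted as salary but going to an account not on file.
    for p in batch.payments:
        if is_salary_formatted(p.purpose) and known_accounts.get(p.payee) != p.account:
            holds.append((p.payee, p.account, "salary payment to account not on file"))

    # Signal 2: bulk submission outside the normal payroll window.
    t = batch.submitted_at
    if t.day not in PAYROLL_WINDOW_DAYS or t.hour not in PAYROLL_WINDOW_HOURS:
        alerts.append(f"submitted outside payroll window: {t.isoformat()}")

    # Signal 3: reconciliation against the previous cycle (total and payee count).
    total = sum(p.amount for p in batch.payments)
    if prev_total and abs(total - prev_total) / prev_total > TOTAL_DEVIATION_LIMIT:
        alerts.append(f"batch total {total:.0f} deviates from previous {prev_total:.0f}")
    if len(batch.payments) != prev_count:
        alerts.append(f"payee count {len(batch.payments)} differs from previous {prev_count}")

    return holds, alerts


# Constructed sample: a tampered batch (one account substituted, one payee injected,
# submitted late at night the day before payroll) and a clean batch for comparison.
SAMPLE_BATCH = PayrollBatch(datetime(2024, 5, 19, 22, 30), [
    Payment("Ivanov I.I.", "40817810000000000001", 180_000.0, "Salary May 2024"),
    Payment("Petrova A.S.", "40817810000000000002", 180_000.0, "Salary May 2024"),
    Payment("Sidorov P.P.", "40817810000000000009", 180_000.0, "Salary May 2024"),
    Payment("Kuznetsov V.V.", "40817810000000000010", 400_000.0, "Зарплата май 2024"),
])
CLEAN_BATCH = PayrollBatch(datetime(2024, 5, 20, 10, 0), [
    Payment("Ivanov I.I.", "40817810000000000001", 180_000.0, "Salary May 2024"),
    Payment("Petrova A.S.", "40817810000000000002", 180_000.0, "Salary May 2024"),
    Payment("Sidorov P.P.", "40817810000000000003", 180_000.0, "Salary May 2024"),
])

if __name__ == "__main__":
    for name, batch in (("tampered", SAMPLE_BATCH), ("clean", CLEAN_BATCH)):
        holds, alerts = screen_batch(batch)
        print(f"{name}: {len(holds)} hold(s), {len(alerts)} alert(s)")
        for h in holds:
            print("  HOLD ", h)
        for a in alerts:
            print("  ALERT", a)
```

The screen is deliberately keyed on the account on file rather than on the payee name, because the substitution described above leaves the name and amount untouched and changes only the destination. Running it before the batch reaches the bank, on a host other than the accountant's workstation, matters: a trojan that rewrites the order on the submitting machine can also rewrite what that machine displays, so the reference data and the check should live outside it.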
Source: The Record — Cybercriminals hack Russian accountants to steal millions