Case Studies

Cyber robbery

by Mark Rowe

The international police bodies Interpol and Europol, authorities from various countries and the IT security product firm Kaspersky Lab have combined to uncover a criminal plot behind what is claimed to be an unprecedented cyber robbery. For a full report visit the Securelist website.

Up to one billion American dollars was stolen in about two years from financial institutions worldwide. The authorities report that responsibility for the robbery rests with a multi-national gang of cybercriminals from Russia, Ukraine and other parts of Europe, as well as from China.

The Carbanak criminal gang responsible for the cyber robbery used techniques drawn from the arsenal of targeted attacks. The plot marks the beginning of a new stage in the evolution of cybercriminal activity, where malicious users steal money directly from banks, and avoid targeting end users. Since 2013, the criminals have attempted to attack up to 100 banks, e-payment systems and other financial institutions in around 30 countries. The attacks remain active. According to Kaspersky Lab, the Carbanak targets included financial firms in Russia, USA, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia.

It is estimated that the largest sums were grabbed by hacking into banks and stealing up to ten million dollars in each raid. On average, each bank robbery took between two and four months, from infecting the first computer at the bank’s corporate network to making off with the stolen money.

The cybercriminals began by gaining entry into an employee’s computer through spear phishing, infecting the victim with the Carbanak malware. They were then able to jump into the internal network and track down administrators’ computers for video surveillance. This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems. In this way, the fraudsters got to know every last detail of the bank clerks’ work and were able to mimic staff activity, to transfer money and cash out.

How the money was stolen

1) When the time came to cash in on their activities, the fraudsters used online banking or international e-payment systems to transfer money from the banks’ accounts to their own. In the second case the stolen money was deposited with banks in China or America. The IT investigators do not rule out the possibility that other banks in other countries were used as receivers.

2) In other cases cyber-criminals penetrated right into the very heart of the accounting systems, inflating account balances before pocketing the extra funds via a fraudulent transaction. For example: if an account has £1,000, the criminals change its value so it has £10,000 and then transfer £9,000 to themselves. The account holder doesn’t suspect a problem because the original £1,000 is still there.

3) The thieves seized control of banks’ ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang’s henchmen was waiting beside the machine to collect the ‘voluntary’ payment.
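One defender-side check that follows from the balance-inflation scheme in step 2, as an added example in Python that is not part of the article or of Kaspersky Lab's report: it recomputes each account's balance from posted transactions and flags any ledger balance the transaction history cannot explain, plus any single outbound transfer above the bank's own norm. Account numbers, amounts and the threshold are constructed for illustration.

```python
"""Ledger reconciliation check (added example, not from the article).

Detects the 'inflate the balance, then transfer the surplus' pattern: an
account whose stored balance is larger than its posted credits and debits
support, followed by a large debit that the inflated balance made possible.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed posted transactions: (account, amount). Credits are positive,
# debits negative. A balance change not backed by one of these entries is
# exactly the residue a direct edit of the account table leaves behind.
TRANSACTIONS = [
    ("ACC-001", Decimal("1000.00")),   # legitimate deposit
    ("ACC-002", Decimal("2500.00")),
    ("ACC-001", Decimal("-9000.00")),  # fraudulent transfer out (posted)
    ("ACC-002", Decimal("-300.00")),
]

# Constructed end-of-day balances read from the core banking database.
# ACC-001 still shows 1000 after the balance was edited to 10000 and 9000
# was transferred away, so the customer sees nothing wrong; ACC-002 is clean.
LEDGER_BALANCES = {
    "ACC-001": Decimal("1000.00"),
    "ACC-002": Decimal("2200.00"),
}

# Per-institution threshold (constructed): a single debit above this is
# reported even when the ledger reconciles, since what counts as a normal
# transfer size differs from bank to bank.
LARGE_DEBIT_THRESHOLD = Decimal("5000.00")


def expected_balances(transactions):
    """Recompute each account's balance purely from posted transactions."""
    totals = defaultdict(Decimal)
    for account, amount in transactions:
        totals[account] += amount
    return dict(totals)


def reconcile(transactions, ledger, large_debit=LARGE_DEBIT_THRESHOLD):
    """Return (account, finding, value) alerts.

    'unexplained_balance' is ledger balance minus what the transaction history
    supports; a positive gap means funds appeared without a posted credit.
    'large_debit' flags a single outbound transfer above the bank's norm.
    """
    alerts = []
    expected = expected_balances(transactions)
    for account in sorted(set(expected) | set(ledger)):
        gap = ledger.get(account, Decimal(0)) - expected.get(account, Decimal(0))
        if gap != 0:
            alerts.append((account, "unexplained_balance", gap))
    for account, amount in transactions:
        if amount < 0 and -amount > large_debit:
            alerts.append((account, "large_debit", -amount))
    return alerts


if __name__ == "__main__":
    for alert in reconcile(TRANSACTIONS, LEDGER_BALANCES):
        print(alert)
```

Run against the constructed data, ACC-001 is reported twice: a £9,000 balance gap the transaction log cannot account for, and a £9,000 debit above the institution's threshold.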

Comments

Sergey Golovanov, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team, said: “These bank heists were surprising because it made no difference to the criminals what software the banks were using. So, even if its software is unique, a bank cannot get complacent. The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery.”

Sanjay Virmani, Director of the INTERPOL Digital Crime Centre, said: “These attacks again underline the fact that criminals will exploit any vulnerability in any system. It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures. Identifying new trends in cybercrime is one of the key areas where INTERPOL works with Kaspersky Lab in order to help both the public and private sectors better protect themselves from these evolving threats.”

Industry views

Andy Settle, Chief Cyber Security Consultant & Head of Practice at Thales UK said that the Carbanak bank heist further demonstrates the capacity for criminals to execute sophisticated, multi-faceted cyber-attacks on a large scale. “To have incorporated so many different levels to achieve their goal, including hijacking physical security networks and remotely operating ATM machines, shows that this was meticulously planned to achieve optimum control for optimal results.

“Perhaps the most salient point for organisations is that this was only achieved due to human error. Without unsuspecting employees clicking on the spear phishing links, the criminals would never have been able to infiltrate and control the network, nor reap this immense amount of money. And they are in good company, as this was the same modus operandi for the attack on computer security giant RSA, whose staff also clicked on targeted malicious email in 2011.

“If anything, this illustrates that people will always present an organisation’s biggest weakness; no matter how good its technological defences are. Organisations need to ensure not only that they have confidence in the ability and integrity of staff and contractors, but that they have adequate measures to address matters when they do go wrong. This means in the first part – providing them with comprehensive cyber education to avoid similar mistakes, and the austere repercussions and reputational damage that they bring, occurring on their own doorstep. But when all is said and done, organisations have to learn to accept that they are made up of humans and not machines.”

Dave Hartley, Managing Security Consultant at MWR InfoSecurity, said: “The UK security industry has been prepared for this ‘levelling-up’ of the cyber criminal fraternities and the increased cyber threat. Measures are already in place to deal with the problem, and have been for some time.

“UK financial institutions submit themselves to simulated targeted attacks designed specifically to emulate the activities of real world hackers in order that they can better defend their systems when the attack comes for real. This is performed as part of the CBEST/CSTAR schemes. The financial sector in the UK benefits from a scheme that is specifically designed to help financial organisations, but is also available to all commercial sectors of trade and commerce, to combat advanced threat actors and increase their cyber resilience to such targeted attacks.

“The scheme is known as CBEST and CSTAR, and MWR has been successfully assessed to supply penetration testing services as part of the scheme. CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests. The public can have every confidence in the financial institutions engaged in the scheme to be doing everything they can to protect themselves and the public’s finances.

“MWR has worked with commercial and financial organisations for many years. Security is a cost of doing business, and this has been the case for a long time, and will continue to be so. An increased spend in such economically unstable times for many is unlikely; what is much more likely, and a more sensible, frugal and smarter spend, is a cyber security program that combines human intelligence with technology solutions.

“It comes as no surprise to MWR that the initial foothold that was obtained by the attackers was via a phishing attack; this technique continues to be a winning strategy over and over again. MWR’s Phish’d service is a testament to this reality. When we run controlled phishing assessments against our clients for the first time, we often see a 60% success rate. This falls dramatically in subsequent engagements. What may come as a surprise to some is how long the attackers maintained their access for, unnoticed. If the initial compromise has been missed, there is a small window of opportunity for the defensive team within the compromised organisation to react, if they are looking for the right indicators of compromise (IOC).

“It is very likely that the compromised finance firms relied on numerous SIEM solutions to defend their environments. The breaches however illustrate that reliance on technology alone is not going to get the job done. A motivated and creative human attacker will almost always beat off-the-shelf compliance driven defences. MWR’s cyber defence and incident response teams (one of the select few appointed by GCHQ and CPNI to be part of the UK Cyber Incident Response scheme) have found when working with clients to defend / respond to similar attacks, that they are almost impossible to detect, if you don’t have the right human intelligence augmenting deployed defensive technologies.

“The funds transfer systems employed by financial organisations have many moving parts. Contrary to popular belief, it’s not that easy to siphon out cash, not at the push of a single button at least. There are a number of digital and physical stacked safeguards, countermeasures and processes in place. This is why the attackers observed the bank’s employees for so long. MWR’s methodology, when contracted to conduct simulated exercises of this nature, is very similar to that employed by the attackers. It takes a long time to fully understand the inner workings of a financial institution and their procedural and digital nuances. For example, a transfer of £100,000 to a fraudulent account may go unnoticed in an institution that is used to transferring in excess of £100,000 per transfer; however, in another organisation that amount wouldn’t be authorised and would actually set the alarm bells ringing. These rules are personal to each financier.

“The tradecraft employed differs from attacker to attacker, however in principle most apply a similar approach. Once an initial foothold is obtained, the threat actor will perform internal reconnaissance looking to identify opportunities for lateral and vertical movement within the network. They’ll also begin to locate key systems and escalate their privileges. Once this activity is complete, they will often go very quiet, and wait and watch. A SIEM run by a competent team of security professionals, who are threat intelligence driven and who understand the threats to the business, can defend the network. An augmented intelligence driven approach is key.”

Kevin Epstein, VP of Advanced Security and Governance at Proofpoint called it a classic attack, remarkable only for the level of loss — which he claimed is unlikely to remain record-setting for long. He said: “We see and block these attacks every hour of every day. Banking malware and phishing tactics are evolving faster than banks gateway appliances can update. The magnitude should serve as a wakeup call for any institution not yet using modern cloud-based targeted attack protection and threat response systems. For companies only using legacy anti-spam systems, it is only a matter of time — possibly hours — until the next such breach.”

“The Carbanak news may initially be seen as simply another security breach. However, what is especially important about this is that its sophistication perfectly highlights how quickly threats are now evolving – if you were going to draft the definition of a modern cyber attack, this would be it. The potentially huge losses stem from a series of attacks that seem to have been working away for two years. This is not the ‘quick fire attack’ of old.”

Rob Norris, Director Enterprise & Cyber Security, Fujitsu UK and Ireland, said: “Aside from the financial losses, these threats are very damaging because they can impact consumer confidence at a time when banks are trying to encourage customers to ‘go digital’ and thereby potentially give any hacker access to even more personal data. According to our own research, more than one in five of us will always use a digital service when it is offered by an organisation. Yet concerns are still rife currently. Of the 12% UK consumers who said they never use digital services when offered, the second highest reason given for this was security concerns.”

“With 52% of IT decision makers stating that they are concerned about security, the changing threat landscape calls for organisations to prepare. To do this effectively they need to focus on what’s important to them and the related threats which will have the most impact on them. Many organisations can be panicked by industry noise created by issues, which often will not impact them. Instead they need to take a risk-based approach, enabling them to target security capabilities in a way which helps them defend against those threats which actually pose a risk to their business. The basics are also essential and should include strong passwords, two-factor authentication, patching, risk assessments and IT health checks.”

Richard Cassidy, technical director EMEA at Alert Logic, said: “It’s clear that over the past decade spending on IT and – more specifically – security has been increasing at an exponential rate. We’ve also seen a tectonic shift in mindsets from a security perspective within the finance sector generally; not least because of the proliferation of threats, many of which were highly publicised. Overall this means that banks are incorporating security practices at the forefront of IT spend and looking to adopt better practices through new technologies and services.

“Unfortunately, given the proliferation of successful attacks across our financial industry, it is clear that further investment is needed, or at the least a re-focus in how effectively existing budgets are being utilised. The main challenge organisations face today is that hacker cells have become incredibly sophisticated at how they target and infiltrate victims. In many respects the industry is a victim of the rate at which existing technologies have matured, making it extremely hard to infiltrate target networks through legacy channels; gone are the days of old “smash-and-grab” heists – we now face a new age where hackers are having to work much harder and smarter in getting through the front door, taking their time to profile their targets, understanding the weakest links and ultimately focusing on the tried and tested methods of social engineering through targeted spear-phishing campaigns and malware embedded in malicious e-mail links or files. All said, however, the industry is not doing our finance organisations any favours with code exploits seen at an alarming rate in our most used web-based and office applications, many of which are “zero-day” threats that existing point security solutions alone can be very ineffective at detecting.

“Financial organisations need to re-focus on how they can monitor their organisation’s IT infrastructure (users and technology) for threat and non-compliance activity, as opposed to spending more on technology itself. Organisations should look to invest in services around security, where data transactions are monitored 24×7 for indicators of compromise or threat and non-compliance activity by organisations whose sole focus is on detecting such activity and who themselves invest heavily in threat intelligence and analytics across the industry as a whole. If partnership with external services-based companies is not your ‘cup-of-tea’, then looking to build out internal security operation centres manned 24×7 with access to real-time threat intelligence has to be an area of focus for IT spend; however, one would question how fast a finance organisation could scale to ensure effectiveness of such a service internally, without the increased risk of further data-loss and/or breaches in the interim. The fact of the challenge is that it’s less about technologies themselves and more about data-analytics of the content those technologies provide in real-time; that is the answer to detecting the new age of “zero-day” threats.

“Ultimately if financial organisations continue to lose data or suffer breaches at the rate we are seeing over the past 12 months, then it’s the consumer that will end up paying more. Not least in terms of collateral damage where our personal data is now being sold on the underground markets or released to the public domain, but also in terms of these organisations looking to spend more reactively in trying to protect themselves most likely by continuing spend without a change of IT security strategy. We have a lot to learn in the financial sector from each and every breach suffered in the industry – the smart money will be spent on deep analysis of how successful breaches proliferated and understanding the “anatomy of defence” against these attackers, looking to methodologies built around things such as “the kill chain for intrusion detection” and how our own processes and capabilities map, thus revealing our areas of weakness and where focus needs to be applied.”

Dwayne Melancon, CTO of Tripwire, said: “This is a clear example of how most enterprises fall short in detecting damaging changes to their cyber infrastructure. Malware leaves a trace when it compromises a system – even custom malware. Unfortunately, most of the time, that mark goes unnoticed because enterprises haven’t established a baseline, or known good state, and aren’t continuously monitoring for changes to that baseline. Not only does this lack of awareness make it easier for criminals to gain a foothold, it makes it difficult, time-consuming, and very expensive to determine which systems can be trusted after the fact, and to determine how to remove the contaminated systems from the network.

“This should be a wake-up call for enterprises to take a step back and make sure they nail the fundamentals: maintain an accurate inventory of all the devices and applications on your network; reduce your attack surface by ensuring that all your systems and applications are configured securely according to a well-vetted security standard; scan for and patch any known vulnerabilities; and continuously monitor for changes and unusual behaviour within your network.”

Neil Costigan, CEO BehavioSec, said: “It’s not only the scale of the attacks that will ring alarm bells, but the type – each “bank robbery” is reportedly taking between two and four months. We are no longer talking about one man with a balaclava, but protracted, sophisticated, patient attacks, with criminals lurking for months to learn the banks’ systems. This approach is viable, so long as the banks rely on outdated, “one off” authentication requests. The majority of these attacks play on the simple fact that if the intruder can get hold of the key to the front door, they are free to peruse the contents of the house, safe in the knowledge that no-one will challenge their identity once they’re in. As soon as the user verification is a one-off in this way, there’s a risk. Hackers can ‘learn’ systems, though no amount of observation will enable them to mimic the nuances that are detected through continuous behavioural monitoring and authentication. We cannot simply map old security techniques onto today’s digital age and expect them to work. New points of weakness require new defences.”

And Mark Bower, VP Product Management, Voltage Security, said: “Cybercriminals have got the infection-to-cash cycle down to a fine art, proving crime does pay when the victim’s perimeter can be bypassed and systems manipulated at will. Today, there are few defenses against this level of attack sophistication – but new methods have emerged to fight back, especially data-centric security, which works by making stolen data completely useless to the criminals who steal it.

“If the data driving transactions, ledgers, and balances is encrypted at the data field level with modern Format-Preserving Encryption methods, as opposed to the storage level encryption which does not mitigate these threats, the data can be securely armoured so that data tampering without invoking multiple alarms or errors when it is manipulated is practically impossible. This technique is already in place in leading banks, payment processors and Healthcare networks today as a primary defence against advanced threats and the data breach risks they entail.”

© 2024 Professional Security Magazine. All rights reserved.