Great Cyber Bank Heist: $1 Billion theft highlights danger posed by financial cyber threats


By Bill Gertz
Banks and financial institutions around the world were hit in a major cyber attack by criminals using nation-state-level malware that siphoned off an estimated $1 billion in cash, highlighting the growing cyber threat to financial institutions.

A report by the Russia-based Kaspersky Lab security firm, “The Great Bank Robbery,” warned that the attacks, which began in late 2013, are ongoing. The report identified the methods used by the cybercriminals as widely used spear-phishing emails that loaded sophisticated espionage malware into networks after unsuspecting victims clicked on the infected links.

The attacks affected financial firms in Russia, the United States, Germany, China, Ukraine and other states. None of the firms were identified by name.

Law enforcement agencies and the financial institutions that were victimized in the attacks face “cumulative losses of up to $1 billion,” the report said, putting the crime spree at the top of the world’s most costly cyber attacks.

“These attacks again underline the fact that criminals will exploit any vulnerability in any system,” said Sanjay Virmani, director of INTERPOL’s Digital Crime Center. “It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures.”

The security report concluded that the attacks “represent a new and disturbing trend in the cybercrime market of increasing attack sophistication.”

The hackers have not been identified, but speculation centers on Russian or Eastern European cyber crime groups, or possibly a Chinese crime gang. Some of the money was sent to Chinese banks, an indication of an Asian link.

“The motivation for the attackers, who are making use of techniques commonly seen in [nation-state threats], appears to be financial gain as opposed to espionage,” the report said.

The staggering losses of tens or hundreds of millions of dollars to cyber criminals represent a new level of financial cyber threat, one that extends beyond industrial-scale crime. Analysts say this level of financial attack presents strategic economic and national security risks that should be an important wake-up call for financial institutions.

Technically, the crime gang used fake emails disguised as legitimate banking communications that carried malicious Microsoft Word 97-2003 documents (.doc) and Control Panel Applet (.CPL) files.

The hackers were able to exploit vulnerabilities within Microsoft Office and Microsoft Word software. The software holes allowed the implantation of backdoor software known as Carbanak.

“Carbanak is a remote backdoor (initially based on Carberp), designed for espionage, data exfiltration and to provide remote access to infected machines,” the report said. 


Once inside, the hackers conducted reconnaissance and mapped the networks. They then gained access to critical network infrastructure and installed additional malware that let them move through the networks and reach money-processing services, automated teller machines (ATMs) and financial accounts.

Some of the attacks used Society for Worldwide Interbank Financial Telecommunication (SWIFT) networks to transfer money to designated accounts. Other attacks manipulated Oracle databases to open payment or debit card accounts at the same bank, or transferred money between accounts using the online banking system.

Additionally, ATM networks were used to retrieve cash from machines and human “mules” collected it.

The attackers used video recordings of bank employees and system administrators, most likely to record their input of passwords or other security communications involved in banking and funds transfers.

The security firm estimated that half of the 100 banks and financial institutions struck by the cybercriminals took multi-million-dollar losses. One bank lost $7.3 million to ATM fraud and another was taken for $10 million through the exploitation of its online banking program.

The criminals moved the funds to banks in the United States and China.

“Telemetry indicates that the attackers are expanding operations to other regions, such as Asia, the Middle-East, Africa and Europe,” the report said.

“Despite increased awareness of cybercrime within the financial services sector, it appears that spear phishing attacks and old exploits (for which patches have been disseminated) remain effective against larger companies,” the report concludes.

Banks have relied on advanced controls and fraud detection systems aimed at spotting fraud within customer accounts. The Carbanak cyber gang was able to bypass that fraud protection by using the SWIFT network, updating balances for account holders and using the ATM networks.

“In neither of these cases did the attackers exploit a vulnerability within the service,” the report said. “Instead, they studied the victim’s internal procedures and pinpointed who they should impersonate locally in order to process fraudulent transactions through the aforementioned services.”
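The bypass described above works because per-transaction fraud scoring never sees a balance that was rewritten directly in the core database, or an account that was created the same way. The control that does catch it is a reconciliation between stored balances and the posted ledger. The script below is an added illustration, not code from the article or from Kaspersky Lab; the account numbers, balances and transactions are constructed.

```python
"""Reconcile stored balances against the posted ledger to surface direct
database manipulation (inflated balances, accounts with no opening record).
Added example with constructed data; not from the article or the report."""
from collections import defaultdict
from decimal import Decimal

# Constructed: balances as the core banking system holds them right now.
STORED_BALANCES = {
    "ACC-1001": Decimal("1200.00"),
    "ACC-1002": Decimal("50500.00"),  # rewritten in the database, no ledger support
    "ACC-1003": Decimal("310.50"),
    "ACC-1004": Decimal("20000.00"),  # account absent from the verified snapshot
}

# Constructed: balances from the last verified end-of-day snapshot.
OPENING_BALANCES = {
    "ACC-1001": Decimal("1000.00"),
    "ACC-1002": Decimal("500.00"),
    "ACC-1003": Decimal("300.00"),
}

# Constructed: transactions posted since the snapshot as (account, signed amount).
TRANSACTIONS = [
    ("ACC-1001", Decimal("200.00")),
    ("ACC-1003", Decimal("10.50")),
]


def reconcile(stored, opening, transactions):
    """Return {account: {"expected", "stored", "reason"}} for every account
    whose stored balance is not explained by opening balance plus postings.
    reason is "unknown_account" when the snapshot never saw the account."""
    expected = defaultdict(Decimal, opening)   # missing accounts default to 0
    for account, amount in transactions:
        expected[account] += amount
    findings = {}
    for account in sorted(set(stored) | set(expected)):
        stored_bal = stored.get(account, Decimal("0"))
        if stored_bal != expected[account]:
            reason = "unknown_account" if account not in opening else "balance_mismatch"
            findings[account] = {"expected": expected[account],
                                 "stored": stored_bal, "reason": reason}
    return findings


if __name__ == "__main__":
    for acct, f in reconcile(STORED_BALANCES, OPENING_BALANCES, TRANSACTIONS).items():
        print(f"{acct}: {f['reason']} (ledger {f['expected']}, stored {f['stored']})")
```

In practice the snapshot and ledger would come from an independent store or write-once log so that the same database write that inflates a balance cannot also adjust the reference the check compares against.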

“We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers,” the report said, adding that sophisticated cyber spying is “not only for stealing information anymore.”

Many security analysts in the United States remain wary of Kaspersky Lab because of its links to Russia. The company was founded by Eugene Kaspersky, who worked for the Russian military before launching Kaspersky Lab in 1997.
Feb. 22, 2015