The Great Cyber Bank Robbery
The great cyber bank robbery of 2015 reached into twenty-nine top Russian banks and is now attributed to the infamous “Carbanak” criminal gang. The attackers relied on long-standing APT tools, and sophisticated entry through spear-phishing emails aimed at bank employees’ browsers let the malware into the banks.
Once the victims asked for help, Kaspersky Lab began working with Interpol in January 2015 to uncover the hackers. A multinational group of three separate cybercriminals was uncovered. They had carried out the cyber bank heist and stolen one billion American dollars over a period of two years. Their criminal plot was traced back to 2013, and the investigation found cyber theft from over one hundred banks in thirty countries around the world.
Arrests have led to the capture of cybercriminals from Russia, Ukraine and other parts of Europe, as well as from China. The Carbanak gang responsible for the cyber robbery used several techniques drawn from the updated cyberattack playbook. This level of cybercrime marks a new era in the evolution of criminal activity: malicious actors steal money directly from the banks instead of targeting end users.
The investigation by Kaspersky Lab and its Global Research and Analysis Team (GReAT) revealed three separate groups of hackers who inflicted many millions of dollars in financial damage on the banks. At the Security Analyst Summit 2016, experts from GReAT presented an investigation report. For the sake of future security, the names of the victims have been kept anonymous.
Here is a summary from the Interpol Global Complex of the actions taken in April 2015, when servers in the Netherlands were seized and servers in the US, Russia, Luxembourg and Poland were taken offline simultaneously.
This is expected to significantly disrupt the botnet’s operation. It will increase the cost and risk for cybercriminals intent on continuing their illegal business and will prevent victims’ computers from participating in malicious schemes.
Simda is a “pay-per-install” malware used to distribute illicit software and different types of malware, including those capable of stealing financial credentials. The pay-per-install model allows cybercriminals to earn money by selling access to infected PCs to other criminals who then install additional programs on it.
Simda is distributed by a number of infected websites redirecting to exploit kits. The attackers compromise legitimate web sites/servers so that the web pages served to visitors include malicious code. When users browse these pages, the malicious code silently loads content from the exploit site and infects a non-updated PC.
The Simda botnet has been seen in more than 190 countries, with the US, UK, Russia, Canada and Turkey being the worst affected.
The bot is believed to have infected 770,000 computers worldwide, with the vast majority of victims located in the US (more than 90,000 new infections since the start of 2015).
Active for years, Simda had been increasingly refined to exploit any vulnerability, with new, harder-to-detect versions being generated and distributed every few hours. At the moment, Kaspersky Lab’s virus collection contains more than 260,000 executable files belonging to different versions of Simda malware.
The unprecedented level and depth of the cyberattack were noted in February 2015 by Sergey Golovanov, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team:
These bank heists were surprising because it made no difference to the criminals what software the banks were using. So, even if its software is unique, a bank cannot get complacent. The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery.
The Carbanak team continued to surface throughout 2015.
Today, Kaspersky Lab and the experts from its Global Research and Analysis Team (GReAT) delivered an updated investigation report. For the sake of future security, the victims’ identities have not been disclosed. The ATM is the end game for the cybercriminals.
The team found that a banking Trojan named Metel, also known as Corkow, was malware built for hunting users of online banking systems. The bank criminals went into full attack in 2015 and achieved massive infiltration.
The attack infected the bank’s entire system so that each card transaction was rolled back, leaving the balance showing no change. This let the criminals withdraw the cash available in an ATM and then repeat the action at the next series of the bank’s ATM locations.
The criminals’ next step was transferring the money to e-currency services. The gang infiltrated the devices of HR and related accounting personnel and waited until the system administrator logged into the system. If they wanted to move faster on the theft, they crashed Microsoft Word or 1C (a program used in Russia); once the system administrator was called in to fix the problem, the criminals captured the password and went on to further cyber theft.
At the end of the investigation, the Carbanak cybercriminals still lurk and reappear from time to time. Kaspersky Lab solutions ensure protection against all known malware created by the Carbanak, Metel and GCMAN criminal groups through their detection and disarming systems.
Featured image from Shutterstock.