Security experts have uncovered a major targeted attack campaign in which criminals infiltrated around 100 banks worldwide and made off with up to $1bn over a two-year period.
Interpol, Europol, local law enforcers and Kaspersky Lab worked together on the case.
They estimate that the hackers – who hail from Russia, Ukraine, Europe and China – stole up to $10m per raid, with each attack lasting between two and four months.
The attacks are said to begin with a classic spear phishing email sent to a bank employee, infecting them with the Carbanak malware.
Once in the bank’s internal network, the hackers searched for administrator machines which allowed them to monitor cash transfer activity. They were then able to mimic that same activity at a later stage to transfer money out to themselves, according to Kaspersky Lab.
Sometimes they used online banking or international e-payment systems to transfer the funds out to accounts in the US and China.
On other occasions they would hack a victim bank’s accounting systems, inflating customers’ account balances by adding some extra zeros and then stealing the extra funds via a fraudulent transaction.
A third method of stealing cash was apparently to program specific ATMs to dispense money at certain times and then arrange for a gang member to collect it.
“These bank heists were surprising because it made no difference to the criminals what software the banks were using. So, even if its software is unique, a bank cannot get complacent,” said Kaspersky Lab principal security researcher, Sergey Golovanov.
“The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery.”
David Flower, EMEA managing director of Bit9 + Carbon Black, argued that organizations must implement continuous monitoring on the network and every endpoint to help spot targeted attacks.
“Yet collection is even more critical than detection; it is not enough to just know that a breach has occurred, you need to be able to track the ‘kill chain’ of what the threat actor did in order to understand your level of risk exposure following a breach,” he said.
“Being able to collect data and conduct a forensic examination of what has happened – identifying what files they have accessed and possibly exfiltrated, whether they’ve tried to access other machines, how they gained access, how any malware may have morphed or hidden itself, etc. – will help to determine the intent of the attack and the full impact of the breach.”
Alan Cohen, COO of security vendor Illumio, argued that attacks like Carbanak are very difficult to detect, especially when machines appear to be operating within policy, but are actually being controlled by external hackers.
“Enterprises need to increasingly lock down the communications and patterns of their server, lower the attack surface available through open ports and communications channels, and reduce the lateral spread of attacks,” he explained.
“Modern security teams know hackers will get in. So, they watch them. When you reduce the real estate that the hackers have the ability to move in, it also reduces the overhead on the security teams who are watching them so they have a higher probability of catching issues just by virtue of having less attack space to monitor.”
Paul Glass, senior associate at international law firm Taylor Wessing, explained that the attackers used whitelisted sysadmin software to further hide their activities.
“Regulators will want detailed explanations from the affected banks as to how access was obtained, the extent of compromise of each bank's systems, and how such a serious attack went undetected for many months,” he added.
“The clean-up operation within affected banks will be enormous."