An operation by Europol, the FBI and multi-national authorities has seen the leader of the crime gang behind the Carbanak and Cobalt malware attacks arrested.
The criminal operation is reported to have hit banks in more than 40 countries and cost €1bn since it first appeared in late 2013. It began with the Anunak malware, which targeted financial transfers and ATM networks of financial institutions; this was later updated to Carbanak and was used until 2016.
“In all these attacks, a similar modus operandi was used,” the report said. “The criminals would send out to bank employees spearphishing emails with a malicious attachment impersonating legitimate companies. Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.”
The international police cooperation, coordinated by Europol and the Joint Cybercrime Action Taskforce, was central in bringing the perpetrators to justice, with the owner, coders, mule networks, money launderers and victims all located in different geographical locations around the world.
Steven Wilson, head of Europol’s European Cybercrime Centre (EC3), said: “This global operation is a significant success for international police cooperation against a top level cyber-criminal organization.
“The arrest of the key figure in this crime group illustrates that cyber-criminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cyber-criminality.”
Craig Young, computer security researcher at Tripwire, added: “These attacks were among the most sophisticated publicly reported bank robberies. The attackers used their malware to embed themselves into financial institutions where they would study processes and mannerisms for months before making a move to steal money. This allowed the attackers to simulate legitimate behavior so that they could siphon millions of dollars from a single institution without immediately raising alarms.”
Ross Rustici, senior director of intelligence services at Cybereason, called this “positive news for cybersecurity across the globe” as the manner in which this individual was caught continues to demonstrate the importance of public-private partnerships and the global nature of cybercrime.
“The inclusion of police agencies in at least five different countries demonstrates how difficult it can be to track a single actor through all of their online activity and the jurisdictional challenges law enforcement faces while pursuing these criminals,” he said.