Carbanak cyber gang stole hundreds of millions from banks

Since late 2013, an international cyber criminal group has been targeting banks around the world and has made off with $300 million – possibly even more – by compromising the banks’ systems with malware and using the information gleaned via it to their advantage, Kaspersky Lab has revealed to the NYT.

The gang, which includes Russian, Chinese and European individuals, continues to operate to this day and, according to the company’s research, is not sponsored by a nation state but is made up of regular cyber crooks who have specialized in this particular approach.

The targeted financial institutions are located mainly in Russia, but Japanese, US and European banks have also been hit.

The gang – dubbed Carbanak by the researchers – usually starts its attacks with spear-phishing emails sent to bank employees, who are instructed to open the enclosed attachment. Unfortunately for them, the attachment contains malware, which the hackers use to infiltrate the bank’s networks and conduct extensive reconnaissance on the inner workings of the bank.

Armed with that knowledge, they are able to disguise their actions as those of employees and extract funds in a way that won’t raise an alarm.

For example, by impersonating the employees the criminals would inflate an account’s balance, then transfer the extra money to an outside account. The legitimate owner of the account and the bank would usually not notice immediately what happened, because the legitimate funds were still there.
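The balance-inflation trick described above leaves a trace that a bank can check for: the stored balance stops matching the sum of the account’s recorded transactions, and the outbound transfer clears only because the ledger-derived balance was silently pushed up. The following reconciliation check is an added illustration written for this article, not code from Kaspersky Lab or from any bank; the ledger, the balance table and the account and counterparty names are constructed, and amounts are assumed to be in cents.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: int        # cents; positive = credit, negative = debit
    counterparty: str


# Constructed sample ledger (hypothetical accounts, not real data).
# ACC-100 legitimately holds $1,000. Its balance was bumped to $6,000
# directly in the balance table (no transaction recorded), then $5,000
# was transferred out, leaving the owner's $1,000 untouched.
LEDGER = [
    Txn("t1", "ACC-100", 100_000, "payroll"),
    Txn("t2", "ACC-200", 250_000, "payroll"),
    Txn("t3", "ACC-100", -500_000, "EXT-ACCOUNT-77"),
    Txn("t4", "ACC-200", -20_000, "grocery"),
]

# Constructed snapshot of the core-banking balance table as it stands now.
RECORDED_BALANCES = {"ACC-100": 100_000, "ACC-200": 230_000}


def ledger_balances(ledger):
    """Recompute each account's balance from its transactions alone."""
    totals = defaultdict(int)
    for t in ledger:
        totals[t.account] += t.amount
    return dict(totals)


def reconcile(ledger, recorded):
    """Map account -> (recorded - ledger-derived) for every mismatch.
    A positive discrepancy means funds appeared without a transaction."""
    derived = ledger_balances(ledger)
    return {
        acct: recorded.get(acct, 0) - derived.get(acct, 0)
        for acct in set(derived) | set(recorded)
        if recorded.get(acct, 0) != derived.get(acct, 0)
    }


def unbacked_debits(ledger):
    """IDs of debits that the ledger alone could not have funded: the running
    ledger-derived balance goes negative, so something else made the funds
    appear available when the transfer was approved."""
    running, flagged = defaultdict(int), []
    for t in ledger:                      # ledger is assumed to be in posting order
        running[t.account] += t.amount
        if t.amount < 0 and running[t.account] < 0:
            flagged.append(t.txn_id)
    return flagged
```

Run both checks on every balance snapshot: the owner of ACC-100 still sees the expected $1,000, but `reconcile` reports an unexplained $5,000 and `unbacked_debits` points at the transfer that carried it out.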

Another effective way to extract money was to instruct ATMs to dispense cash to an associate of the gang at a predetermined time. Apparently, one Kaspersky client lost $7.3 million through ATM withdrawals alone.

Kaspersky Lab shared their findings with law enforcement around the world, and investigations have been mounted. Industry associations have also been notified and they have, in their turn, informed affected banks and warned non-affected ones about the danger. Still, no bank has come forward and publicly acknowledged a breach.

“The figures released by Kaspersky today should make banks all over the world look up from their morning coffee. It’s not only the scale of the attacks that will ring alarm bells, but the type – each ‘bank robbery’ is reportedly taking between two and four months. We are no longer talking about one man with a balaclava, but protracted, sophisticated, patient attacks, with criminals lurking for months to learn the banks’ systems. This approach is viable, so long as the banks rely on outdated, ‘one off’ authentication requests,” commented Neil Costigan, CEO of BehavioSec.

“The majority of these attacks play on the simple fact that if the intruder can get hold of the key to the front door, they are free to peruse the contents of the house, safe in the knowledge that no-one will challenge their identity once they’re in. As soon as the user verification is a one-off in this way, there’s a risk. Hackers can ‘learn’ systems, though no amount of observation will enable them to mimic the nuances that are detected through continuous behavioural monitoring and authentication. We cannot simply map old security techniques onto today’s digital age and expect them to work. New points of weakness require new defences.”

In late December, Group-IB and Fox IT, in a joint research effort, released a report about the Anunak hacker group. This group has been involved in targeted attacks and espionage since 2013. It looks like Anunak and Carbanak are the same gang.