This article was originally published on February 23, 2015.
How do you get money out of the bank? If you’re like most people, you head to the nearest ATM or talk to a teller for larger amounts. If you’re in a hacker group like Carbanak or Anunak, meanwhile, you’ve got a slightly different method: Break into a bank’s network and steal money from every platform available. According to New Scientist, hackers have already grabbed up to $1 billion from banks in Russia and Ukraine, and more financial institutions may be targeted in the coming months. So here’s the billion-dollar question: What happened, and could it happen here?
Follow the Money
As reported by CNN, the hack all started with — you guessed it — malware-laced emails. Hackers sent wave after wave to bank employees, hoping that one would download and open the malicious attachment. To no one’s great surprise, this is exactly what happened. The malware itself didn’t give direct access to financial systems, since employee computers were not admin-level machines. Instead, the code gave attackers full access to any email exchanges, the ability to infect other computers and control over a crude “camera” which let them capture screen images to see passwords and other safeguards. Eventually, the hackers found an admin terminal and were able to push their way into teller machines and tools like the interbank network SWIFT (Society for Worldwide Financial Telecommunication), allowing them to quickly move funds from account to account. They also learned how to avoid specific security measures and kept theft at any one bank below $10 million to avoid triggering volume-based cash-loss alarms.
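The detail about keeping losses at any one bank under $10 million is the part a defender should dwell on: a per-event cash-loss alarm with a fixed line is blind to a series of transfers that each sit just below it. The following Python is an added example, not code from the article, CNN, Kaspersky or any bank; it checks a constructed transfer log both for single transfers parked just under a hypothetical alarm line and for cumulative outflow per institution over a rolling window. The log format, bank names, amounts, the 10,000,000 threshold, the 90% near-miss band and the seven-day window are all assumptions made for the illustration.

```python
"""Detect sub-threshold loss patterns in constructed transfer-log lines.

Added example (not from the article or any vendor): a single-event
alarm misses a crew that keeps every transfer just under the line.
This checks cumulative outflow per bank over a rolling window and
flags transfers clustered near the alarm line. All log lines, bank
names, thresholds and the window length are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp|bank|direction|amount_usd
SAMPLE_LOG = """\
2015-02-01T09:12:00|bank-A|out|9500000
2015-02-03T11:40:00|bank-A|out|9800000
2015-02-05T16:05:00|bank-A|out|9700000
2015-02-02T10:00:00|bank-B|out|250000
2015-02-02T10:30:00|bank-B|in|4000000
2015-02-09T08:00:00|bank-C|out|9900000
"""

ALARM_THRESHOLD = 10_000_000   # hypothetical per-event cash-loss alarm line
NEAR_MISS_FRACTION = 0.90      # flag single events at >= 90% of the line
WINDOW = timedelta(days=7)     # hypothetical cumulative lookback window


def parse_log(text):
    """Parse lines into (datetime, bank, direction, amount) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, bank, direction, amount = line.split("|")
        events.append((datetime.fromisoformat(ts), bank, direction, int(amount)))
    return sorted(events)


def near_threshold_events(events, threshold=ALARM_THRESHOLD, frac=NEAR_MISS_FRACTION):
    """Outbound transfers that sit just under the single-event alarm line."""
    return [(ts, bank, amt) for ts, bank, d, amt in events
            if d == "out" and frac * threshold <= amt < threshold]


def cumulative_breaches(events, threshold=ALARM_THRESHOLD, window=WINDOW):
    """Banks whose outbound total inside any rolling window crosses the line.

    Returns {bank: (window_start, window_end, total)} for the first breach
    found per bank, even when no single transfer crossed the threshold.
    """
    by_bank = defaultdict(list)
    for ts, bank, d, amt in events:
        if d == "out":
            by_bank[bank].append((ts, amt))
    breaches = {}
    for bank, outs in by_bank.items():
        start = 0
        running = 0
        for ts, amt in outs:
            running += amt
            # slide the window start forward until every event fits inside `window`
            while ts - outs[start][0] > window:
                running -= outs[start][1]
                start += 1
            if running >= threshold:
                breaches[bank] = (outs[start][0], ts, running)
                break
    return breaches


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, bank, amt in near_threshold_events(evs):
        print(f"near-miss  {bank} {ts:%Y-%m-%d} {amt:,}")
    for bank, (w0, w1, total) in cumulative_breaches(evs).items():
        print(f"cumulative {bank} {w0:%Y-%m-%d}..{w1:%Y-%m-%d} {total:,}")
```

On the constructed log, bank-A never trips the per-event line but crosses it cumulatively within two days, and bank-C shows a single near-miss worth a second look. In practice the window and near-miss band would be tuned per institution, and the cumulative check is the one that matters most, since an attacker who knows the per-event line can always stay under it.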
Security firms like Kaspersky Lab got involved when clients called to complain about ATMs acting up — dispensing cash at seemingly random times. In fact, the cash was picked up by willing hacker mules, letting the Carbanak group get away with $7.3 million from a single bank. Late last year, the security firm was called by a high-profile CIO who had discovered information from his bank network being shunted to a C&C server in mainland China. Kaspersky found malware in the system based on the backdoor tool Carberp, designed for espionage and system infiltration. Now, the number of banks infected is on the rise, as everything from online platforms to ATMs to basic account creation tools has been compromised.
So Dumb It’s Smart?
As noted by the New Scientist piece, the way in for attackers was quite “dumb” — they relied on tried-and-true spear phishing attacks coupled with unending waves of spam email. In most cases, however, once a zombie machine is created, the hackers go for broke and grab everything they can before IT security notices there’s anything amiss. Next, the attack code is repackaged and the process starts over at a new bank. Not so with Carbanak and Anunak; these hackers got inside and then waited for months, lurking in the shadows until they were sure they knew exactly what to do without getting caught. In fact, a recent BBC article quotes one Kaspersky director as saying “this is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert.” In other words, this is a big step forward for malware — and a big red flag for banks.
Familiarity Breeds Contentment
Here’s the real worry: Most banks and consumers are familiar with common attack vectors. Users are constantly told to be mindful of their passwords and take precautions such as using a secure VPN when visiting bank sites or entering sensitive information. Banks, meanwhile, educate employees on the need for email intelligence and constantly monitor their systems for signs of infection. The result is that breaches like last year’s JP Morgan Chase hack have become almost commonplace; personal information such as passwords and card numbers is stolen, and banks promise to do better next time. The Carbanak hack, meanwhile, points to something more sinister: Hackers going after money directly, after first breaking into the bank, surveying the landscape and then making their move. While customer-focused attacks might erode user confidence, this kind of money-first malware has the potential to derail banks entirely.
So far, Carbanak and Anunak have stayed mostly in Eastern Europe, but there’s now evidence that banks in Germany, China and the USA are at risk. Knowledge of what’s coming should help prevent the same kind of monetary loss, but the money isn’t what really matters here — a new class of bank malware has emerged, and criminals are willing to invest.