The theft of up to $1bn from financial institutions worldwide, in the most daring cyber crime of its kind to date, underlines the need for continuous monitoring and faster intrusion detection, say security experts.
Some believe the attacks mark a new phase in the evolution of cyber criminal activity, raising the bar even further for information security professionals.
Up to 100 banks, e-payment systems and financial institutions in around 30 countries have been targeted in an "unprecedented cyber robbery" in the past two years, according to security firm Kaspersky Lab.
The scale of the losses by UK financial institutions has not yet been disclosed, but is thought to run into tens of millions of pounds, according to The Telegraph.
The operation is believed to have been run by a cyber criminal gang, dubbed Carbanak by Kaspersky Lab, with members from Russia, Ukraine, other parts of Europe and China.
The security firm said it worked with Interpol and Europol on the investigation into the operation, which marks a new stage in the evolution of cyber criminal activity that targets financial institutions directly.
The Carbanak criminal gang used techniques drawn from the arsenal of targeted attacks, which remain active, said Kaspersky Lab.
More on cyber crime
- UK police face steep learning curve on cyber crime
- Banks must prepare for state-sponsored cyber crime, says Bank of England
- UK police make four arrests in international cyber crime crackdown
- Dark markets downed in international anti-cyber crime operation
- UK-led cyber crime taskforce proving its worth, says top EU cyber cop
- Business needs to take cyber crime seriously, says top EU cyber cop Troels Oerting
- Service model driving cyber crime, says Europol report
It is estimated the largest sums were grabbed by hacking into banks and stealing up to $10m in each raid. On average, each bank robbery took between two and four months, from infecting the first computer at the bank’s corporate network to making off with the stolen money.
The cyber criminals began by gaining entry into an employee’s computer through spear phishing, infecting the victim with the Carbanak malware.
They were then able to jump into the internal network and track down administrators’ computers for video surveillance.
This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems.
In this way, the fraudsters got to know every detail of the bank clerks’ work and were able to mimic staff activity to transfer money and cash out.
When the time came to cash in on their activities, the fraudsters used online banking or international e-payment systems to transfer money from the banks’ accounts to their own
In other cases cyber criminals penetrated right into the very heart of the accounting systems, inflating account balances before pocketing the extra funds via a fraudulent transaction.
For example, an account containing $1,000 is inflated to $10,000. The criminals then transfer $9,000 to themselves. The account holder does not suspect anything as their account still holds $1,000.
In addition, the cyber thieves seized control of banks’ automatic teller machines and ordered them to dispense cash at a pre-determined time when gang members collected to cash.
Kaspersky Lab principal security researcher Sergey Golovanov said the bank heists were "surprising" because it made no difference to the criminals what software was being used by the banks.
“The attackers did not even need to hack into the banks’ services. Once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber robbery,” he said.
Cyber criminals will exploit any system
Interpol Digital Crime Centre director Sanjay Virmani said the robberies demonstrate that criminals will exploit any vulnerability in any system.
“The operation also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures,” he said.
Virmani said that identifying new trends in cyber crime is one of the key areas where Interpol works with Kaspersky Lab to help both the public and private sectors better protect themselves.
The operation also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures
Sanjay Virmani, Interpol Digital Crime Centre
Kaspersky Lab has urged all financial organisations to scan their networks for the presence of Carbanak and, if detected, to report the intrusion to law enforcement.
Independent security consultant Graham Cluley believes news of the gang first emerged in December 2014 when researchers at Group-IB and Fox-IT reported on a gang they named Anunak.
“My suspicion is that Anunak and Carbanak are one and the same gang,” he wrote in a blog post.
However, Cluley said it now appears from the work done by Kaspersky Lab, Interpol and Europol, more banks were hit by the hackers than previously confirmed, and more money stolen.
“Whoever discovered what, one thing is for certain. Banks need to keep their wits about them and treat security as a high priority, as hackers become ever more sophisticated and audacious in their attempts to steal cash,” he said.
CounterTack vice-president of security strategy Tom Bain said this operation once again demonstrates that cyber criminals do not discriminate and that they will find a way in.
“Spending time and resources trying to find more ways to prevent that are futile, " he said. "This case is a reminder that the cyber security market has shifted toward the need for more precise data, along with rapid detection and alerting to compete against the growing threat scape of sophisticated attackers.”
According to Bain, the cyber attacks on Target, Home Depot, Sony, Anthem, and now some of the largest banking institutions in the world, show that legacy technology like antivirus is easily evaded by attackers.
“Becoming more resilient in the face of aggressive cyber attacks will help teams absorb an initial blow, but quickly recover and respond. Being prepared to respond is as much about technology as it is planning how you define a serious threat, and how you verify and prioritise in the right way with the right intelligence,” he said.
“The bottom line is that hackers are more persistent and creative than ever. If corporations, banks and/or government agencies don’t put the right tools in place to detect threats and attacks, it is essentially like rolling over and letting evil win."
Cyber heists a serious warning
Chief strategy officer at security firm Cyphort Fengmin Gong said the Carbanak cyber heists are a serious warning for all the security defenders.
“Our expectation that threat actors would be quick and efficient at raising the stake of the cat-and-mouse game is already met, unfortunately," he said.
"Last year, we saw a string of retail point-of-sale system breaches, we expected that card issues would be quick at adopting the more secure EMV [Europay, MasterCard and Visa] system and we also expected that the criminal will move to attack other points in payment processing and fund transfer system.
The Carbanak cyber gang has silently challenged all of us to act now to implement and improve our cyber security defence ecosystem
Fengmin Gong, Cyphort
"The Carbanak cyber gang shows that the criminal leapfrogged, going directly after the bank account control system.”
Gong said that there a several lessons to be learned. First, while US president Barack Obama’s initiative of requiring all institutions, including banks, to report any breaches promptly will potentially shame or threaten banks into action of improving their security protection, the action is not guaranteed.
“To effectively counter the cyber criminal move, a broader initiative with actual directives for cyber security implementation is more helpful,” he said.
Second, Gong believes it takes a more secure ecosystem to effectively detect, contain, and prevent such cyber criminal attacks.
“Carbanak still used a spear phishing email to land malware inside the victim bank’s network and used RAT [remote administration tool] and key logging tools to learn about bank account control, and carry out money theft," he said.
"If these banks have implemented a solution to continuously monitor and diagnose all objects movement among their systems, they could have detected and contained the relevant malware before damage was done.”
Third, Gong said that while network behaviour anomaly detection has been applied with some success in dealing with distributed denial-of-service (DDoS) attacks and access abuses, the Carnanak attack raised the detection bar beyond anomaly detection by learning the patterns of operation in the victim bank.
“The threat actors are beating us in using context and situation awareness in their campaign. The Carbanak cyber gang has silently challenged all of us to act now to implement and improve our cyber security defence ecosystem,” he said.