An analysis conducted by Kaspersky Lab concluded that the countries worst affected by the attacks were Russia, the U.S., Germany and China. Source: Valery Sharifulin / TASS
An international gang of hackers called Carbanak has stolen at least $300 million from clients’ bank accounts in various countries, Kaspersky Lab said in a report on Feb. 16, 2015. The total amount of stolen funds may be considerably higher and could exceed a billion dollars.
According to the report, the scam has affected over 100 financial institutions in 30 countries, including Russia, Japan, Switzerland, the U.S. and the Netherlands. No specific banks have been named and an investigation is in progress.
Banks have always been an attractive target for cybercriminals. However, according to Kaspersky Lab experts, previously cyber-attacks were almost always directed against bank clients, whereas this attack targeted banks directly.
Mysterious thefts from cash machines
“This crime marks a new phase in cybercrime,” Sergei Lozhkin, an antivirus expert with Kaspersky Lab, told RBTH. The name Carbanak first came up in late 2013, he recalled. A Ukrainian bank had asked Kaspersky Lab for assistance in a criminal investigation. “Somebody was mysteriously stealing money from the bank’s cash machines. Back then we thought the incident was a routine hacker attack,” Lozhkin said.
However, several months later a Russian bank approached Kaspersky Lab with a similar problem. One of its systems was issuing warnings about data being sent from a domain controller to China.
“We promptly detected malware in the system, wrote a batch script to remove the malware from the affected computers and rolled it out to all of the bank’s computers,” Lozhkin told RBTH. “It goes without saying that we preserved samples of the malware. That was how we first got to know Carbanak.”
The investigation developed into a joint operation by Kaspersky Lab's Global Research and Analysis Team (GReAT) and international organizations, national and international law-enforcement agencies, as well as several Computer Emergency Readiness Team (CERT) centers around the world.
According to the company’s experts, bank robberies carried out by Carbanak were different from anything they had seen before. The cyber gang used methods that allowed it to operate irrespective of the software used by a bank, even if that software was completely unique. The hackers did not even have to break into bank servers. They simply infiltrated the corporate network and tried to mask their fraudulent actions as legitimate ones.
Traces of contamination at PR agencies
The criminals spread the Carnabak malware to the computers of bank employees that process daily transfer data and manage accounts. In many cases, the hackers sent infected emails purporting to be from the targeted individuals’ colleagues. This gave the hackers access to the banks’ internal networks. They could trace all the actions of bank staff, down to specific keyboard strokes, and then remotely send cash withdrawal requests to bank machines and transfer money to counterfeit bank accounts.
“The scam primarily targeted institutions in the financial sector,” Lozhkin said. “At the same time, we detected traces of the virus at cash terminals and in PR agencies.”
An analysis conducted by Kaspersky Lab concluded that the countries worst affected by the attacks were Russia, the U.S., Germany and China.
The company’s experts cannot disclose details about Carbanak until the investigation is over. All that is known about it is that it is an international gang made up of citizens of Russia, Ukraine, several European countries and China. “We also know that in order to get the money from bank accounts or ATMs, the criminals employed the services of so-called drops or money mules,” Lozhkin added.
Notorious cyberattacks in the recent past
By Anton Mukhatayev, Kommersant-Vlast
The number of cyberattacks has been growing since the 2000s. Source: AP
1. In April 2007, amid riots sparked by relocation of the Bronze Soldier monument in Tallinn, websites of the Estonian government and other government agencies were targeted by major cyberattacks. Foreign Minister Urmas Paet accused Russia of masterminding the attacks and called on the European Union to apply sanctions.
2. In early 2009, Pakistani hackers defaced vital Indian infrastructure websites, among which were those of a few financial agencies, including the State Bank of India. The attacks were carried out in response to demands by the Indian government that all terrorist camps in Pakistan be destroyed and the Mumbai blast suspects extradited.
3. In September 2010, Iran announced that some 30,000 computers in its centralized industrial computer network had been damaged by the Stuxnet virus. The worm also infected the local network of the Bushehr Nuclear Power Plant and shut down centrifuges at the Natanz nuclear facility. According to Iran, the virus was traced back to computers in Israel and Texas.
4. In January and September 2012, hackers targeted some of America's biggest banks, including Bank of America, BB&T, Capital One, Citi, and JPMorgan Chase. The U.S. government suspected that Iranian hackers, allegedly linked to the Iranian government, were behind the hacking, though Tehran denied this in a public statement and condemned the attacks.
5. In January 2013, The New York Times said it had been targeted by hackers from China for four months. According to the newspaper, the attacks might have been prompted by a report on an investigation by The New York Times into the “secret fortune” of the family of China's prime minister, Wen Jiabao.
In February, The Wall Street Journal, social networking services Twitter and Facebook, the U.S. Department of Energy, Apple and Microsoft also fell victim to attackers, leading the U.S. government to accuse China openly of the hacking attempts.
6. In March 2013, South Korea's banking system was paralyzed for several days, following a major cyberattack. Initially, the South Korean authorities traced the attack to China but later shifted the blame onto North Korea.
7. In May 2013, the Pentagon said in a report to U.S. Congress that North Korea was using small-scale attacks to gain psychological advantage in diplomacy. According to South Korean intelligence, North Korea is training hackers at special military schools. North Korea has denied the allegation.
8. In February-May 2013, the Anonymous “hacktivist” group that hit the Federal Reserve network (gaining access to the details of 4,000 bank executives) and the Syrian Electronic Army hackers joined the attacks on the United States. Among other targets, hackers from Syria attacked Western media, including the Guardian, Financial Times, the BBC and AP.
In the case of AP, hackers compromised the agency's Twitter account by publishing a misleading tweet on a White House blast, which caused the U.S. stock exchanges to take a temporary dive.
First published in Russian in Kommersant-Vlast magazine.
All rights reserved by Rossiyskaya Gazeta.