Carbanak Hackers Steal $1 Billion from 100 Banks Worldwide


Kaspersky Lab recently announced the results of an investigation into the Carbanak criminal gang, which is believed to have stolen a total of up to $1 billion over a period of about two years from up to 100 financial institutions in about 30 countries worldwide.

Affected countries include Russia, the U.S., Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the U.K., Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, the Czech Republic, Switzerland, Brazil, Bulgaria and Australia.

"The Carbanak criminal gang responsible for the cyberrobbery used techniques drawn from the arsenal of targeted attacks," Kaspersky Lab said in a statement. "The plot marks the beginning of a new stage in the evolution of cybercriminal activity, where malicious users steal money directly from banks, and avoid targeting end users."

The hackers leveraged spear phishing attacks to infect victims' computers with the Carbanak malware, which gave them access to the bank's internal network. From there, they accessed administrators' computers and recorded the activity of staff members servicing the bank's cash transfer systems.

"The gang behind Carbanak does not necessarily have prior knowledge of the inner workings of each bank targeted, since these vary per organisation," Kaspersky Lab explained in a blog post. "So in order to understand how a particular bank operates, infected computers were used to record videos that were then sent to the Command and Control servers."

"Even though the quality of the videos was relatively poor, they were still good enough for the attackers, armed also with the keylogged data for that particular machine to understand what the victim was doing. This provided them with the knowledge they needed to cash out the money."

"These bank heists were surprising because it made no difference to the criminals what software the banks were using," Kaspersky principal security researcher Sergey Golovanov said in a statement. "So, even if its software is unique, a bank cannot get complacent. The attackers didn’t even need to hack into the banks' services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery."

On average, each attack took between two and four months from the first infection of a computer in the bank's network to the theft of, in each case, between $2.5 million and $10 million.

Ken Bechtel, malware expert at Tenable Network Security, told eSecurity Planet by email that the attackers were able to remain undetected for so long in part because of the low volume of network traffic created by the malware. "It's a more professionalized use of the basic tools and opportunities available on most networks," he said. "This is why I stress the importance of continuous network monitoring and paying particular attention to the bottom 10 abnormalities revealed by your continuous monitoring solution. Those small abnormalities may be indicators of bigger issues in your network."

The money was stolen by transferring funds to banks in China or the U.S., by inflating account balances and stealing the extra funds before returning the balances to their original levels, and by ordering bank ATMs to dispense cash at predetermined times.

Mark Skilton, professor of practice at Warwick Business School, told eSecurity Planet by email that this type of attack demonstrates that basic perimeter security is no longer enough. "This is a cyber threat of massive proportions, on an industrial scale, where eavesdropping and small changes need to be detected," he said. "I suspect this is just the tip of the iceberg of what may have been stolen, and we may never know the full extent of the theft."

"These attacks again underline the fact that criminals will exploit any vulnerability in any system," Sanjay Virmani, director of the Interpol Digital Crime Center, said in a statement. "It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures."