A combined effort by Kaspersky Lab and various legal authorities has uncovered as much as $1 billion in cybertheft from financial institutions worldwide.
February 17, 2015
A combined effort by Kaspersky Lab, Interpol, Europol and authorities from various countries has uncovered the criminal plot behind as much as $1 billion in cybertheft from financial institutions worldwide.
According to a press release, the two-year exploit was engineered by Carbanak, a multinational gang from Russia, Ukraine, other parts of Europe, and China.
Since 2013, the criminals have attempted attacks on up to 100 banks, e-payment systems and other financial institutions in approximately 30 countries. The attacks remain active, the release said.
According to Kaspersky Lab data, Carbanak targets included financial organizations in Australia; Brazil; Bulgaria; Canada; China; Czech Republic; France; Germany; Hong Kong; Iceland; India; Ireland; Morocco; Nepal; Norway; Pakistan; Poland; Romania; Russia; Spain; Switzerland; Taiwan; Ukraine; the U.K.; and the U.S.
Carbanak is believed to have conducted the most costly thefts by hacking into banks and stealing up to $10 million per exploit. On average, each robbery took between two and four months to carry out, the release said.
The cybercriminals began by gaining entry into an employee's computer through spear phishing, and infecting the victim's computer with the Carbanak malware. The thieves were then able to infiltrate the internal network and track down administrators' computers for video surveillance.
This allowed them to see and record what was happening on the screens of staff who serviced the cash transfer systems. The gang got to know every detail of the bank clerks' work and were able to mimic staff activity in order to transfer money and cash out.
According to Kaspersky Lab research, the money was stolen as follows:
"These bank heists were surprising because it made no difference to the criminals what software the banks were using," said Sergey Golovanov, Kaspersky Lab principal security researcher on the global research and analysis team. "So, even if its software is unique, a bank cannot get complacent. The attackers didn't even need to hack into the banks' services: Once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery."
"These attacks again underline the fact that criminals will exploit any vulnerability in any system," Sanjay Virmani, director of the Interpol digital crime center, said in the release. "It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures."