
Hackers Hit Pay Dirt with Carbanak Trojan

The Carbanak hackers have been active since 2013, and towards the end of that year, had already taken a confirmed 300 million US dollars, with estimates reaching up to 900 million. They had targeted several banks all over the world, and are continuing to drain banks with their Carbanak Trojan.

How It Works

The hackers operated as a very organized and intelligent group, according to Chris Doggett of Kaspersky. It was not a snatch-and-grab operation like most online heists, says the managing director of the security firm’s North America office. The hackers were systematic and thorough, evidencing a well-thought-out plan. And this plan is certainly paying off big time.

The Carbanak Trojan, a type of malware specifically designed to execute a set of functions, was first introduced to bank systems via email. The hackers mass-emailed the message containing the Trojan to employees of their targeted banks. From among the hundreds of emails sent to one bank, the hackers had a good chance of hitting a computer system with administrative privileges.

Once the malware was allowed into the system, it started by launching programs that logged the keystrokes executed on the infected computer. This gave the hackers access to the system and allowed them to gain control of it remotely. More importantly for the hackers’ plan, it taught them how things were done at that particular bank. The learning process was indeed long and tedious. But the hackers were looking at a long-term deal, not just some quick cash. Knowing the procedures that the bank followed allowed them to take larger amounts of money through different avenues over a longer period of time without raising suspicion.

The Carbanak hackers can, by remote control, instruct a bank’s automatic teller machines (ATMs) to give out a set amount of cash at set dates and times. This method was first noticed towards the end of 2013 in Russia, where the hackers’ activity has been strong. A Kiev ATM was automatically disbursing cash at odd times of the day. No bank customer had been there doing any transactions. But as the cash poured out of the machine, a seemingly fortuitous passerby would see the cash and take it. This was all recorded by the ATM’s and the bank’s cameras, but it took a while before bank personnel figured out that it was more than a machine glitch. This is when Kaspersky Lab was called in to explore the situation. And down the rabbit hole they went.

Once Kaspersky had examined the quirky ATM, they found more and bigger problems in the bank’s systems. The bank’s internal system was being closely monitored by the hackers through the malware they had injected. By learning the bank’s procedures over several months, the hackers were able to copy the behavior of the bank employees who were in charge of bank transfers and record keeping. The hackers, who are now known to be from China, Europe and Russia, were then able to start making their own transfers to their bank accounts without leaving any trail that would raise red flags.

Aside from the bank transfers and zombified ATMs, the hacker team had also infiltrated e-payment systems. They used these to send more money to their fraudulent accounts in overseas banks. The investigation led Kaspersky to other banks in Russia as well as Japanese, Dutch, Swiss and US banks that were affected by the same malware. These banks were losing millions of dollars via bank transfers to the dummy accounts of the hackers in overseas banks. The hackers were able to impersonate bank employees in more than a hundred banks in thirty countries.

The affected banks have been mum since 2013, and Kaspersky is legally bound to keep their mouth shut about the identities of these banks. It would of course cause a panic if the public knew about the hacks, but the secrecy is also making it more difficult to find all the affected banks and clean out the malware that is causing the problem. The US government has long complained about the tendency for cybercrime victims to remain silent. Many cybersecurity experts also agree that nondisclosure is part of the problem. Breaches should be reported so that clients can be protected, but so far all we know now is that the FBI and the White House are in the (long and tedious) process of identifying the targets and evaluating the losses. Kaspersky is also working on it, of course, and the Financial Services Information Sharing and Analysis Center, which is an industry association, is aware and doing its part to alert banks to the threat.
