In late 2013, an ATM in Kiev started dispensing cash at seemingly random times of day. No one had inserted a card or even touched a button. The cameras over the ATM showed that the piles of money had been swept up by customers who appeared to have just been in the right place at the right time. That was not the case. A Russian cyber security firm, Kaspersky Lab, was called to Ukraine to investigate; it discovered that the errant machine was the least of the bank’s problems. The bank was another victim of a hacker group.
The first problem was that the bank’s internal computers, used by employees to process daily transfers and conduct the bookkeeping, had been invaded by malware that allowed cyber criminals to record their every move. The malicious software lay in wait for months, sending back video feeds and images that told a criminal group, including Russians, Chinese and Europeans, how the bank conducted its daily routines.
Then the extremely well organised group, impersonating bank officers, started not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into fake accounts set up outside the country to mask the thefts.
Kaspersky Lab has said that the scope of these cyber-attacks, on more than 100 banks and other financial institutions in potentially as many as 30 nations, could make it one of the largest bank thefts ever. What is more striking is that there were none of the usual signs of robbery.
The Moscow-based firm has stated that because of nondisclosure agreements with the banks that were hit, it cannot name any of the institutions targeted. Officials at the White House and the F.B.I. have been briefed on the findings, but say that it will take time to confirm them and assess the losses.
Kaspersky Lab has, however, disclosed that the evidence points to theft of at least $300 million, and believes the total could be as much as $900 million. The problem again is that this projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. Showing once more how careful these hackers were, some of the transactions were remarkably small, so as not to alert the banks to the fact that they were being robbed blind.
With Kaspersky Lab bound by a non-disclosure agreement, no bank has come forward to acknowledge the theft. President Obama previously urged passage of a law that would require public disclosure of any breach that compromised personal or financial information, but was stonewalled by the institutions.
The Financial Services Information Sharing and Analysis Center said in a statement that “our members are aware of this activity. We have disseminated intelligence on this attack to the members,” and that “some briefings were also provided by law enforcement entities.”
The American Bankers Association declined to comment, and one of the executives there, Douglas Johnson, said the group would let the financial services centre’s statement serve as the only comment his group would make. Investigators at Interpol said their digital crimes specialists in Singapore are now coordinating an investigation with law enforcement in all of the affected countries in the hope that the hackers can be found.
The managing director of Kaspersky’s North American office in Boston, Chris Doggett, argued that the “Carbanak cybergang,” which is named for the malware it deployed, represents a dramatic increase in the sophistication of cyber attacks on financial firms. “This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cyber criminals have used to remain covert,” Mr. Doggett said.
The question remains how a fraud of this scale could have proceeded for nearly two years without banks, regulators or any of the countries’ law enforcement catching on. Investigators say the answers may lie in the hackers’ technique.
The report indicates that this series of hacks began like any other. The cyber criminals sent their victims infected emails: a news clip or a message that appeared to come from a colleague. When the bank employees opened the email, they inadvertently downloaded malicious code, a problem most people are familiar with. This allowed the hackers into the bank’s network, where they were able to hunt for the employees who administered the cash transfer systems or remotely connected ATMs.
Then, Kaspersky’s investigators said, the hackers installed a “RAT” (remote access tool), which could capture video and screenshots of the employees’ computers. Sergey Golovanov, who conducted the inquiry, said, “The goal was to mimic their activities,” and, “That way, everything would look like a normal, everyday transaction,” he said in a telephone interview from Russia.
The hackers took great pains to learn each bank’s unique system; whilst this was occurring they set up dummy accounts in banks in the United States and China that could serve as the destination for the stolen money. Two people briefed on the investigation said that the accounts were set up at J.P. Morgan Chase and the Agricultural Bank of China.
When the time came to cash in on all of their hard work, after a period investigators say ranged from two to four months, the criminals used several methods to extract the money. In some cases, they used online banking systems to transfer money to the accounts overseas; in other cases, they used the banks’ ATMs to dispense cash where one of the other members of the group would be waiting.
The largest sums stolen by the criminal group were extracted by hacking into a bank’s accounting systems and manipulating the account balances. This was done by inflating a balance: for example, an account with $1,000 would be altered to show $10,000. The $9,000 difference would then be transferred outside the bank. The actual account holder would not suspect a problem, and it would take the bank some time to figure out what had happened.
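The inflate-and-transfer scheme described above leaves a gap between the balance the bank’s system displays and the sum of the transactions that should back it. The following is an added example, not code from the article or from Kaspersky’s report, showing a reconciliation check that catches the $1,000 to $10,000 to $9,000 pattern on constructed sample data; the account ids, counterparties and ledger layout are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample postings: (seq, account, amount, counterparty).
# Positive amounts credit the account, negative amounts debit it.
# Posting 2 is the $9,000 drained out after the balance had been edited
# directly to $10,000; the edit itself left no posting behind.
POSTINGS = [
    (1, "ACC-1001", Decimal("1000.00"), "payroll"),
    (2, "ACC-1001", Decimal("-9000.00"), "EXT-7731"),
    (3, "ACC-2002", Decimal("500.00"), "deposit"),
    (4, "ACC-2002", Decimal("-120.00"), "utility"),
]

# Constructed snapshot of the stored balance column after the theft.
# ACC-1001 still shows the original $1,000, so it looks untouched.
STORED_BALANCES = {
    "ACC-1001": Decimal("1000.00"),
    "ACC-2002": Decimal("380.00"),
}


def recompute_balances(postings):
    """Rebuild each account's balance from its postings alone."""
    balances = defaultdict(lambda: Decimal("0.00"))
    for _seq, account, amount, _cp in sorted(postings):
        balances[account] += amount
    return dict(balances)


def reconcile(postings, stored):
    """Return {account: stored - recomputed} for accounts that disagree.

    A positive gap is money the stored balance vouched for that no posting
    supports: exactly the amount injected by editing the balance field.
    """
    computed = recompute_balances(postings)
    zero = Decimal("0.00")
    gaps = {}
    for account in set(stored) | set(computed):
        gap = stored.get(account, zero) - computed.get(account, zero)
        if gap != zero:
            gaps[account] = gap
    return gaps


def overdrawn_debits(postings):
    """Debits that push the true running balance below zero.

    Such a transfer could only have been authorised against a balance that
    was inflated outside the ledger (accounts with a genuine overdraft
    facility would need to be excluded before alerting on this).
    """
    running = defaultdict(lambda: Decimal("0.00"))
    flagged = []
    for seq, account, amount, counterparty in sorted(postings):
        running[account] += amount
        if amount < 0 and running[account] < 0:
            flagged.append((seq, account, amount, counterparty))
    return flagged


if __name__ == "__main__":
    print("unexplained balance gaps:", reconcile(POSTINGS, STORED_BALANCES))
    print("debits beyond true balance:", overdrawn_debits(POSTINGS))
```

Both checks fire on the same account: the stored balance is $9,000 higher than its postings justify, and the $9,000 debit could not have cleared against the genuine $1,000.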
The hackers’ success rate was incredible. One Kaspersky client is thought to have lost as much as $7.3 million through ATM withdrawals alone. Another of the Kaspersky clients lost $10 million from the exploitation of its accounting system.
Mr. Doggett likened most cyber thefts to “Bonnie and Clyde” operations, in which attackers break in, take whatever they can grab, and run. In this case, Mr. Doggett said, the heist was “much more ‘Ocean’s Eleven.’ ” Let us hope that Ocean’s Eleven style hits on banking systems do not become quite so widespread or perhaps banks can now recognise the problems of the modern technological era and aim to fix them more effectively.