In February 2015, Kaspersky Lab reported on the great bank robbery by Carbanak cybergang which stole $1 billion from worldwide financial institutions. How actually did the cyber crooks carry out this malicious operation? Let’s find out more about them in this following article…
Way back in February 2015, Kaspersky Lab reported a news story on a notorious cybergang ‘Carbanak’ stealing $1 Billion from 100 worldwide financial institutions. Since 2013, the Carbanak cyber gang are said to have targeted 100 banks, e-payment systems and other financial institutions spread over in 30 countries. What’s astonishing is the fact that the Carbanak targeted financial organizations in several countries namely Russia, USA, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia.
The cyber criminals started its malicious operations in late 2013 by launching the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world. By 2014, the same coders improved the Anunak malware into a more sophisticated version, known as Carbanak, which was used in until 2016. From then onwards, the crime syndicate focused their efforts into developing an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike penetration testing software.
According to the European Union Agency for Law Enforcement Cooperation (Europol), the Carbanak cyber gang targeted financial transfers and ATM networks from late 2013 by using a series of malware attacks called Anunak and Carbanak, before adapting security-testing software called Cobalt Strike into heist-ready malware.
The malware was spread across networks by duping bank employees with “spear phishing” emails containing malicious attachments impersonating legitimate companies. Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. Then it instructed ATMs to spew out money at pre-determined times, prompted the transfer of money into the gang’s accounts, and modified bank databases to inflate the balances of certain accounts.
According to Kaspersky Lab data it was estimated that the largest sums were grabbed by hacking into banks and stealing up to $10 million in each raid. On an average, each bank robbery took between two and four months, from infecting the first computer at the bank’s corporate network to making off with the stolen money. What’s interesting is to note that the cybercriminals began by gaining entry into an employee’s computer through spear phishing, infecting the victim with the Carbanak malware. Then, they were able to gain access into the internal network and track down administrators’ computers for video surveillance. This allowed them to gain video access by viewing and recording everything that happened on the screens of staff who serviced the cash transfer systems. Through this process, the Carbanak cyber crooks knew about every detail of the bank clerks’ work and then they were able to mimic staff activity in order to transfer money and cash out.
In the first case, the money was stolen by fraudsters using the online banking or international e-payment systems to transfer money from the banks’ accounts to their own malicious account. In the second case the stolen money was deposited with banks in U.S or China. However, the security experts do not rule out the possibility that other banks in other countries were also used as receivers.
In several other cases the malicious criminals penetrated the core of the accounting systems, inflating account balances before robbing the additional money through fraudulent transaction. For instance, if an account has one thousand dollars, the fraudsters change its value so it has ten thousand dollars and then transfer nine thousand to themselves. In such malicious transaction, the account holder does not suspect the illegal transfer because the original ten thousand dollars is still there.
In addition to the above process, the fraudsters seized control of banks’ ATMs and then ordered the machines to dispense cash at a pre-determined time. When the payment was due, one of the cyber criminal gang member was waiting beside the ATM to collect the ‘voluntary’ payment.
In March this year, through a coordinated International investigation team consisting of Spanish National Police, with the support of Europol, the U.S. Federal Bureau of Investigation (FBI), the Romanian, Moldovan, Belarussian and Taiwanese authorities and private cyber security companies, arrested the ‘master mind’ of the Carbanak gang in Spain.
Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), said: “This global operation is a significant success for international police cooperation against a top level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”
The cooperation of International police coordinated by Europol and the Joint Cybercrime Action Taskforce was the main agencies in bringing the perpetrators to justice, with the mastermind, coders, mule networks, money launderers and victims all located in various geographical locations around the world. Europol’s European Cybercrime Centre (EC3) facilitated the exchange of information, hosted operational meetings, provided digital forensic and malware analysis support and deployed experts on-the-spot in Spain during the action day.
This is a classic case of International cyber-crime involving various countries, government agencies, private organizations, law enforcement, and investigating agencies. Probably the Carbanak cyber gang underestimated the various governments and agencies by targeting various financial institutions at several geo locations.
Given that the Carbanak cyber gang’s sophisticated malware campaign, there is no doubt to state that it is the world’s largest Bank robbery in the cyber world. Had it not been the combined efforts of Kaspersky Lab, INTERPOL, Europol and authorities from different countries to uncover the criminal plot behind this unprecedented cyber-robbery, the Carbanak cyber gang would have continued to steal several millions from all over the world’s financial institutions.