At a time when physical money makes up a shrinking 8 percent of the currency in most economies, the ATM has become a reminder that people still love taking paper money out of holes in the wall. According to a Kaspersky Lab investigation, leaked to the New York Times at the weekend, it's become apparent that some of the technology’s biggest fans turn out to be criminals.
The facts of this extraordinary bank job are hard to take in – at least $300 million (£200 million) and a possibly a crazy $1 billion stolen from 30 unnamed Russian, Ukrainian, Chinese, US and German banks in under two years – but the real story is how easily they did it. ATMs turn out to be the least of it.
After digesting Kaspersky’s more detailed report, it is clear that the attack employed the same technical components that characterise many other cyberattacks of recent times, including the huge data breaches that ravaged US retailers during 2013 and 2014. As an aside, the attack appears to be the same as the 'Anunak' attacks said by Russian security researchers Group-IB in December to have been used against dozens of financial institutions and, more famously, office retailer Staples.
Kaspersky's take gives some new detail. It’s a story of penetrating the targets, working out how the network and software is configured and then just stealing the data or, in this case, money using via available exit points. It does appear to be that simple.
- The targeted banks were hit with spear phishing emails launching exploits for a range of Microsoft Office vulnerabilities, specifically CVE-2012-0158, CVE-2013-3906, and CVE-2014-1761, all well-known and one pre-dating the attack by up to a year or more.
- The remote ‘Carbanak’ Remote Access Trojan (RAT) malware was deployed over a period of two months or more to conduct further compromises and surveillance of the target bank’s systems and procedures using video capture and keylogging, probing for weaknesses.
- Compromised email accounts were used to launch secondary phishing attacks on other employees to gain deeper access. Kaspersky found evidence that the criminals had stolen caches of sensitive files, including classified emails, bank manuals, cryptographic keys, passwords and key verification codes used to verify that customers have used the correct PINs during ATM sessions.
- For banks that allowed remote ATM access (presumably most), the criminals were able to directly control the machines using this to withdraw cash. No malware was installed on the ATMs themselves as in most previous attacks – the attackers were basically hijacking the remote management mechanisms that would normally be used only by bank staff.
- Alternatiively, money transfers were made up to a maximum $10 million threshold to mule accounts from which were apparently siphoned off without being noticed.
Some conclusions jump out of this mess with bells ringing loudly.
Clearly the attackers picked on weak, poorly secured banks, ones more vulnerable than most to this kind of attack on their systems than most. That is the only way to explain that so many organisations were vulnerable to phishing attacks on known software vulnerabilities. Once in, moving around and accessing internal systems was not detected, not the transfers made using internal mechanisms. This is extraordinary as is the ease with which they remotely controlled ATMs to spew money, in one case, into an empty street in Kiev.
That could be the one positive from this event – the devil took the hindmost. That might suggest that manhy other banks are less vulnerable to this kind of elementary if determined type of attack.
A second issue is the extraordinary reluctance of banks to discuss the issue, understandable as it is said to be ongoing and there is no desire to alert other attackers to possible weaknesses, but part of the secrecy that allows incompetent banks to carry on as if this sort of attack is a mere inconvenience.
Third, the scale of the attacks doesn't appear to have been noticed until Kaspersky told them which sugegsts that co-operation between banks is not working at some level in the system. Security firms are trained to detect attacks but banks should be too.
As it happens, the latest attack is not unprecedented. Two attacks on payment processors in 2012 and 2013 bear some resemblance to the latest incident in that they allowed attackers in one to empty bank ATMs in 27 different countries of an estimated $45 million (£29 million) and in the other to steal around $40 million using a similar MO.
Although the losses were smaller, the speed with which they happened was remarkable, both running up a combined $85 million in only a matter of hours using gangs co-ordinated across the world. It is the co-ordination that was the warning then and remains so given that the Kaspersky Carbanak attacks re-used some of the same ideas.
“We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers. APTs are not only for stealing information anymore,” concludes Kaspersky Lab with some understatement.