February 15, 2015 at 11:07Hackers have committed one of the largest bank robberies in the history of
- Transfer
At the end of 2013, an ATM in Kiev began to issue money at completely arbitrary moments. No one inserted cards into it and did not touch the buttons. The cameras recorded that the money was taken by people who accidentally appeared nearby at that moment.
But when they brought in Kaspersky Lab for the investigation , she discovered that the “branded” device was the smallest bank problem.
Bank computers used by employees to make daily transfers and bookkeeping had malicious software that allowed cybercriminals to record every step. According to the results of the investigation, the software was hiding there for months, sending videos and images that informed the criminal group - which included Russians, Chinese and Europeans - how the bank performed its daily operations.
Then, the attackers posed as bank employees, not only including devices for issuing money, but also transferring millions of dollars from banks to Russia, Japan, Switzerland, the United States and the Netherlands to shell accounts.
In a report scheduled to be published on Monday and pre-shared by The New York Times, Kaspersky Lab says that the scale of this attack on more than 100 banks and other financial institutions in 30 countries could make this one of the largest bank robberies in history - and without the usual signs of robbery.
The Lab says that due to non-disclosure agreements with affected banks, it cannot name them. The US White House and the FBI were notified of what was found, but they say that it will take time to confirm the data and to estimate the losses.
The company claims to have received $ 300 million theft certificates from its customers through its customers, and believes that total losses could be three times higher. But this estimate cannot be verified, because the size of the transactions during the theft was limited to $ 10 million (although some banks suffered more than once). In many cases, the amounts withdrawn were more modest, likely to go unnoticed.
Most of the affected organizations are located in Russia, but many are also in Japan, the USA and Europe.
So far, no bank has recognized theft - a typical problem that Obama drew attention to on Friday when he attended the first White House summit on cybersecurity and consumer protection at Stanford University. He spoke out in favor of adopting a law that would require public disclosure of information about any hacking in which personal or financial information was stolen.
But the consortium warning banks of malicious activity - the Center for Analysis and Exchange of Information between Financial Services - said in a statement: “Our members are aware of this activity. We disseminated information about this attack among our participants ", as well as" some briefings were held by law enforcement agencies. "
The American Bankers Association declined to comment, and its leader, Douglas Johnson, said the group would consider the consortium's statement as the only commentary. Interpol investigators said their Singapore-based cybercrime experts are coordinating the investigation with law enforcement agencies in the affected countries. Dutch High Tech Crime Unit, a national police unit investigating some of the most difficult financial cybercrimes, has also been notified.
The silence surrounding the investigation appears to be due in part to the banks' reluctance to acknowledge that their systems were so vulnerable, and in part to the fact that the attacks are ongoing.
Chris Doggett, Managing Director of Kaspersky Lab’s North American office in Boston, said the Carbanak group, named for the malware used, is showing increased sophistication in cyber attacks against financial companies.
“This is probably the most difficult attack in history in terms of tactics and methods used by cybercriminals to go unnoticed,” he said.
As with the recent Sony Pictures attack, which Obama again called the North Korean handiwork on Friday, the attackers were very patient, placing the tracking software on the computers of system administrators and monitoring their actions for months. Evidence suggests that in this case, the attackers did not represent a country, but a group of cybercriminals.
But the question remains how the scam of this magnitude could last almost two years without the banks, regulators or law enforcement agencies catching on. Investigators say the answers may be hiding in the hacker method.
In many ways, this hacking started as standard. Cybercriminals sent infected letters to their victims - news or messages allegedly coming from a colleague - as bait. When bank employees clicked, they inadvertently downloaded a malicious code. This allowed hackers to spread across the bank’s network until they reached employees who controlled money transfer systems or remotely controlled ATMs.
Then, according to Kaspersky’s employees, the attackers installed the RAT — a remote access tool — that allowed them to receive video recordings and screenshots from employees' computers.
“The goal was to take over their actions,” Sergei Golovanov, an investigator at Kaspersky Lab, told The New York Times over the phone from Russia. “In this case, everything looks like normal, everyday transactions.”
The criminals spent a lot of effort to study the features of the system of each bank, at the same time opening accounts with banks in the USA and China to transfer money to them. Two people informed of the progress of the investigation say accounts were created at JP Morgan Chase and Agricultural Bank of China. None of the banks responded to a request for comment.
Kaspersky Lab was founded in 1997 and became one of the most famous examples of high-tech Russian exports, but its origin in the United States prevented its market share. Its founder, Eugene Kaspersky, studied cryptography at a university that was partially funded by the KGB and the Ministry of Defense, and worked for the Russian army until the opening of his company.
When it came time to cash in on their actions - a period that the investigation calls varying from two to four months - the criminals used several paths. In some cases, they used online banking systems to transfer money to their accounts. In other cases, they ordered the ATM to issue money where one of the accomplices was waiting.
But the largest amounts were stolen by hacking banking accounting systems and manipulating balances. By posing as employees, the criminals artificially overestimated the balance — for example, an account with $ 1,000 was processed to appear as an account with $ 10,000. Then $ 9,000 was withdrawn from the bank. The real owner of the account could not suspect anything, and the bank needed time to figure out what had happened.
“We found that many banks only check accounts every 10 hours or so,” Golovanov said. “So in the interval you can manage to change the numbers and withdraw money.”
The success of the hackers is impressive. According to Kaspersky Lab, one of its client companies lost $ 7.3 million through ATMs alone. In some cases, money was transferred through the SWIFT system used by banks for international transfers. For a long time she was the target of hackers - and the secret services also watched her for so long.
Doggett compared most cybercrimes to Bonnie and Clyde-style crimes when robbers burst in, grab everything they can and run. And in this case, he said, everything is “more like“ Ocean’s 11 friends ”.
But when they brought in Kaspersky Lab for the investigation , she discovered that the “branded” device was the smallest bank problem.
Bank computers used by employees to make daily transfers and bookkeeping had malicious software that allowed cybercriminals to record every step. According to the results of the investigation, the software was hiding there for months, sending videos and images that informed the criminal group - which included Russians, Chinese and Europeans - how the bank performed its daily operations.
Then, the attackers posed as bank employees, not only including devices for issuing money, but also transferring millions of dollars from banks to Russia, Japan, Switzerland, the United States and the Netherlands to shell accounts.
In a report scheduled to be published on Monday and pre-shared by The New York Times, Kaspersky Lab says that the scale of this attack on more than 100 banks and other financial institutions in 30 countries could make this one of the largest bank robberies in history - and without the usual signs of robbery.
The Lab says that due to non-disclosure agreements with affected banks, it cannot name them. The US White House and the FBI were notified of what was found, but they say that it will take time to confirm the data and to estimate the losses.
The company claims to have received $ 300 million theft certificates from its customers through its customers, and believes that total losses could be three times higher. But this estimate cannot be verified, because the size of the transactions during the theft was limited to $ 10 million (although some banks suffered more than once). In many cases, the amounts withdrawn were more modest, likely to go unnoticed.
Most of the affected organizations are located in Russia, but many are also in Japan, the USA and Europe.
So far, no bank has recognized theft - a typical problem that Obama drew attention to on Friday when he attended the first White House summit on cybersecurity and consumer protection at Stanford University. He spoke out in favor of adopting a law that would require public disclosure of information about any hacking in which personal or financial information was stolen.
But the consortium warning banks of malicious activity - the Center for Analysis and Exchange of Information between Financial Services - said in a statement: “Our members are aware of this activity. We disseminated information about this attack among our participants ", as well as" some briefings were held by law enforcement agencies. "
The American Bankers Association declined to comment, and its leader, Douglas Johnson, said the group would consider the consortium's statement as the only commentary. Interpol investigators said their Singapore-based cybercrime experts are coordinating the investigation with law enforcement agencies in the affected countries. Dutch High Tech Crime Unit, a national police unit investigating some of the most difficult financial cybercrimes, has also been notified.
The silence surrounding the investigation appears to be due in part to the banks' reluctance to acknowledge that their systems were so vulnerable, and in part to the fact that the attacks are ongoing.
Chris Doggett, Managing Director of Kaspersky Lab’s North American office in Boston, said the Carbanak group, named for the malware used, is showing increased sophistication in cyber attacks against financial companies.
“This is probably the most difficult attack in history in terms of tactics and methods used by cybercriminals to go unnoticed,” he said.
As with the recent Sony Pictures attack, which Obama again called the North Korean handiwork on Friday, the attackers were very patient, placing the tracking software on the computers of system administrators and monitoring their actions for months. Evidence suggests that in this case, the attackers did not represent a country, but a group of cybercriminals.
But the question remains how the scam of this magnitude could last almost two years without the banks, regulators or law enforcement agencies catching on. Investigators say the answers may be hiding in the hacker method.
In many ways, this hacking started as standard. Cybercriminals sent infected letters to their victims - news or messages allegedly coming from a colleague - as bait. When bank employees clicked, they inadvertently downloaded a malicious code. This allowed hackers to spread across the bank’s network until they reached employees who controlled money transfer systems or remotely controlled ATMs.
Then, according to Kaspersky’s employees, the attackers installed the RAT — a remote access tool — that allowed them to receive video recordings and screenshots from employees' computers.
“The goal was to take over their actions,” Sergei Golovanov, an investigator at Kaspersky Lab, told The New York Times over the phone from Russia. “In this case, everything looks like normal, everyday transactions.”
The criminals spent a lot of effort to study the features of the system of each bank, at the same time opening accounts with banks in the USA and China to transfer money to them. Two people informed of the progress of the investigation say accounts were created at JP Morgan Chase and Agricultural Bank of China. None of the banks responded to a request for comment.
Kaspersky Lab was founded in 1997 and became one of the most famous examples of high-tech Russian exports, but its origin in the United States prevented its market share. Its founder, Eugene Kaspersky, studied cryptography at a university that was partially funded by the KGB and the Ministry of Defense, and worked for the Russian army until the opening of his company.
When it came time to cash in on their actions - a period that the investigation calls varying from two to four months - the criminals used several paths. In some cases, they used online banking systems to transfer money to their accounts. In other cases, they ordered the ATM to issue money where one of the accomplices was waiting.
But the largest amounts were stolen by hacking banking accounting systems and manipulating balances. By posing as employees, the criminals artificially overestimated the balance — for example, an account with $ 1,000 was processed to appear as an account with $ 10,000. Then $ 9,000 was withdrawn from the bank. The real owner of the account could not suspect anything, and the bank needed time to figure out what had happened.
“We found that many banks only check accounts every 10 hours or so,” Golovanov said. “So in the interval you can manage to change the numbers and withdraw money.”
The success of the hackers is impressive. According to Kaspersky Lab, one of its client companies lost $ 7.3 million through ATMs alone. In some cases, money was transferred through the SWIFT system used by banks for international transfers. For a long time she was the target of hackers - and the secret services also watched her for so long.
Doggett compared most cybercrimes to Bonnie and Clyde-style crimes when robbers burst in, grab everything they can and run. And in this case, he said, everything is “more like“ Ocean’s 11 friends ”.