Almost 99% of all cyber crimes in the world now involve money theft. Don’t be surprised by such a high figure: computer-related crime seeks to maximize monetization and minimize risk. It is therefore much more interesting for full-time professional cyber criminals to attack a bank than to hack, for example, a defense plant.
Targeted attacks currently pose the biggest danger for banks globally: in 2016, losses suffered by financial institutions as a result of targeted hacker attacks increased up to 300%. One of these attacks cost one of the largest Russian banks RUB 140 million ($2.4 million), while the total amount of stolen funds increased to RUB 2.5 billion ($43.5 million), according to researchers’ estimates. Why are Russian hackers so successful at robbing ATMs, why do they steal so much money, and what can banks do to counter them?
Theft at a distance
In July 2016, at night, a masked man approached a First Bank ATM on the outskirts of Taipei, Taiwan. He called someone, and within several minutes the ATM dispensed all the cash it contained. The same scenario played out at four dozen other First Bank ATMs; the Russian hackers robbing the ATMs withdrew about $2.2 million and disappeared.
The Taiwan police had never encountered such a case before. The scammers did not physically damage the ATMs, nor did they use bank cards or skimming equipment. How did this happen? How do Russian hackers rob ATMs? It was the final stage of a “contactless” or “logical” attack on ATMs organized by a criminal group called “Cobalt,” according to the researchers’ sources. It is currently one of the most active cyber criminal groups, and it has attacked banks in 14 countries of Europe and Asia.
Contactless attacks on ATMs are only one variety of targeted attack on banks. In addition to ATM control systems, hackers try to gain access to SWIFT systems, payment gateways and card processing systems.
At the beginning of 2015, for the first time, a Trojan dubbed “Corkow (Metel)” took control of a stock exchange trading terminal and placed orders worth a total of a few hundred million dollars. In just 15 minutes the hackers created abnormal volatility, which made it possible to buy U.S. dollars for RUB 55 and sell them for RUB 62. As a result of the incident, a couple of Russian banks suffered massive losses, although it was random traders rather than the cyber criminals themselves who profited from it.
Early in 2013, Group-IB started tracking the first large-scale targeted attacks on several Russian banks. In 2014, only two hacker groups were known to conduct targeted attacks: “Anunak” and “Corkow.” In 2015 there were three, “Anunak,” “Corkow” and “Andromeda,” and in 2016 another four, “Buhtrap,” “Lurk,” “Cobalt” and “MoneyTaker.” The explanation is simple: the hacker groups that used to attack companies that are banks’ customers are now switching their focus to the banks themselves. More money, much less risk.
Most of the targeted attacks originated from Russia: cyber criminals first tested all their new viruses, schemes, software and attack patterns only on Russian banks and then went on to attack international financial institutions.
Group-IB researchers also observed another hacker group trying to find experts in SWIFT and international money transfers on Dark Web forums. One of the forum members claimed that his bot network included computers that were part of the networks of several banks in Germany and had access to the SWIFT system. The latest successful attack by Russian hackers, on one of the banks via the ARM CBR (“Automated Work Station Client of the Central Bank”) payment system, has provided evidence that scammers have a tool for automatic replacement of payments in the SWIFT system. After some adaptation, it can be used for attacks on SWIFT throughout the globe.
Scheme and mechanism of targeted attacks
In essence, targeted attacks do not require special experience or unique software. Scammers employ ready-to-use tools bought on underground cyber crime forums or free, legally available software.
Intrusion and infection. The key infection vector used to attack bank networks is phishing emails sent to bank employees with malicious attachments, such as Trojans disguised as a legitimate document or a password-protected archive.
Russian hackers use different tricks to make bank employees open these attachments. In 2015, employees of one Russian bank received emails at their corporate email addresses about attractive vacancies at the Central Bank. In 2016, the hacker gang “Cobalt,” posing as the European Central Bank, sent out phishing emails with the malicious attachment “The rules for European banks.doc”. Malicious attachments with exploits can be developed using ready-made virus creation kits, while sending executable files does not require any special tools: a regular email client is enough.
Remote access. Infecting just one computer in a corporate network opens a door into a protected bank system. With free software such as TeamViewer, Ammyy Admin, VNC or LiteManager, criminals gain remote access to the bank network. Then the scammers extract credentials from the RAM of an infected device. For example, the source code of one such tool, Mimikatz, has been posted on one of the Dark Web forums and is currently available for free to everyone.
Search for targets. After obtaining domain admin privileges, criminals examine the bank’s internal network. They may target ATM control networks, SWIFT systems, instant transfer systems for individuals, card processing systems or payment gateways. When scammers find their target, they start tracking the actions of bank operators by taking pictures or recording video on the computers they control. They need this to repeat the operators’ steps later and transfer funds to bank accounts they control. More advanced hacker gangs use prepared tools to modify payment documents; simple scripts and executable files functioning as scripts are used to automate fraudulent payments.
Cash out funds. This stage is performed by specialized professional teams called “money mules” or “drops,” the lower echelon of the cyber criminal hierarchy. They take 40% to 60% of the stolen funds as the fee for their services. The “mules” can be brought to any city or country to pick up the cash. When operating overseas, they most often pose as “tourists” and leave the country as soon as possible after the operation has been completed.
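The first three stages above (attachment opened from mail, remote-access tool started, credentials read from memory) each look ordinary in isolation, so a defender gets more signal from their sequence on a single host. The sketch below is an added example, not code from the article or from Group-IB; the log format, host names and executable names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical key=value format (not from the article).
SAMPLE_LOG = """\
2016-07-10T09:02:11 host=WS-042 event=proc_start image=winword.exe parent=outlook.exe
2016-07-10T09:05:40 host=WS-042 event=proc_start image=teamviewer.exe parent=winword.exe
2016-07-10T09:31:02 host=WS-042 event=proc_access image=unknown.exe target=lsass.exe
2016-07-10T10:00:00 host=WS-007 event=proc_start image=teamviewer.exe parent=explorer.exe
2016-07-10T11:15:00 host=WS-019 event=proc_start image=winword.exe parent=outlook.exe
"""

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
DOC_HANDLERS = {"winword.exe", "excel.exe", "7z.exe", "winrar.exe"}
# Remote-access tools of the kind the article names; the executable names are
# assumptions and must be adjusted to what is actually deployed.
REMOTE_TOOLS = {"teamviewer.exe", "aa_v3.exe", "winvnc.exe", "romserver.exe"}

def parse_line(line):
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def classify(event):
    """Map an event to a stage: 1 lure opened, 2 remote tool, 3 LSASS read."""
    image = event.get("image", "").lower()
    if event.get("event") == "proc_start":
        if image in DOC_HANDLERS and event.get("parent", "").lower() in MAIL_CLIENTS:
            return 1
        if image in REMOTE_TOOLS:
            return 2
    if event.get("event") == "proc_access" and event.get("target", "").lower() == "lsass.exe":
        return 3
    return None

def correlate(log_text, window=timedelta(hours=24)):
    """Return {host: highest stage reached in order, within `window` of stage 1}."""
    progress = {}  # host -> (stage reached, timestamp of stage 1)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    for event in sorted(events, key=lambda e: e["ts"]):
        stage = classify(event)
        reached, start = progress.get(event.get("host"), (0, None))
        if stage == 1 and reached == 0:
            progress[event["host"]] = (1, event["ts"])
        elif reached and stage == reached + 1 and event["ts"] - start <= window:
            progress[event["host"]] = (stage, start)
    return {host: stage for host, (stage, _) in progress.items()}

def hosts_to_triage(log_text):
    """Hosts that showed all three stages in sequence."""
    return sorted(h for h, s in correlate(log_text).items() if s == 3)
```

On the constructed sample only WS-042 is returned: WS-007 runs a remote-access tool with no preceding mail attachment, and WS-019 opens an attachment with nothing following it.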
Financial infrastructure attracts not only Russian hackers robbing ATMs at a distance. In February 2016, hackers tried to steal $951 million from the Central Bank of Bangladesh via the SWIFT system using the same scenario. But due to a mistake in a payment document, they stole only $81 million.
According to Group-IB’s investigation, the cyber attack was carried out by Lazarus, a North Korean hacker group. For years, the group has been known for its actions against ideological opponents of North Korea, which involved DDoS attacks and hacking into the resources of military, government and aerospace institutions in South Korea and the USA. However, probably last year the North Korean hackers ran out of cash and decided to attack dozens of financial institutions globally.