Kaspersky Labs reports at least $300 million in a 2 year sophisticated heist was stolen from a variety of banks world wide.
The surface of the heist was presumably started in late 2013 when a A.T.M. in Kiev was exhibiting some strange behavior when it started dispensing cash at seemingly random times of day. No card or button on the A.T.M. was touched and the security cameras only showed piles of money being taken by lucky customers who were at the right place at the right time.
Kaspersky labs, a Russian cyber-security firm was called to investigate the A.T.M. anomaly and through its investigation discovered this was just the tip of the iceberg of the real hack that was taking place.
The bank’s very own internal computers, the ones used by the bank employees who processed daily transfers, conducted daily bookkeeping, had been unwittingly infected with sophisticated malware that allowed cyber criminals to record their every move. It was suspected that the malicious software had been in their systems for several months, sending back video feeds and images that told a story to the criminal group patiently watching on the other side how exactly the bank conducted its daily routines.
With that inside information on the daily habits and procedures of bank employees the criminal hacking group was able to impersonate bank officers enabling them to, not only turning on various cash machines, but also be able to transfer millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.
According to reports from Kaspersky Labs the scope of this attack was on more than 100 banks and other financial institutions in 30 nations which could very well make it one of the largest bank thefts ever and one conducted without the usual signs of robbery.
Kaspersky Labs has a gag order from nondisclosure agreements with the banks that were hit, it cannot name them. It goes without saying Officials at the White House and the F.B.I. have been briefed on the Kaspersky’s findings, but say that it will take time to confirm them and assess the losses (otherwise meaning those who know will not say).
What Kaspersky Labs is telling is that the thefts were limited to $10 million a transaction, and some banks were hit several times. In a vast majority of cases the takes were more modest, possibly in an attempt to avoid setting off alarms. The totals they are telling is upwards of $300 million with a high probability of triple that amount with the majority of known targets in Russia, with a smaller amount in in Japan, the United States and Europe.
Of course no bank has come forward acknowledging the theft which is such a common problem in this type of industry that even President Obama during his first White House summit meeting on cybersecurity and consumer protection at Stanford University is urging a passage of a law that would mandate public disclosure of any breach that compromised personal or financial information.
Douglas Johnson, from the American Bankers Association stated, Investigators at Interpol said their digital crimes specialists in Singapore were coordinating an investigation with law enforcement in affected countries. In the Netherlands, the Dutch High Tech Crime Unit, a division of the Dutch National Police that investigates some of the world’s most advanced financial cybercrime, has also been briefed. There was no other comments from the American Bankers Association.
The silence surrounding the investigation is partly because of the reluctance of banks to concede that their systems were so easily penetrated, and also in part of the fact that the attacks appear to be continuing.
Chris Doggett, the managing director of the Kaspersky North America office in Boston stated that the
“Carbanak cybergang (named for the malware it deployed), is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cyber criminals have used to remain covert,”
The intruders in the bank thefts were enormously patient, first placing surveillance software in the computers of system administrators and watching their moves for several months. It is suspected that this was not a nation state, but rather a specialized group of cyber criminals.
It is uncertain how the subterfuge on this scale could have proceeded for nearly two years without banks, regulators or law enforcement catching on.
But the basics of this hack began like many others, sending their targeted victims infected emails with a news clip or message that was forged to appear to come from a colleague. When the targeted bank employee clicked on the email, they inadvertently downloaded malicious code. From there with the malicious code on the system that allowed the hackers to crawl across a bank’s network until they found employees who administered the cash transfer systems or remotely connected A.T.M.s.
Then, the cyber criminals installed a “RAT”— remote access tool — that could capture video and screen shots of the employees’ computers to learn and mimic everyday activities of the bank and the bank employees. In doing this they could stage everything to look like a normal, everyday transaction.
With patience and persistence, the attackers took great pains to learn each bank’s particular system, while they set up fake accounts at banks in the United States and China that could serve as the destination point for money transfers.
It is known that these fake accounts were set up at J.P. Morgan Chase and the Agricultural Bank of China.
A period of several months and the creation of multiple routes for the money transfers were set up including online transfers as well as A.T.M. cash dispensing to terminals where the associates would be waiting.
With the largest sums stolen by hacking into a bank’s accounting systems and briefly manipulating account balances and temporarily inflating the balance an example provided was an account with $1,000 would be altered to show $10,000. Then $9,000 would be transferred outside the bank. Their was a reported 10 hour window where the banks did not check or audit these balances allowing the illicit transaction to take place during that time.
Some of the numbers reported by Kaspersky on the effectiveness of the hacks were $7.3 million through A.T.M. withdrawals alone and $10 million from the exploitation of its accounting system.
The level of the sophistication of this heist was Ocean’s 11 on steroids.