The FBI warns of potential attacks in U.S. after similar crimes in Taiwan and Thailand
Earlier this year, cybercriminals in Taiwan and Thailand programmed bank ATMs to dispense cash and had gang members stand in front of the machines at the appointed hour to collect millions of dollars. Apparently, the cybercriminals are now targeting the banks’ own computers, with often-dramatic results.
Earlier this month, U.S. banks were warned by the Federal Bureau of Investigation (FBI) of the possibility of similar attacks. In a bulletin, the FBI said that it is “monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector.”
The FBI bulletin mentioned Buhtrap, a Russian gang, and the software it uses. Buhtrap and other gangs honed their techniques on Russian banks and then expanded to other countries, computer-security specialists say. Sometimes the hackers break into the systems that process transactions on banking payment networks; other times they have hit ATM networks directly.
In Taiwan, on July 10, the Taipei city police received a report of currency lying on a First Commercial Bank ATM in the city’s Da’an Precinct. Soon, reports of loose cash at other ATMs started trickling in.
A few days later, in a written statement, police said that ATMs were “abnormally spitting out bills.”
By July 11, the criminals had collected more than 83 million New Taiwan dollars (US$2.6 million) in cash without using ATM cards. Twenty-two people, mostly from Eastern Europe, waited at the ATMs to remove the money. Later, three suspects were arrested and over NT$77 million recovered.
A First Commercial spokeswoman acknowledged that the bank’s ATM systems were attacked in July. Investigators believe the criminals broke into computers at First Commercial’s London office on May 31. Once inside the network, they sent a malicious software update to the company’s 41 PC1500 ATMs, which are built by Wincor Nixdorf AG of Germany. After testing their system on July 9, they instructed the ATMs to empty their cash-carrying cassettes the next day. Wincor Nixdorf did not comment when contacted by The Wall Street Journal.
According to the FBI bulletin, the Government Savings Bank in Thailand was hit with a similar attack the next month. Government Savings Bank couldn’t be reached for comment by WSJ.
Hackers sent fraudulent “phishing” emails to both the Taiwan and Thailand banks, disguised to look like messages from ATM vendors or other banks, the FBI said. The attacks show hackers’ “capability of conducting low-risk, high-impact attacks,” the FBI added.
Whether the Taiwan attack was related to the Thai case could not be confirmed by a Taipei City police spokesman; however, he said that the features were alike.
The attacks demonstrate a new technique for cybercriminals, who traditionally stole money from consumer banking accounts, hit ATMs with fraudulent cards, or used other tricks on a single machine. Over the past 18 months, some criminals have turned to bank networks, breaking in and then finding ways to make dozens of machines unload their cash at the same time.
“These guys, who could have been in the past just going after consumers…are breaking into financial institutions,” said Eric Chien, technical director of Symantec Corp.’s Security Technology and Response division.
Taipei police, who worked with the FBI on the First Commercial Bank investigation, said in July that malicious software used on ATMs had resulted in more than $300 million in losses.
In a written statement, the FBI said it “routinely advises private industry of various cyber threat indicators observed during the course of our investigations.”
A small number of elite hacking groups is carrying out the attacks, investigators say. “The skill level to create the malware for the actual network intrusions is a step up,” from more common ATM crimes, said Robert McArdle, a security researcher with antivirus vendor Trend Micro Inc.
U.S. ATMs tend to be newer and more difficult to attack than overseas systems, though some are “just as ill-protected,” says Symantec’s Mr. Chien. Almost one-quarter of the institutions hit with another type of Russian malware, known as Odinaff, which targets financial-transaction systems, are in the U.S., Symantec said.
Dmitry Volkov, head of cyberintelligence with Russian cybersecurity vendor Group-IB, has spent years tracking Russian-based groups that hack into financial institutions, particularly to steal money by exploiting bank payment systems. The Buhtrap group carried out 13 successful attacks against Russian banks, stealing more than $25 million through the nation’s bank-clearinghouse system, during the six months ended in February 2016, he said.
Earlier this year, an unhappy Buhtrap member released the computer code to carry out the attacks, which is now being used by others, Mr. Volkov said. Another group called Cobalt, which is connected to Buhtrap, has been targeting banks in Europe and Asia too since the summer, he said.