
Hackers pulled off one of the largest bank robberies in history

At the end of 2013, an ATM in Kiev began dispensing cash at seemingly random moments. Nobody inserted a card or touched the keypad. Cameras recorded that the money was collected by people who happened to be standing nearby at the time.

But when Kaspersky Lab was called in to investigate, it discovered that the machine that had gone haywire was the least of the bank's problems.

The bank's computers, which employees used for daily transfers and bookkeeping, were running malware that let the cybercriminals record every step. According to the investigation, the software had been hiding there for months, sending back video and screenshots that showed the criminal group, which included Russians, Chinese and Europeans, how the bank carried out its daily operations.

Then, posing as bank employees, the attackers not only switched on cash dispensers but also transferred millions of dollars from the banks to bogus accounts in Russia, Japan, Switzerland, the United States and Holland.

In the report, which is scheduled to be published on Monday and was provided to The New York Times in advance, Kaspersky Lab says that the scale of the attack, on more than 100 banks and other financial organizations in 30 countries, could make it one of the largest bank robberies in history, yet one devoid of the usual signs of a robbery.

The Lab says it cannot name the affected banks because of non-disclosure agreements with them. The White House and the FBI have been notified of its findings, but say it will take time to confirm the data and estimate the losses.

The company says it has seen evidence of $300 million in thefts from its customers and believes that total losses could be three times higher. This estimate is hard to verify, because individual transactions in the theft were capped at $10 million (although some banks were hit repeatedly). In many cases the amounts withdrawn were more modest, likely so as to go unnoticed.

Most of the affected organizations are located in Russia, but many are in Japan, the United States and Europe.

So far, no bank has acknowledged the theft, a typical problem that Obama drew attention to on Friday when he attended the first White House Summit on Cybersecurity and Consumer Protection, held at Stanford University. He spoke in favor of a law that would require public disclosure of any hack in which personal or financial information was stolen.

But a consortium that warns banks about malicious activity, the Center for Analysis and Information Exchange between Financial Services, said in a statement: "Our participants are aware of this activity. We have distributed information about this attack among our participants," and "some briefings were held by law enforcement agencies."

The Association of American Bankers declined to comment, and its leader, Douglas Johnson, said the group would treat the consortium's statement as its only comment. Interpol said its cybercrime center in Singapore was coordinating the investigation together with the law enforcement agencies of the affected countries. The Dutch High Tech Crime Unit, a division of the national police that investigates some of the most complex financial cybercrime, was also notified.

The silence around the investigation seems to stem partly from the banks' reluctance to admit that their systems were so vulnerable, and partly from the fact that the attacks are continuing.

Chris Doggett, managing director of Kaspersky Lab's North American office in Boston, said that the "Carbanak group", named after the malware it used, represents an escalation in cyberattacks on financial companies.

“This is probably the most difficult attack in history in terms of tactics and methods used by cybercriminals to go unnoticed,” he said.

As in the recent attack on Sony Pictures, which Obama on Friday again attributed to North Korea, the attackers were very patient: they planted surveillance software on the computers of system administrators and watched their actions for months. The evidence suggests that in this case the attackers were not a nation state but a group of cybercriminals.

The question remains how a scam of this magnitude could run for almost two years without banks, regulators or law enforcement agencies catching on. Investigators say the answer may lie in the hackers' methods.

In many ways, the hack began as a standard one. The cybercriminals sent their victims infected emails, a news item or a message purportedly from a colleague, as bait. When bank employees clicked, they unwittingly downloaded the malicious code. This let the hackers move through the bank's network until they reached the staff who managed the money transfer systems or remotely controlled the ATMs.

Then, according to Kaspersky employees, the attackers installed a RAT (remote access tool) that let them receive video and screenshots from the employees' computers.

"The goal was to take over their actions," Sergey Golovanov, who led the investigation at Kaspersky Lab, said by telephone from Russia. "In this case, everything looks like normal, everyday transactions."

The criminals spent considerable effort studying the particulars of each bank's systems, while at the same time opening accounts at banks in the US and China to receive the money. Two people briefed on the investigation say that accounts were opened at JP Morgan Chase and the Agricultural Bank of China. Neither bank responded to a request for comment.

Kaspersky Lab was founded in 1997 and became one of the best-known examples of Russian high-tech exports, but its origin has hampered its market share in the United States. Its founder, Eugene Kaspersky, studied cryptography at a university partially funded by the KGB and the Ministry of Defense, and worked for the Russian army before starting his company.

When it came time to cash in, after a period the investigators say ranged from two to four months, the criminals used several methods. In some cases they used online banking systems to transfer money to their own accounts. In others, they ordered an ATM to dispense cash while an accomplice waited beside it.

But the largest sums were stolen by breaking into the banks' accounting systems and manipulating balances. Posing as employees, the criminals artificially inflated a balance: for example, an account holding $1,000 was altered to appear to hold $10,000, and $9,000 was then withdrawn from the bank. The real account holder had no reason to suspect anything, and the bank needed time to work out what had happened.

“We found that many banks check accounts only once every 10 hours or so,” Golovanov said. “So, in the interim, you can manage to change numbers and withdraw money.”
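As an added illustration (not from the article or from Kaspersky's report), the toy ledger below shows why a balance edited with no matching ledger posting remains detectable by reconciliation even after the cash-out, and how reconciling before each debit closes the window Golovanov describes; the account model, cent values and function names are all constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    """Toy core-banking account: a stored balance field kept beside the ledger."""
    stored_balance: int                           # cents
    postings: list = field(default_factory=list)  # append-only ledger, cents


def post(acct: Account, amount: int) -> None:
    """Legitimate path: every balance change leaves a ledger entry."""
    acct.postings.append(amount)
    acct.stored_balance += amount


def reconcile(acct: Account) -> int:
    """Stored balance minus ledger sum; 0 means the two agree."""
    return acct.stored_balance - sum(acct.postings)


def authorize_naive(acct: Account, amount: int) -> bool:
    """Trusts the stored balance field alone."""
    return amount <= acct.stored_balance


def authorize_hardened(acct: Account, amount: int) -> bool:
    """Refuses the debit unless the stored balance reconciles with the ledger."""
    return reconcile(acct) == 0 and amount <= acct.stored_balance


def run_scenario(authorize) -> dict:
    """Constructed replay: $1,000 account inflated to $10,000, then $9,000 withdrawn."""
    acct = Account(stored_balance=0)
    post(acct, 100_000)                      # legitimate $1,000 deposit
    acct.stored_balance = 1_000_000          # tamper: balance edited, no posting
    approved = authorize(acct, 900_000)
    if approved:
        post(acct, -900_000)                 # the cash-out itself is a real posting
    return {
        "approved": approved,
        "stored_balance": acct.stored_balance,  # naive path: back to $1,000
        "ledger_balance": sum(acct.postings),   # naive path: -$8,000
        "discrepancy": reconcile(acct),         # $9,000 either way: tamper persists
    }
```

With the naive check the withdrawal is approved and the stored balance returns to $1,000, so a balance-only review hours later sees nothing odd, while the ledger sum shows the $9,000 discrepancy whenever reconciliation finally runs.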

The hackers' success is impressive. According to Kaspersky Lab, one of its customers lost $7.3 million through ATMs alone. In some cases, money was moved through SWIFT, the system banks use for international transfers. SWIFT has long been a target for hackers, and for just as long it has been watched by intelligence services.

Doggett compared most cybercrime to Bonnie and Clyde-style robberies, in which the robbers rush in, grab everything they can and run. This case, he said, was "more like Ocean's 11."

Source: https://habr.com/ru/post/250597/
