On February 16th, 2015, Kaspersky Lab published a report titled “Carbanak APT – The Great Bank Robbery”, telling the story of a cyber attack campaign against numerous banks and financial institutions, spanning from late 2013 and resulting in estimated cumulative losses of $1B. Media outlets such as CNN have dubbed the attack “the Ocean’s eleven of cyber strikes”.
As in many cases, the attack started with spear phishing, giving the attackers initial control of a bank employee’s computer. This was followed by the installation of a rather sophisticated modification of the Carberp backdoor, whose source code was for sale for $50k last year and is now available for free on GitHub. The next phase involved lateral movement through the victim’s network via discovery and exploitation of internal servers, using Windows and Linux tools including the “legitimate” remote administration utility Ammyy and a Secure Shell (SSH) backdoor. These steps were accompanied by careful intelligence gathering, including video and audio capture and keystroke logging from victim computers. This long process eventually enabled the attackers to penetrate money processing servers, financial accounts and ATM control systems, where they used tailor-made techniques to transfer funds and to dispense cash from ATMs into the hands of waiting money mules.
These long and careful attack processes and methods are similar to those used in state-sponsored cyber espionage APTs. What’s new here is that they are being used by cyber-criminals to steal money directly from banks. The success of this campaign is likely a sign of more attacks to come. This is disturbing news; are financial institutions, or any corporations, ready for this?
Unfortunately, we are afraid the answer is largely no.