Using spear phishing attacks to compromise financial workers’ systems, a gang of cyber-criminals has stolen hundreds of millions of dollars from banks in Russia, Ukraine, China, Germany and the United States during a two-year crime spree, security firm Kaspersky Lab stated in a report published on Feb. 16.
The cyber-thieves sent malware-laden documents to bank employees, which—when opened– would attempt to exploit vulnerabilities in Microsoft Office or the Windows control panel. Following a compromise, the attackers sought information on a compromised bank’s money-processing services, ATMs and financial accounting practices, researchers said.
The attackers managed to control systems inside of 100 banks, stealing money from more than half of the financial institutions, including causing $7.3 million to be dispensed by compromised ATMs at one bank and using another company’s financial system to transfer $10 million, Kaspersky researchers stated in the report.
“ATMs were instructed remotely to dispense cash without any interaction with the ATM itself, with the cash then collected by mules,” the researchers stated in a blog post summarizing the research. “The SWIFT network was used to transfer money out of the organization and into criminals’ accounts; and databases with account information were altered so that fake accounts could be created with a relatively high balance, with mule services being used to collect the money.”
In each instance, the criminals would take two to four months to observe a compromised bank before cashing out. The widespread operation, dubbed Carbanak by Kaspersky for the malware used in the crimes, is ongoing the firm stated.
Kaspersky originally became involved when researching an attack on a Ukrainian financial institution, which resulted in a massive effort with law enforcement and other organizations to track the attackers.
While the company started investigating a Ukrainian incident, new incidents quickly appeared at banks in Russia and Eastern European countries. Data from command-and-control servers suggest that financial institutions in China, Germany and the United States were also affected. So far, no banks have come forward to confirm attacks on their networks, according to the New York Times, which obtained an early copy of the report on Saturday.
While Kaspersky announced its research at its Security Analyst Summit in Cancun, Mexico on Feb. 16, much of the information about the criminals’ campaign had already been described in a December 2014 report by FoxIT and Group-IB. While Kaspersky and other antivirus (AV) companies call the malware used by the criminals Carbanak, Fox-IT and Group-IB referred to the code by the same name as the criminals: Anunak.
“Basically Anunak is the name the malware author gave to the main malware used in these attacks,” Ronald Prins, Fox-IT founder and CTO, said in a statement. “Carbanak … is a combination of the words ‘Anunak’ and ‘Carberp,’ as the Anunak malware has used code from Carberp.”
While Kaspersky has claimed that attacks are ongoing, Fox-IT’s Prins concluded that the attacks have died down since late last year.
“Since early December, the group has decreased their activities and might now have even stopped entirely,” Prins said. “The exact reason for their break remains unclear, but was already prior to the report Group-IB and Fox-IT released. We have seen several activities which might be somewhat related and we’re investigating these.”