Remote ATM control: Kaspersky Lab details $1bn online bank heist (EXCLUSIVE)

Reuters / Arnd Wiegmann
Internet security company Kaspersky Lab says the banking industry could be experiencing “a new era in cybercrime.” The company has been investigating a $1 billion attack on financial institutions by a sophisticated hacking group.

The IT security firm says the hackers from the Carabanak group used a complex virus system which was later named after them. It is not like the simple Trojan horse malware used to by-pass security systems, but something much more complex and unique, according to documents exclusively seen by RT.

Russian cyber-security company Kaspersky Lab was invited to look into the matter, after an ATM in the Ukrainian capital Kiev started giving out cash randomly without anyone inserting a card or touching any buttons in late 2013.

The attackers did not look to exploit weaknesses in the company’s software. Instead, they took screenshots of computers at 20-second intervals and were able to learn the victims’ internal procedures. They were then able to copy these and impersonate the victim in order to process fraudulent transactions.

Anton Shingarev, Chief of Staff at Kaspersky Lab, said the complex nature of the malware used was unprecedented and it was “the most highly sophisticated criminal attack we have ever seen.”

He added that the cyber-criminals used methods that were used by governments in the past, while each attack took approximately two months and around 10 criminals were working on a daily basis on it.

Kaspersky Lab said that most of the victims were located in Russia, the US, Germany, China and Ukraine. The hacking group targeted 30 banks. One customer lost in the region of $7.3 million because of ATM fraud, while another had $10 million stolen due to hackers entering the person’s online banking page.

The money would then be sent to accounts set up mainly in the US and China.

“They managed to get access to the whole banking system. They managed to remotely control ATM’s and they managed to transfer money from one account to another. Due to the extreme level of complexity, banks did not realize they were coming under attack,” Shingarev told RT.

Worryingly, the criminals were able to bypass advanced control and fraud detection systems, which the financial industry has been reliant on for years for internet security. The hackers went down another route to avoid these security systems by using industry-wide funds transfers (the SWIFT network), which would allow them to update the balances of those holding an account in the bank.

For example, the hackers could alter the data for an account that held $1,000 and add extra funds to make the balance $10,000. The criminals would then withdraw $9,000 bringing the balance back to $1,000. As the customer lost no money, he or she would be none the wiser and not raise any alarm.

The attackers were also not too greedy deliberately limiting the amount stolen from each victim to $10 million. This was to ensure that red flags were not raised and law enforcement agencies did not carry out a thorough investigation.

Geographical distribution of targets according to C2 data (image by Kaspersky Lab)

Kaspersky Lab says that little is known about the criminals, as they have now been detected and the IT security firm cannot reveal any details on them. They did mention that the criminals had been working for around two years and they did leave traces which Kaspersky Lab is now studying.

“It’s like an arms race. Security companies develop better protection and criminals develop better malware to bypass it,” Shingarev added.

The Carbanak malware used by the cyber-criminals proved to be very successful in helping the attackers steal around $1 billion. Kaspersky Lab is worried about the increasing sophistication of attacks.

“Despite increased awareness of cybercrime within the financial services sector, it appears that spear phishing attacks and the old exploits (for which patches have been disseminated) remain effective against larger companies. Attackers always use this minimal effort approach in order to bypass a victim ́s defenses,” a press release from the company stated.