How Cyber Criminals Stole up to $1B from Financial Services Companies

It may be the largest bank robbery ever. A group of cyber criminals has stolen up to $1 billion globally, according to a new report by Moscow-based cyber security firm Kaspersky Lab.

According to the findings, the cyber gang targeted more than 100 banks, financial institutions, electronic payment platforms and financial processing firms in 30 countries. And the threat is far from over.

The hackers infiltrated banks’ internal systems first by sending employees spear phishing emails with attachments that masqueraded as official bank communications. The attachments exploited vulnerabilities in Microsoft Office 2003, 2007 and 2010, along with Microsoft Word. Hackers then installed malware known as Carbanak. In some cases, balances were inflated.

For months, Carbanak lurked and quietly recorded video of how bank employees authorized transactions and moved money throughout each company’s system. “That’s how criminals were able to educate themselves [with] video tutorials on how to deal with the internal banking software in a unique structure,” Sergey Golovanov, Kaspersky Lab’s principal security researcher, said in an interview. “This is something new and I was really surprised when I discovered that.”

Hackers then seized control of ATM banking networks and ordered specific locations to dispense cash “where money mules were ready to collect it.” According to security camera footage reviewed by Kaspersky, criminals collected the cash from ATMs with no physical interaction with the machine. In many cases, the amount was relatively small to avoid detection, but Kaspersky Lab reported one victim lost $7.3 million due to ATM fraud.

Cyber criminals also used the SWIFT financial network to transfer money out of bank accounts. Oracle databases were taken over to manipulate other accounts. In one online exploitation, $10 million was stolen from a victim.

The exact location of the hackers is unclear. “There are indicators that point to a possible Chinese origin for the exploits,” Kaspersky’s report stated. “Obviously, all this could just be a red herring.”

The victims are primarily Russian-speaking financial institutions. Companies in the United States, Japan, Switzerland, Germany and Ukraine were also popular targets.

The prime motivation is cash, according to Golovanov. He said the cyber criminals were “really patient” and “interested not in secrets or property; they’re interested in the money.” Golovanov, who is working closely with companies affected by the malware, characterized the damage as “terrible.” The researchers are collaborating with Europol and Interpol to mitigate the damage. Stolen funds were transferred out of affected countries to China and the United States.

“Usually, these advanced persistent threat (APT) attacks are used by states for state-sponsored attacks, when one nation is trying to steal the secrets of another nation,” Golovanov told Fox Business in an interview. “It was really surprising when we saw the same kind of techniques and the same vectors of attack during cyber-criminal activity.”

At this time, Kaspersky Lab has confirmed $300 million in theft from its clients. However, it believes the total will reach $1 billion from ongoing investigations and unreported cases.

So far, no U.S. bank has announced it has been hit by Carbanak. “We are aware of the report, and can confirm that we were not impacted by this malware,” J.P. Morgan Chase spokesperson Patricia Wexler said. Citi and Bank of America did not respond to requests for comment.

The Financial Services Roundtable, the lobbying organization representing top U.S. financial firms including Wells Fargo, said it has been aware of Carbanak since early January and has notified its members. “At this point in time, we are unaware of incidences where this malware has harmed our member companies or their customers,” said John Carlson, executive vice-president for Technology Risk at BITS, the Financial Services Roundtable's technology and cybersecurity think tank.

The threat, however, continues to evolve. Kaspersky Lab says the malware is still active and the hacking ring is expanding its operations to the Middle East, Asia and Africa.