Banks warned to brace for the coming storm as Carbanak malware steals $1 billion
Details about the gang’s activities were revealed in a report by Kaspersky Lab at the weekend. The thefts were initiated using spear-phishing, using an infected Word document to download the Carbanak malware onto a targeted individual’s computer. The hackers then used their access to the network to see and record everything happening on the screens of the staff who serviced the cash transfer systems, before stealing the funds. The whole process took on average two to four months from infection to completion.
“These bank heists were surprising because it made no difference to the criminals what software the banks were using,” said Sergey Golovanov, principal security researcher at Kaspersky Lab’s global research and analysis team. “So even if its software is unique, a bank cannot get complacent. The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery.”
Funds were stolen from banks, e-payment systems and other financial institutions in Russia, USA, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia.
According to Kaspersky, the attackers were highly sophisticated, leaving some cash behind to mask their tracks. In some of the attacks, the hackers accessed accounting systems, artificially inflating account balances and then removing the extra amount. For example, if an account had £1,000, they would change its value to £10,000 and then remove £9,000 for themselves. The account holder would not suspect anything, since the original £1,000 is still there. In other attacks, the funds were transferred to banks in China or the US. The attackers also hijacked the ATM network, ordering specific ATMs to dispense cash at a specific time. At the pre-determined moment, one of the gang’s members would be waiting at the machine to collect the payment.
Security specialists have put forward a number of suggestions for how these kinds of attacks might be mitigated in future. These include tighter control on communication channels, encrypting data at the data field level (thus rendering it useless to an attacker) and more monitoring and cross-industry coordination, as well as data sanitisation, in which incoming files are converted into another format, rendering the attacker’s script useless.
“The hackers were able to gain access to the banking systems by sending out emails to banking employees with a malware-laced Word attachment, which, when opened, executed a backdoor for the attackers,” said Mike Spykerman, VP of product management at Opswat. “The problem with these attacks is that because they are targeted to only a small number of individuals, the malware can get past anti-virus engines. However, the Word files could have been converted to, for instance, PDF files, removing the exploit that the attackers had placed in the Word file.”
Others were more pessimistic, and warned that solutions, while possible, would be difficult to implement since they required significant cooperation between banks, regulators and customers. They also worried that the Carbanak attack is a prelude to further harmful attacks in future.
“The fundamental big concern this type of attack raises is that security monitoring cannot just test for vulnerabilities that are obvious and noticeable such as distributed denial of service, where a website is shut down by two or more hackers, and data theft,” said Mark Skilton, professor of practice and cyber security researcher at Warwick Business School. “This is a cyber-threat of massive proportions, on an industrial scale, where eavesdropping and small changes need to be detected. I suspect this is just the tip of the iceberg of what may have been stolen and we may never know the full extent of the theft.
“It is possible to do several things about this from coordinated cyber intelligence to specialised cyber-threat monitoring,” he added. “It requires a much more rigorous monitoring and coordinated response system between banks and industry to combat the cyber threats that can move and work across, and between them, in a virtual world. This is also not just a banking issue as potentially any website and company is a target.”
For Mark Bower, VP product management at Voltage Security, the key issue is to use high-quality encryption on the data at the core of the business. “If the data driving transactions, ledgers, and balances is encrypted at the data field level with modern format-preserving encryption methods, as opposed to the storage level encryption which does not mitigate these threats, the data can be securely armoured so that data tampering without invoking multiple alarms or errors when it is manipulated is practically impossible,” he said. “This technique is already in place in leading banks, payment processors and healthcare networks today as a primary defence against advanced threats and the data breach risks they entail.”
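As an added illustration, not code from the article or from any vendor quoted in it, the toy ledger below shows why field-level integrity protection defeats the balance-inflation trick described above: each stored balance carries an HMAC tag bound to the account id (standing in for the format-preserving field-level encryption Bower describes), and a journal reconciliation acts as a second, independent control. The key, account id and amounts are constructed for the demo.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed demo key; a real deployment would keep it in an HSM or key service.
FIELD_KEY = b"demo-field-protection-key"


class TamperAlarm(Exception):
    """Raised when a balance is used whose tag no longer matches it."""


def field_tag(account_id: str, balance: Decimal) -> str:
    """Tag bound to both the account id and the balance, so neither can be swapped alone."""
    return hmac.new(FIELD_KEY, f"{account_id}|{balance:.2f}".encode(), hashlib.sha256).hexdigest()


def post(ledger: dict, journal: list, account_id: str, amount: Decimal) -> None:
    """The only legitimate path for changing a balance: verify the tag, journal the entry, re-tag."""
    row = ledger[account_id]
    if not hmac.compare_digest(row["tag"], field_tag(account_id, row["balance"])):
        raise TamperAlarm(f"{account_id}: stored balance does not match its integrity tag")
    new_balance = row["balance"] + amount
    journal.append((account_id, amount))
    ledger[account_id] = {"balance": new_balance, "tag": field_tag(account_id, new_balance)}


def tag_alarms(ledger: dict) -> list:
    """Control 1: accounts whose stored balance fails tag verification."""
    return sorted(a for a, row in ledger.items()
                  if not hmac.compare_digest(row["tag"], field_tag(a, row["balance"])))


def reconciliation_alarms(ledger: dict, journal: list) -> list:
    """Control 2: accounts whose stored balance differs from the sum of journalled entries."""
    expected = {}
    for account_id, amount in journal:
        expected[account_id] = expected.get(account_id, Decimal("0")) + amount
    return sorted(a for a, row in ledger.items()
                  if row["balance"] != expected.get(a, Decimal("0")))


def demo():
    """Replays the article's scenario: £1,000 inflated to £10,000, then £9,000 withdrawn."""
    ledger, journal = {}, []
    ledger["ACC-1"] = {"balance": Decimal("0"), "tag": field_tag("ACC-1", Decimal("0"))}
    post(ledger, journal, "ACC-1", Decimal("1000"))       # the customer's genuine balance
    ledger["ACC-1"]["balance"] = Decimal("10000")          # direct edit of the stored field, bypassing post()
    try:
        post(ledger, journal, "ACC-1", Decimal("-9000"))  # withdrawal of the surplus through the normal path
        alarmed = False
    except TamperAlarm:
        alarmed = True
    return alarmed, tag_alarms(ledger), reconciliation_alarms(ledger, journal)
```

Storage-level encryption would not help here: the edit is made by a process that already holds decrypted data, whereas the per-field tag makes the withdrawal itself fail and the inflated balance visible to both checks.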
The perception that hackers will inevitably be able to breach a company’s outer defences was widespread. However, some security experts believe this does not necessarily mean large losses are inevitable. Attackers are vulnerable at the point of entry, since their initial moves may be detected as hostile. Even if this is not the case, their access once in can also be restricted, preventing them from carrying out a complex attack.
“Enterprises need to increasingly lock down the communications and patterns of their server, lower the attack surface available through open ports and communications channels, and reduce the lateral spread of attacks,” added Alan Cohen, CCO at Illumio. “Modern security teams know hackers will get in. So, they watch them. When you reduce the real estate that the hackers have the ability to move in, it also reduces the overhead on the security teams who are watching them so they have a higher probability of catching issues just by virtue of having less attack space to monitor. It’s like having a choice to fight a battle with your enemy on an open field where they could outflank you, or pushing them into a narrow canyon where you have the high ground. The probability of winning the battle increases.”
The full Kaspersky report can be read here.