In an isolated incident in late 2013, an ATM in Kiev started dispensing cash at random without any human interaction, much to the surprise and delight of the customers present, who swiftly collected the cash.
An investigation by Kaspersky Lab, a Russian cybersecurity firm, confirmed that the ATM itself was not the bank's problem; rather, the bank's internal computers had been breached by malware that recorded every move of the bank's employees. The malware had been inside the bank's systems for months, tracking how employees did their work and sending video feeds back to the hackers.
The cyber criminals impersonated bank officers, activated various cash machines and transferred millions of dollars from banks across Russia, Japan, Switzerland, the US and the Netherlands into dummy accounts in other countries.
The attack started with infected emails which, when opened by bank employees, downloaded malicious code. The code crawled across the bank's network and identified the employees who controlled cash transfer systems.
The code also installed a RAT (remote access tool) to capture video and screenshots of employees' computers so that the attackers could mimic their activities. The attackers then set up fake accounts in the United States and China to collect the transferred cash. Two of the banks holding fake accounts were J.P. Morgan Chase and the Agricultural Bank of China.
In other cases, they ordered a bank's ATM to dispense cash at a time when one of their associates would be waiting to collect it.
One Kaspersky client lost $7.3 million through ATM withdrawals alone. The theft could be one of the largest bank thefts ever, spanning 100 banks in 30 countries, according to the Kaspersky Lab report to be published on Monday in the New York Times.
A rough estimate puts the amount lost at around $300 million, but it is quite possible that the real figure is three times that estimate. However, the amount lost is impossible to verify, the report said.
Nondisclosure agreements with the banks do not allow the cybersecurity firm, which has briefed the White House and the FBI about the breach, to name them. None of the affected banks has come forward to acknowledge the theft. The silence could well be attributed to the banks' reluctance to admit flaws in their security systems.
“Our members are aware of this activity. We have disseminated intelligence on this attack to the members. Some briefings were also provided by law enforcement entities,” said the Financial Services Information Sharing and Analysis Center, an industry consortium that alerts banks to malicious activity.
The countries from which the money was siphoned included Russia, Japan, Europe and the US. The attack, attributed to the "Carbanak cybergang" and named after the malware it deployed, highlights the increasing sophistication of cyber criminals.
"This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert," said Chris Doggett, the managing director of the Kaspersky North America office in Boston.