Bank Hackers Steal Millions via Malware
2015-02-14 20:25:16.866 GMT
By DAVID E. SANGER and NICOLE PERLROTH
(New York Times) -- PALO ALTO, Calif. — In late 2013, an
A.T.M. in Kiev started dispensing cash at seemingly random times
of day. No one had put in a card or touched a button. Cameras
showed that the piles of money had been swept up by customers who
appeared lucky to be there at the right moment.
But when a Russian cybersecurity firm, Kaspersky Lab, was
called to Ukraine to investigate, it discovered that the errant
machine was the least of the bank’s problems.
The bank’s internal computers, used by employees who process
daily transfers and conduct bookkeeping, had been penetrated by
malware that allowed cybercriminals to record their every move.
The malicious software lurked for months, sending back video
feeds and images that told a criminal group — including Russians,
Chinese and Europeans — how the bank conducted its daily
routines, according to the investigators.
Then the group impersonated bank officers, not only turning
on various cash machines, but also transferring millions of
dollars from banks in Russia, Japan, Switzerland, the United
States and the Netherlands into dummy accounts set up in other
countries.
In a report to be published on Monday, and provided in
advance to The New York Times, Kaspersky Lab says that the scope
of this attack on more than 100 banks and other financial
institutions in 30 nations could make it one of the largest bank
thefts ever — and one conducted without the usual signs of
robbery.
The Moscow-based firm says that because of nondisclosure
agreements with the banks that were hit, it cannot name them.
Officials at the White House and the F.B.I. have been briefed on
the findings, but say that it will take time to confirm them and
assess the losses.
Kaspersky Lab says it has seen evidence of $300 million in
theft from clients, and believes the total could be triple that.
But that projection is impossible to verify because the thefts
were limited to $10 million a transaction, though some banks were
hit several times. In many cases the hauls were more modest,
presumably to avoid setting off alarms.
The majority of the targets were in Russia, but many were in
Japan, the United States and Europe.
No bank has come forward acknowledging the theft, a common
problem that President Obama alluded to on Friday when he
attended the first White House summit meeting on cybersecurity
and consumer protection at Stanford University. He urged passage
of a law that would require public disclosure of any breach that
compromised personal or financial information.
But the industry consortium that alerts banks to malicious
activity, the Financial Services Information Sharing and Analysis
Center, said in a statement that “our members are aware of this
activity. We have disseminated intelligence on this attack to the
members,” and that “some briefings were also provided by law
enforcement entities.”
The American Bankers Association declined to comment, and an
executive there, Douglas Johnson, said the group would let the
financial services center’s statement serve as the only comment.
Investigators at Interpol said their digital crimes
specialists in Singapore were coordinating an investigation with
law enforcement in affected countries. In the Netherlands, the
Dutch High Tech Crime Unit, a division of the Dutch National
Police that investigates some of the world’s most advanced
financial cybercrime, has also been briefed.
The silence around the investigation appears motivated in
part by the reluctance of banks to concede that their systems
were so easily penetrated, and in part by the fact that the
attacks appear to be continuing.
The managing director of the Kaspersky North America office
in Boston, Chris Doggett, argued that the “Carbanak cybergang,”
named for the malware it deployed, represents an increase in the
sophistication of cyberattacks on financial firms.
“This is likely the most sophisticated attack the world has
seen to date in terms of the tactics and methods that
cybercriminals have used to remain covert,” Mr. Doggett said.
As in the recent attack on Sony Pictures, which Mr. Obama
said again on Friday had been conducted by North Korea, the
intruders in the bank thefts were enormously patient, placing
surveillance software in the computers of system administrators
and watching their moves for months. The evidence suggests this
was not a nation state, but a specialized group of
cybercriminals.
But the question remains how a fraud of this scale could
have proceeded for nearly two years without banks, regulators or
law enforcement catching on. Investigators say the answers may
lie in the hackers’ technique.
In many ways, this hack began like any other. The
cybercriminals sent their victims infected emails — a news clip
or message that appeared to come from a colleague — as bait. When
the bank employees clicked on the email, they inadvertently
downloaded malicious code. That allowed the hackers to crawl
across a bank’s network until they found employees who
administered the cash transfer systems or remotely connected
A.T.M.s.
Then, Kaspersky’s investigators said, the thieves installed
a “RAT”— remote access tool — that could capture video and
screenshots of the employees’ computers.
“The goal was to mimic their activities,” said Sergey
Golovanov, who conducted the inquiry for Kaspersky Lab. “That
way, everything would look like a normal, everyday transaction,”
he said in a telephone interview from Russia.
The attackers took great pains to learn each bank’s
particular system, while they set up fake accounts at banks in
the United States and China that could serve as the destination
for transfers. Two people briefed on the investigation said that
the accounts were set up at J.P. Morgan Chase and the
Agricultural Bank of China. Neither bank returned requests for
comment.
Kaspersky Lab was founded in 1997 and has become one of
Russia’s most recognized high-tech exports, but its market share
in the United States has been hampered by its origins. Its
founder, Eugene Kaspersky, studied cryptography at a high school
that was co-sponsored by the K.G.B. and Russia’s Defense
Ministry, and he worked for the Russian military before starting
his firm.
When the time came to cash in on their activities — a period
investigators say ranged from two to four months — the criminals
pursued multiple routes. In some cases, they used online banking
systems to transfer money to their accounts. In other cases, they
ordered the banks’ A.T.M.s to dispense cash to terminals where
one of their associates would be waiting.
But the largest sums were stolen by hacking into a bank’s
accounting systems and briefly manipulating account balances.
Using the access gained by impersonating the banking officers,
the criminals first would inflate a balance — for example, an
account with $1,000 would be altered to show $10,000. Then $9,000
would be transferred outside the bank. The actual account holder
would not suspect a problem, and it would take the bank some time
to figure out what had happened.
“We found that many banks only check the accounts every 10
hours or so,” Mr. Golovanov of Kaspersky Lab said. “So in the
interim, you could change the numbers and transfer the money.”
The hackers’ success rate was impressive. One Kaspersky
client lost $7.3 million through A.T.M. withdrawals alone, the
firm says in its report. Another lost $10 million from the
exploitation of its accounting system. In some cases, transfers
were run through the system operated by the Society for Worldwide
Interbank Financial Telecommunication, or Swift, which banks use
to transfer funds across borders. It has long been a target for
hackers — and long been monitored by intelligence agencies.
Mr. Doggett likened most cyberthefts to “Bonnie and Clyde”
operations, in which attackers break in, take whatever they can
grab, and run. In this case, Mr. Doggett said, the heist was
“much more ‘Ocean’s Eleven.’ ”
Copyright 2015 The New York Times Company
-0- Feb/14/2015 20:25 GMT
2015-02-14 20:25:16.866 GMT
By DAVID E. SANGER and NICOLE PERLROTH
(New York Times) -- PALO ALTO, Calif. — In late 2013, an
A.T.M. in Kiev started dispensing cash at seemingly random times
of day. No one had put in a card or touched a button. Cameras
showed that the piles of money had been swept up by customers who
appeared lucky to be there at the right moment.
But when a Russian cybersecurity firm, Kaspersky Lab, was
called to Ukraine to investigate, it discovered that the errant
machine was the least of the bank’s problems.
The bank’s internal computers, used by employees who process
daily transfers and conduct bookkeeping, had been penetrated by
malware that allowed cybercriminals to record their every move.
The malicious software lurked for months, sending back video
feeds and images that told a criminal group — including Russians,
Chinese and Europeans — how the bank conducted its daily
routines, according to the investigators.
Then the group impersonated bank officers, not only turning
on various cash machines, but also transferring millions of
dollars from banks in Russia, Japan, Switzerland, the United
States and the Netherlands into dummy accounts set up in other
countries.
In a report to be published on Monday, and provided in
advance to The New York Times, Kaspersky Lab says that the scope
of this attack on more than 100 banks and other financial
institutions in 30 nations could make it one of the largest bank
thefts ever — and one conducted without the usual signs of
robbery.
The Moscow-based firm says that because of nondisclosure
agreements with the banks that were hit, it cannot name them.
Officials at the White House and the F.B.I. have been briefed on
the findings, but say that it will take time to confirm them and
assess the losses.
Kaspersky Lab says it has seen evidence of $300 million in
theft from clients, and believes the total could be triple that.
But that projection is impossible to verify because the thefts
were limited to $10 million a transaction, though some banks were
hit several times. In many cases the hauls were more modest,
presumably to avoid setting off alarms.
The majority of the targets were in Russia, but many were in
Japan, the United States and Europe.
No bank has come forward acknowledging the theft, a common
problem that President Obama alluded to on Friday when he
attended the first White House summit meeting on cybersecurity
and consumer protection at Stanford University. He urged passage
of a law that would require public disclosure of any breach that
compromised personal or financial information.
But the industry consortium that alerts banks to malicious
activity, the Financial Services Information Sharing and Analysis
Center, said in a statement that “our members are aware of this
activity. We have disseminated intelligence on this attack to the
members,” and that “some briefings were also provided by law
enforcement entities.”
The American Bankers Association declined to comment, and an
executive there, Douglas Johnson, said the group would let the
financial services center’s statement serve as the only comment.
Investigators at Interpol said their digital crimes
specialists in Singapore were coordinating an investigation with
law enforcement in affected countries. In the Netherlands, the
Dutch High Tech Crime Unit, a division of the Dutch National
Police that investigates some of the world’s most advanced
financial cybercrime, has also been briefed.
The silence around the investigation appears motivated in
part by the reluctance of banks to concede that their systems
were so easily penetrated, and in part by the fact that the
attacks appear to be continuing.
The managing director of the Kaspersky North America office
in Boston, Chris Doggett, argued that the “Carbanak cybergang,”
named for the malware it deployed, represents an increase in the
sophistication of cyberattacks on financial firms.
“This is likely the most sophisticated attack the world has
seen to date in terms of the tactics and methods that
cybercriminals have used to remain covert,” Mr. Doggett said.
As in the recent attack on Sony Pictures, which Mr. Obama
said again on Friday had been conducted by North Korea, the
intruders in the bank thefts were enormously patient, placing
surveillance software in the computers of system administrators
and watching their moves for months. The evidence suggests this
was not a nation state, but a specialized group of
cybercriminals.
But the question remains how a fraud of this scale could
have proceeded for nearly two years without banks, regulators or
law enforcement catching on. Investigators say the answers may
lie in the hackers’ technique.
In many ways, this hack began like any other. The
cybercriminals sent their victims infected emails — a news clip
or message that appeared to come from a colleague — as bait. When
the bank employees clicked on the email, they inadvertently
downloaded malicious code. That allowed the hackers to crawl
across a bank’s network until they found employees who
administered the cash transfer systems or remotely connected
A.T.M.s.
Then, Kaspersky’s investigators said, the thieves installed
a “RAT”— remote access tool — that could capture video and
screenshots of the employees’ computers.
“The goal was to mimic their activities,” said Sergey
Golovanov, who conducted the inquiry for Kaspersky Lab. “That
way, everything would look like a normal, everyday transaction,”
he said in a telephone interview from Russia.
The attackers took great pains to learn each bank’s
particular system, while they set up fake accounts at banks in
the United States and China that could serve as the destination
for transfers. Two people briefed on the investigation said that
the accounts were set up at J.P. Morgan Chase and the
Agricultural Bank of China. Neither bank returned requests for
comment.
Kaspersky Lab was founded in 1997 and has become one of
Russia’s most recognized high-tech exports, but its market share
in the United States has been hampered by its origins. Its
founder, Eugene Kaspersky, studied cryptography at a high school
that was co-sponsored by the K.G.B. and Russia’s Defense
Ministry, and he worked for the Russian military before starting
his firm.
When the time came to cash in on their activities — a period
investigators say ranged from two to four months — the criminals
pursued multiple routes. In some cases, they used online banking
systems to transfer money to their accounts. In other cases, they
ordered the banks’ A.T.M.s to dispense cash to terminals where
one of their associates would be waiting.
But the largest sums were stolen by hacking into a bank’s
accounting systems and briefly manipulating account balances.
Using the access gained by impersonating the banking officers,
the criminals first would inflate a balance — for example, an
account with $1,000 would be altered to show $10,000. Then $9,000
would be transferred outside the bank. The actual account holder
would not suspect a problem, and it would take the bank some time
to figure out what had happened.
“We found that many banks only check the accounts every 10
hours or so,” Mr. Golovanov of Kaspersky Lab said. “So in the
interim, you could change the numbers and transfer the money.”
The hackers’ success rate was impressive. One Kaspersky
client lost $7.3 million through A.T.M. withdrawals alone, the
firm says in its report. Another lost $10 million from the
exploitation of its accounting system. In some cases, transfers
were run through the system operated by the Society for Worldwide
Interbank Financial Telecommunication, or Swift, which banks use
to transfer funds across borders. It has long been a target for
hackers — and long been monitored by intelligence agencies.
Mr. Doggett likened most cyberthefts to “Bonnie and Clyde”
operations, in which attackers break in, take whatever they can
grab, and run. In this case, Mr. Doggett said, the heist was
“much more ‘Ocean’s Eleven.’ ”
Copyright 2015 The New York Times Company
-0- Feb/14/2015 20:25 GMT