Although he denied saying it, infamous bank robber Willie Sutton is quoted as answering the question “Why do you rob banks?” with “because that’s where the money is.” Whether or not he said it, it makes sense, and it seems a gang of cybercriminals has been following the same premise for the past few years, raking in approximately a billion dollars that they’ve stolen from as many as a hundred banks and other financial institutions throughout the world.
The details were revealed this week in a report from Kaspersky Labs, which first got involved in tracking down how the attacks were happening back in 2013 when an automatic teller machine in Kiev was compromised in a high profile incident in which the ATM began to dispense money without any user action.
Targeting banks themselves, rather than their users, seems logical but there are also obvious drawbacks. As in Sutton’s day, banks typically have tighter security than most potential victims, precisely because that’s where so much of the money is. It takes a very bold and a very sophisticated criminal – or in this case, criminal network – to go straight to the source in this way and be able to bypass its security systems. Because these attacks didn’t involve compromising users or taking advantage of user laxity regarding security, there is little that the end users could do to prevent them.
The group of criminals responsible for these attacks, with members spread across Russia, China and Ukraine, certainly fit that description. Kaspersky calls the gang Carbanak, and they have worked together to attack financial institutions in as many as 30 different countries, including the United States and Canada.
The scope of the attacks has been like something out of the movies, with the attackers able to infiltrate the banks’ systems and transfer funds between different accounts as well as taking control of ATMs remotely. The method used to penetrate the systems began routinely enough, with the sending of infected email disguised to appear to be from a trusted coworker. After that, it gets more sophisticated; the criminals were able to use RAT (remote access tool) malware to conduct video surveillance and capture screenshots, and record all of the transactions made by bank employees as they processed transfers and then glean from that information regarding how the process worked. They pretended to be officers of the banks and they set up dummy accounts in various countries, where they transferred money taken from the victim accounts.
An ingenuous part of the plan involved transferring money into users’ accounts, then making withdrawals so that the balance returned to the expected amount, so that most users would never even notice that anything had happened and the users themselves didn’t suffer any loss (and thus were less likely to report the wayward transaction even if they did notice it). The criminals also limited the individual transactions to no more than $10 million, which – although that might seem like a noticeable amount to most of us – allowed them to fly under the radar and avoid setting off alarms in the banking software.
According to Kaspersky, this prolonged attack qualifies as one of the biggest bank thefts in history (it isn’t legally classified as a robbery because the offense of robbery requires a physical threat or assault to accompany the theft). The banking industry itself has been somewhat closed-mouth; none of the banks that were affected has admitted to being a target and there is no U.S. law at this time requiring public disclosure when a breach of this nature occurs. The American Bankers Association isn’t talking about it, either. Kaspersky can’t reveal the names of the banks due to non-disclosure agreements. Law enforcement agencies are investigating; the FBI has reportedly been briefed and Interpol has its digital crimes investigators on the case.
There are several troubling aspects to this case. Not knowing which banks were hit is a bit unnerving for bank customers, but probably the most concerning thing is the length of time over which the attacks were carried about without being detected. One thing is certain: this is more evidence that cyber criminals are becoming better at what they do, and are increasingly formidable foes as they develop new ways to get into even the most high security networks.