A group of hackers were able to penetrate at least 30 financial institutions around the world and steal upwards of one billion dollars, making this attack one of the most advanced the world has yet seen.
According to a report published by security firm Kaspersky Lab and sent to the New York Times, the cyber criminals, who have since been named the “Carbanak cybergang,” used phishing emails to first penetrate the banks’ computer networks as many as two years ago.
Upon successful infiltration, the hackers moved laterally across the banks’ networks until they located the employees responsible for administering cash transfer systems or remotely connected ATMs. They then installed a remote access tool (RAT) onto the computer networks, allowing them to take screenshots of employees’ computers.
In the meantime, the Carbanak cybergang set up at least two fake bank accounts, one at JPMorgan Chase and another at the Agricultural Bank of China, in preparation for their next move.
Kaspersky Lab was first alerted to the hacker group when the security service of an Eastern European bank reported that its ATMs were dispensing money to a thief who, according to Sergey Lozhkin, a researcher at the security firm, was not pressing any buttons and did not even have an ATM card.
Subsequent research conducted by Kaspersky has revealed that the hackers withdrew at least $300 million from the affected banks using a variety of methods. For some, they used money mules to transfer funds to their accounts via the Society for Worldwide Interbank Financial Telecommunication, or SWIFT; for others, the criminals hacked into the banks’ accounting systems, inflated the reported account balances, and withdrew the excess funds before anyone knew what had happened.
Most of the hacks occurred in Russia, but others occurred in the United States, Japan, Switzerland, and the Netherlands.
The hackers’ means of attack mark a new stage in cyber theft, Kaspersky Lab remarks in its report, one in which “malicious users [can] steal money directly from banks and avoid targeting end users.”
Kaspersky Lab has a non-disclosure agreement with all of the affected banks to protect their identities as the security firm proceeds with its investigation.
Initial reports suggest some of the attacks may still be ongoing, which means that the total reported losses attributable to the cyber criminal group might increase.