According to researchers, hackers have hit more than 100 financial institutions in 30 countries.
In what would appear to be a heist right out of a Hollywood script, a group of digital thieves has carried out malware attacks that stole at least $300 million from banks and other financial institutions in 30 countries. According to The New York Times, the breach could prove to be one of the largest bank thefts ever, if not the largest.
Kaspersky Lab, a Russia-based cybersecurity firm that investigated the string of thefts, has published a report on its findings. According to The Times article, researchers discovered that the hackers, dubbed the “Carbanak cybergang,” hit more than 100 establishments dating back to 2013. While the band of cyber criminals focused primarily on banks in Russia, millions of dollars were also taken from banks in Japan, the Netherlands, Switzerland and the United States. The money was transferred to bank accounts around the world in small amounts to avoid detection.
The amount that Kaspersky has evidence of could potentially be three times more than initial projections. What’s worse, the firm says that the attacks may still be taking place. “That projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.”
To carry out the crimes, according to the report, the hackers sent emails containing a malware program called Carbanak to hundreds of bank employees, hoping to infect a bank’s administrative computer. Programs installed by the malware recorded keystrokes and took screenshots of the bank’s computers, so that the hackers could learn bank procedures. They also enabled the criminals to control the banks’ computers remotely. By mimicking the bank procedures they had learned, the group directed the banks’ computers to steal money in a variety of ways.
Hackers managed to steal the money in all sorts of creative ways, Kaspersky Managing Director Christopher Doggett revealed. For instance, the group took $7.3 million by reprogramming a single bank’s ATMs, while another bank lost $10 million from its hacked online platform alone. The hackers were deep enough in the banks’ computer systems to obtain sensitive customer information, and they also managed to acquire the secret keys that ATMs use to make sure your PIN is valid, Kaspersky added.
“In some cases, transfers were run through the system operated by the Society for Worldwide Interbank Financial Telecommunication, or Swift, which banks use to transfer funds across borders. It has long been a target for hackers — and long been monitored by intelligence agencies.”
At the moment, both the White House and the FBI have been briefed on the researchers’ findings, and Interpol is coordinating an investigation. This incident follows last year’s news of a cyber group using a piece of malware, Backdoor.MSIL.Tyupkin, to steal millions in cash from ATMs around the world without having to use a credit or debit card. Kaspersky Lab discovered that security breach as well.
Kaspersky researchers have traced the crime back to groups in Russia, China and Eastern Europe, and noted that they mainly targeted Russian-speaking banks with malware-laced emails in Russian.
“These attacks again underline the fact that criminals will exploit any vulnerability in any system,” said Sanjay Virmani, Director of Interpol’s Digital Crime Centre. “It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures.”
Could this have been mitigated? Had tiny, inexpensive and ultra-secure hardware CryptoAuthentication devices been implemented, each time the software booted, it would have been checked for authenticity. Every time. No exceptions. Even the slightest deviance from the original code would be detected by the CryptoAuthentication protected system and the bad code would be unable to load. If the bad code doesn’t load, the account information cannot get into the hands of thieves, and the robberies could not happen. Period.
“The protection provided by CryptoAuthentication is built directly into the device, and it is secured in hardened, tested hardware. Hardware protection beats software protection every time. That is because software is always subject to bugs, tampering and malware, just as these attacks are proving. Again and again and again,” explained Atmel resident security expert Bill Boldt.
The defense mechanism proposed here is extremely straightforward, and goes by the unimaginative yet highly descriptive name of “Secure Boot.” Though simple, given that it is hardware-based, it is incredibly strong.
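As an added illustration of the secure-boot check described above (this is constructed example code, not Atmel’s CryptoAuthentication firmware or API), the model below keeps a verification key inside a simulated tamper-resistant chip that only answers “genuine or not,” and the boot loader refuses to load any image, however slightly altered, that fails that check. It uses a simplified symmetric SHA-256 MAC; the firmware text and keys are constructed sample values.

```python
"""Software model of hardware-anchored secure boot (constructed example)."""
import hashlib
import hmac
import secrets


class HardwareRootOfTrust:
    """Models a tamper-resistant chip: the key is provisioned once, never
    read out by the host, and the only exposed operation is a constant-time
    check of an image digest against a stored MAC."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # assumption: burned in at manufacture, not exportable

    def verify(self, image: bytes, expected_mac: bytes) -> bool:
        digest = hashlib.sha256(image).digest()
        mac = hmac.new(self._key, digest, "sha256").digest()
        return hmac.compare_digest(mac, expected_mac)


def sign_image(signing_key: bytes, image: bytes) -> bytes:
    """Vendor release step: compute the MAC that ships alongside the image."""
    return hmac.new(signing_key, hashlib.sha256(image).digest(), "sha256").digest()


def secure_boot(rot: HardwareRootOfTrust, image: bytes, mac: bytes) -> str:
    """Boot-loader decision: load only an image the chip vouches for."""
    if rot.verify(image, mac):
        return "LOADED"
    return "HALTED: firmware failed authenticity check"


def demo() -> dict:
    key = secrets.token_bytes(32)                 # constructed provisioning key
    rot = HardwareRootOfTrust(key)
    firmware = b"ATM application v1.0 (constructed sample image)"
    mac = sign_image(key, firmware)

    # Someone who rewrites flash cannot produce a valid MAC without the chip's
    # key; even a single flipped bit in the image is rejected at boot.
    tampered = bytearray(firmware)
    tampered[0] ^= 0x01
    forged_mac = sign_image(secrets.token_bytes(32), bytes(tampered))

    return {
        "genuine": secure_boot(rot, firmware, mac),
        "tampered": secure_boot(rot, bytes(tampered), mac),
        "forged_mac": secure_boot(rot, bytes(tampered), forged_mac),
    }
```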
“And, that is the lesson,” Boldt adds. “One would think that financial institutions should know by now that they need to harden the targets with hardware, and not leave themselves and their customers exposed.”
Interested in learning more about the attack? You can read the entire New York Times writeup. Meanwhile, with security at our core, Atmel’s hardware-based solutions can protect every system and embedded design. Start safeguarding today.