How 100 Banks Got Hacked And Lost $900 Million

Over 100 banks worldwide have been hit in a cyberheist that Russian cybersecurity firm Kaspersky Lab estimates could have netted as much as $900 million in stolen funds.

The massive theft was discovered in late 2013 when an ATM in Kiev went crazy and started dispensing cash at apparently random intervals throughout the day, despite the fact that no one had touched the machine. Further investigation by Kaspersky indicated that a cash machine gone wild and dropping piles of cash with little-to-no prompting was actually the absolute least of the bank’s problems. The bank’s real issue was that its internal computers had been compromised by malware.

That malware lurked on the back end of the bank’s computer systems for months, sending back video feeds and images that gave a gang of cybercriminals a wealth of information about how the bank carried out its daily routines, according to the investigators.

And this was not an isolated incident, according to Kaspersky’s report (which The New York Times had an opportunity to preview). This international criminal syndicate – with members hailing from China, Russia and Europe – was able to successfully impersonate bank officers at over 100 banks around the world. The group was able to do far more than just turn on various cash machines; they also managed to transfer millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.

How did they do it?

The attacks started with a good old-fashioned phishing campaign. Large numbers of bank employees were sent emails with enticing-looking content that carried a malware program called Carbanak. Opening the lure infected one computer inside the bank; from there the attackers worked progressively across the network until they gained access to an administrator’s computer.

Once in, tools installed by the malware recorded keystrokes and took screenshots of the bank’s computers. This gave the hackers a chance to study bank procedures and, in time, to gain remote access to and take control of the bank’s systems.

Once aware of the bank’s procedures, cybercriminals were then able to steal by transferring money into fraudulent bank accounts, using e-payment systems to send money to fraudulent accounts overseas and directing ATMs to dispense money at set times and locations.

“This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert,” said Chris Doggett, managing director of the Kaspersky North America office in Boston.

Doggett further told The Times that the “Carbanak cybergang” represents an increase in the sophistication of the attacks financial firms should expect in the future.

Much like the recent attack on Sony Pictures, the thieves here were playing out a long con, spending months watching the computers of systems administrators without making a move.

“The goal was to mimic their activities,” said Sergey Golovanov, who conducted the inquiry for Kaspersky Lab. “That way, everything would look like a normal, everyday transaction,” he said in a telephone interview with The New York Times from Russia.

The attackers took great pains to learn each bank’s particular system while they set up fake accounts at banks in the United States and China that could serve as the destination for transfers. Those accounts were set up at J.P. Morgan Chase and the Agricultural Bank of China, according to sources briefed on the investigation. Neither bank returned requests for comment.

That puts them in good company in this story, since “no comment” has been the common response from those asked about this latest and clearly widespread hack.

Kaspersky Lab says that the scope of this attack affects more than 100 banks and other financial institutions in 30 nations. The Moscow-based firm further says that it has seen evidence of $300 million in theft through clients (which it cannot name due to non-disclosure agreements) and believes the total could be triple that.

However, even that projection is basically a guess, because the thefts were limited to $10 million a transaction and some banks were hit several times. The White House and the FBI have been briefed on the findings, but they say that it will take time to confirm them and assess the losses. So far, this is believed to have been the work of criminals, not a nation-state, unlike the Sony Pictures/North Korea hack. The majority of the targets were in Russia, though Japan, the United States and Europe also were home to many breached organizations.

So far no bank has come forward acknowledging the theft, but the Financial Services Information Sharing and Analysis Center noted in a statement that “our members are aware of this activity. We have disseminated intelligence on this attack to the members,” and that “some briefings were also provided by law enforcement entities.”

The Times notes that the silence around the investigation appears motivated in part by the reluctance of banks to acknowledge that their systems were so easily breached, especially since it appears that the attacks may still be ongoing.

To cash out, which the lab estimates the criminal syndicate did after about two to four months of surveillance, criminals pursued multiple routes.

The largest sums were stolen by hacking into a bank’s accounting systems and taking advantage of the bank’s schedule for checking account figures.

“We found that many banks only check the accounts every 10 hours or so,” Mr. Golovanov of Kaspersky Lab said. “So in the interim, you could change the numbers and transfer the money.”

Using access gained by impersonating bank officers, the criminals would first inflate an existing balance: an account holding $1,000 would be pumped up to $10,000. Then $9,000 would be transferred out of the bank. The account holder, whose balance still read $1,000, was never the wiser, and the bank could not immediately see the problem.
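The balance-inflation trick works only because nothing ties the stored balance back to the postings that are supposed to justify it, and because that tie is checked only every 10 hours or so. The following is an added example, not Kaspersky’s findings or any bank’s code: a simplified ledger model in which every legitimate balance change is backed by a posting, with two checks against it. The first is the periodic reconciliation the article describes; the second is a per-transaction check that would have caught the $9,000 wire the moment it was posted rather than hours later. The account names, posting references and amounts are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Posting:
    """One ledger entry. Positive amounts credit the account, negative debit it."""
    account: str
    amount: Decimal
    ts: datetime
    ref: str


@dataclass(frozen=True)
class Account:
    account: str
    opening_balance: Decimal
    stored_balance: Decimal  # the figure the core banking system currently displays


def ledger_balance(acct: Account, postings: Iterable[Posting]) -> Decimal:
    """Balance implied by the ledger alone: opening balance plus all postings."""
    total = sum((p.amount for p in postings if p.account == acct.account), Decimal("0"))
    return acct.opening_balance + total


def reconcile(accounts: Iterable[Account], postings: List[Posting]) -> Dict[str, Decimal]:
    """Periodic check: stored balance minus ledger-derived balance, for every
    account where the two disagree. A direct edit of the stored figure has no
    posting behind it, so it surfaces here as a non-zero difference."""
    diffs: Dict[str, Decimal] = {}
    for acct in accounts:
        delta = acct.stored_balance - ledger_balance(acct, postings)
        if delta != 0:
            diffs[acct.account] = delta
    return diffs


def unfunded_debits(acct: Account, postings: List[Posting]) -> List[str]:
    """Per-transaction check that does not wait for the periodic reconciliation:
    replay the account's postings in time order and flag any debit that the
    ledger-derived running balance cannot cover. Assumes no overdraft facility
    (an assumption of this example, not a statement about any real bank)."""
    running = acct.opening_balance
    flagged: List[str] = []
    own = sorted((p for p in postings if p.account == acct.account), key=lambda p: p.ts)
    for p in own:
        running += p.amount
        if p.amount < 0 and running < 0:
            flagged.append(p.ref)
    return flagged


# Constructed sample data (not from any real bank). ACC-1001 legitimately holds
# $1,000. The attacker edits the stored balance to $10,000 without a posting,
# then wires $9,000 out; the wire is posted like any other transfer, so the
# stored balance reads $1,000 again and the account holder sees nothing odd.
# ACC-2002 is an untouched account with one ordinary deposit.
T0 = datetime(2014, 6, 1, 9, 0)
ACCOUNTS = [
    Account("ACC-1001", Decimal("1000"), Decimal("1000")),  # manipulated
    Account("ACC-2002", Decimal("500"), Decimal("700")),    # untouched
]
POSTINGS = [
    Posting("ACC-2002", Decimal("200"), T0, "DEP-1"),
    Posting("ACC-1001", Decimal("-9000"), T0 + timedelta(hours=3), "WIRE-77"),
]

if __name__ == "__main__":
    # Periodic reconciliation: ACC-1001 is $9,000 richer than its ledger says.
    print(reconcile(ACCOUNTS, POSTINGS))
    # Per-transaction check: the outbound wire was never funded by a posting.
    for acct in ACCOUNTS:
        print(acct.account, unfunded_debits(acct, POSTINGS))
```

The stored balance looks normal after the cash-out, which is exactly why a reconciliation that runs only every 10 hours leaves a window; replaying the ledger at posting time closes it, since the $9,000 debit drives the ledger-derived balance to -$8,000 regardless of what the stored figure says.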

Mr. Doggett further told The Times that while most cyberthefts are “Bonnie and Clyde” “smash and grab” operations — in which attackers break in, take whatever they can grab and flee — that is not true of this latest breach. In this case, Mr. Doggett said, the heist was “much more ‘Ocean’s Eleven.’”