A hacking gang is suspected of stealing vast sums from banks worldwide for two years with apparent ease.
How can a repeat be averted?
Might I remind you of this:
Good news! A major hack you don’t have to worry about! Unless, that is, you happen to be an executive or security employee at one of the hundreds of banks targeted by the group that has come to be known as Carbanak or Anunak.
If you are, then you have a problem, because these hackers – and no doubt others to come – aren’t targeting banking consumers but the internal systems of banks, silently monitoring them and subtly defrauding them. Unlike most cybercrime, this wasn’t a hold-up, but a bank heist – the kind that could ultimately affect both consumers and governments. And that’s why we should all be paying attention.
Skill-wise, the attack is at a similar level to November’s Sony Pictures hack. (So much for the FBI’s claim that the Sony hack was unprecedentedly scary.) It was a long-term effort, professionally executed, and required a fair amount of organisation and coordination to pull off.
These aren’t just script kiddies stealing people’s credit-card numbers. The hackers managed to compromise the systems of banks, but rather than immediately grabbing information and alerting targets to their presence, they would quietly observe the inner workings and transactions for months. They were then in a position to subtly manipulate the system in order to cash out. According to a report from software-security company Kaspersky Lab, the hackers obtained up to $1 billion through dozens of attacks over the past two years.
There are several things worth noticing. One is that the initial compromises of the systems were possibly the simplest and dumbest aspects of the attacks. The hackers would enter a system through the tried-and-true method of “phishing” – sending emails to employees that purport to come from a trusted sender inside the company. (Attacking a specific organisation through this approach is called “spear phishing”.) The employee opens an attachment in the email, which immediately compromises the system.
These hacks used Windows and Office document files that, when opened, injected malware into the target’s computer, more or less giving the hackers total control.
What they did with this control, however, was more sophisticated. The hackers monitored the keystrokes of the computer and took screenshots every 20 seconds, giving them a very clear picture of the daily internal workings of a bank. And instead of attacking customer accounts, which are more closely monitored for fraud, the hackers went after internal fund mechanisms.
First, they inserted fake transactions into the SWIFT transfer network to distribute money to other banks and credit cards. Second, and rather ingeniously, they attacked ATMs directly. Seizing central control of the banks’ ATMs, they set them to spit out cash spontaneously and then had their accomplices (“money mules,” as Kaspersky terms them) visit the terminals at the right time to collect the dosh.
The exact scope of the attack is still up for debate. According to Kaspersky, the group targeted banks in 30 countries, though primarily in Russia, and obtained about $1 billion. A more detailed, earlier report from December by Group-IB and Fox-IT confined the attacks to Russia and placed the damage in the hundreds of millions.
In terms of efficiency, these attacks are vastly more impressive than most hackers can ever hope to achieve. Though the efforts required time, each individual compromise raked in $10 million. Each hack remained undetected for its duration, and some banks were compromised multiple times.
Because almost none of the money was tied to any particular customer’s account, the thefts were mostly invisible to consumers, so no individuals raised red flags.
Plus, consumers face bigger threats from the more recent Dyre and Dridex banking Trojans, which hijack browsers to obtain user credentials, even managing to defeat two-factor authentication in some cases.
For banks and other institutions, though, Carbanak’s sophisticated attacks are scary for two reasons. Along with the Sony hack, these kinds of breaches entail obtaining long-term and in-depth access to targeted systems in order to cause the most damage, financial or otherwise. That means there are two facets of security that companies need to worry about.
First, there’s that primitive initial compromise. It’s somewhat embarrassing that a phishing attack can end up compromising more or less all of a bank’s systems, but that’s exactly what happened here. There was no complicated exploit of some unknown security hole or cracking of passwords; an employee just needed to open an attachment (usually a Word document) in a phishing email, which then exploited known vulnerabilities in unpatched Office software. These vulnerabilities were patched by Microsoft years ago (most recently in March 2014).
So, at a minimum, banks need to keep their software updated with security fixes, but beyond that, they also need to scan all incoming attachments and clamp down on the ease with which employees open them.
The manipulation of the system that followed was on a whole other level. Until banks and other institutions can reliably keep their employees from opening bad links and files inside phishing emails, they must simply assume they are quite vulnerable to attack.
Secondly, given that Carbanak/Anunak’s attacks required weeks of monitoring before the group could perform its high-stakes thefts, institutions need better internal-auditing mechanisms to make sure their transactions are actually being performed by their employees, rather than by skilful remote hackers.
It’s better to assume your system is already compromised and look for evidence of unwanted manipulation than to have faith in a bulletproof outer shell, because let’s face it, if you’re getting compromised by phishing emails, you are a long way from bulletproof.
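One concrete form of the internal audit the two paragraphs above call for, written as an added example rather than anything from the article or from Kaspersky: reconcile each outgoing transfer in a payment-system log against the interactive operator sessions on the workstation it was issued from, so that a transfer with no live employee session behind it (or one issued at 2am) is surfaced for review. The log formats, field names and sample entries are all constructed for this example.

```python
from datetime import datetime, time

# Constructed sample logs (assumed formats, not real bank data).
TRANSFERS = [
    "2015-02-10T09:15:02 operator=jsmith host=WS-117 amount=250000 dest=ACC-9001",
    "2015-02-10T02:41:33 operator=jsmith host=WS-117 amount=9800000 dest=ACC-7731",
    "2015-02-10T10:22:47 operator=akumar host=WS-117 amount=430000 dest=ACC-3310",
    "2015-02-10T14:05:10 operator=akumar host=WS-204 amount=120000 dest=ACC-5502",
]
SESSIONS = [
    "2015-02-10T08:58:40 login operator=jsmith host=WS-117",
    "2015-02-10T17:30:05 logout operator=jsmith host=WS-117",
    "2015-02-10T13:50:00 login operator=akumar host=WS-204",
]

def parse_line(line):
    """Parse 'TIMESTAMP [event] key=value ...' into a dict (assumed log format)."""
    parts = line.split()
    rec = {"ts": datetime.fromisoformat(parts[0])}
    for tok in parts[1:]:
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
        else:
            rec["event"] = tok
    return rec

def build_sessions(session_lines):
    """Return {(operator, host): [(login_ts, logout_ts or None), ...]}."""
    sessions, open_sess = {}, {}
    for rec in sorted(map(parse_line, session_lines), key=lambda r: r["ts"]):
        key = (rec["operator"], rec["host"])
        if rec["event"] == "login":
            open_sess[key] = rec["ts"]
        elif rec["event"] == "logout" and key in open_sess:
            sessions.setdefault(key, []).append((open_sess.pop(key), rec["ts"]))
    for key, start in open_sess.items():  # still logged in: open-ended session
        sessions.setdefault(key, []).append((start, None))
    return sessions

def audit_transfers(transfer_lines, session_lines, hours=(time(8), time(18))):
    """Flag transfers with no covering operator session or issued out of hours."""
    sessions = build_sessions(session_lines)
    findings = []
    for rec in map(parse_line, transfer_lines):
        key, reasons = (rec["operator"], rec["host"]), []
        if not any(s <= rec["ts"] and (e is None or rec["ts"] <= e)
                   for s, e in sessions.get(key, [])):
            reasons.append("no interactive session for operator on that host")
        if not hours[0] <= rec["ts"].time() <= hours[1]:
            reasons.append("outside business hours")
        if reasons:
            findings.append((rec["dest"], int(rec["amount"]), reasons))
    return findings
```

The second transfer is caught on both rules, and the third shows the stolen-credential case: a valid operator name used from a workstation where that operator never logged in.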
This may even require setting up fake internal honeypots for thieves and other creative mechanisms, so banks can detect intrusions. Because hackers sometimes look to exploit existing latent malware already present on a network, injecting fake malware into bank networks could help to catch hackers on first contact, like a reverse Trojan horse.
Banks have every incentive to keep these attacks quiet, given that they aren’t keen on losing the confidence of customers or investors. The comparative quiet around them should not be met with complacency. The potential upside for thieves is so great that a lot of evident skill is going into these hacks, resulting in what appears to be a growing arms race between institutions and hackers with increasingly sophisticated arrays of malware and botnets, not to mention tons of time and energy. From the looks of it, the banks are pretty far behind.