Carbanak

Last updated

Carbanak is an APT-style campaign targeting (but not limited to) financial institutions, [1] that was discovered in 2014 [2] by the Russian cyber security company Kaspersky Lab. [3] It utilizes malware that is introduced into systems running Microsoft Windows [4] using phishing emails, [3] [5] which is then used to steal money from banks via macros in documents. The hacker group is said to have stolen over 900 million dollars, from the banks as well as from over a thousand private customers.

The criminals were able to manipulate their access to the respective banking networks in order to steal the money in a variety of ways. In some instances, ATMs were instructed to dispense cash without having to locally interact with the terminal. Money mules would collect the money and transfer it over the SWIFT network to the criminals’ accounts, Kaspersky said. The Carbanak group went so far as to alter databases and pump up balances on existing accounts and pocketing the difference unbeknownst to the user whose original balance is still intact. [6]

Their intended targets were primarily in Russia, followed by the United States, Germany, China and Ukraine, according to Kaspersky Lab. One bank lost $7.3 million when its ATMs were programmed to spew cash at certain times that henchmen would then collect, while a separate firm had $10 million taken via its online platform.

Kaspersky Lab is helping to assist in investigations and countermeasures that disrupt malware operations and cybercriminal activity. During the investigations they provide technical expertise such as analyzing infection vectors, malicious programs, supported command and control infrastructure and exploitation methods. [7]

FireEye published research tracking further activities, referring to the group as FIN7, including an SEC-themed spear phishing campaign. [8] Proofpoint also published research linking the group to the Bateleur backdoor, and expanded the list of targets to U.S.-based chain restaurants, hospitality organizations, retailers, merchant services, suppliers and others beyond their initial financial services focus. [9]

On 26 October 2020, PRODAFT (Switzerland) started publishing internal details of the Fin7/Carbanak group and tools they use during their operation. [10] Published information is claimed to be originated from a single OPSEC failure on the threat actor's side. [11]

On March 26, 2018, Europol claimed to have arrested the "mastermind" of the Carbanak and associated Cobalt or Cobalt Strike group in Alicante, Spain, in an investigation led by the Spanish National Police with the cooperation of law enforcement in multiple countries as well as private cybersecurity companies. The group's campaigns appear to have continued, however, with the Hudson's Bay Company breach using point of sale malware in 2018 being attributed to the group. [12]

Controversy

Some controversy exists around the Carbanak attacks, as they were seemingly described several months earlier in a report by the Internet security companies Group-IB (Singapore) and Fox-IT (The Netherlands) that dubbed the attack Anunak. [13] The Anunak report shows also a greatly reduced amount of financial losses and according to a statement issued by Fox-IT after the release of The New York Times article, the compromise of banks outside Russia did not match their research. [14] Also in an interview conducted by Russian newspaper Kommersant the controversy between the claims of Kaspersky Lab and Group-IB come to light where Group-IB claims no banks outside of Russia and Ukraine were hit, and the activity outside of that region was focused on Point of Sale systems. [15]

Reuters issued a statement referencing a Private Industry Notification issued by the FBI and USSS (United States Secret Service) claiming they have not received any reports that Carbanak has affected the financial sector. [16] Two representative groups of the US banking industry FS-ISAC and ABA (American Bankers Association) in an interview with Bank Technology News say no US banks have been affected. [17]

Related Research Articles

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.

<span class="mw-page-title-main">Kaspersky Internet Security</span> Internet security suite developed by Kaspersky Lab

Kaspersky Internet Security was an internet security suite developed by Kaspersky Lab compatible with Microsoft Windows and Mac OS X. Kaspersky Internet Security offers protection from malware, as well as email spam, phishing and hacking attempts, and data leaks. Kaspersky Lab Diagnostics results are distributed to relevant developers through the MIT License.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

<span class="mw-page-title-main">Kaspersky Lab</span> Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

In computer security, a wiper is a class of malware intended to erase the hard drive or other static memory of the computer it infects, maliciously deleting data and programs.

Careto, sometimes called The Mask, is a piece of espionage malware discovered by Kaspersky Lab in 2014. Because of its high level of sophistication and professionalism, and a target list that included diplomatic offices and embassies, Careto is believed to be the work of a nation state. Kaspersky believes that the creators of the malware were Spanish-speaking.

Agent.BTZ, also named Autorun, is a computer worm that infects USB flash drives with spyware. A variant of the SillyFDC worm, it was used in a massive 2008 cyberattack on the US military, infecting 300,000 computers.

DarkHotel is a targeted spear-phishing spyware and malware-spreading campaign that appears to be selectively attacking business hotel visitors through the hotel's in-house WiFi network. It is characterized by Kaspersky Lab as an advanced persistent threat.

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR), a view shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, Midnight Blizzard, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Fancy Bear, also known as APT28, Pawn Storm, Sofacy Group, Sednit, Tsar Team and STRONTIUM or Forest Blizzard, is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU. The UK's Foreign and Commonwealth Office as well as security firms SecureWorks, ThreatConnect, and Mandiant, have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as GRU Unit 26165. This refers to its unified Military Unit Number of the Russian army regiments. The headquarters of Fancy Bear and the entire military unit, which reportedly specializes in state-sponsored cyberattacks and decryption of hacked data, were targeted by Ukrainian drones on July 24, 2023, the rooftop on one of the buildings collapsed as a result of the explosion.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

NetTraveler or TravNet is spyware that dates from 2004 and that has been actively used at least until 2016, infecting hundreds of often high-profile servers in dozens of countries.

Charming Kitten, also called APT35, Phosphorus or Mint Sandstorm, Ajax Security, and NewsBeef, is an Iranian government cyberwarfare group, described by several companies and government officials as an advanced persistent threat.

Titanium is a very advanced backdoor malware APT, developed by PLATINUM, a cybercrime collective. The malware was uncovered by Kaspersky Lab and reported on 8 November 2019. According to Global Security Mag, "Titanium APT includes a complex sequence of dropping, downloading and installing stages, with deployment of a Trojan-backdoor at the final stage." Much of the sequence is hidden from detection in a sophisticated manner, including hiding data steganographically in a PNG image. In their announcement report, Kaspersky Lab concluded: "The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software. Regarding campaign activity, we have not detected any current activity [as of 8 November 2019] related to the Titanium APT."

References

  1. Kaspersky Labs' Global Research & Analysis Team (GReAT) (February 16, 2015). "The Great Bank Robbery: the Carbanak APT". Securelist. Archived from the original on February 17, 2015.
  2. "Carbanak_APT Analysis" (PDF). Kaspersky. Archived from the original (PDF) on 19 March 2017. Retrieved 12 June 2017.
  3. 1 2 David E. Sanger and Nicole Perlroth (14 February 2015). "Bank Hackers Steal Millions via Malware". The New York Times.
  4. CARBANAK Week Part One: A Rare Occurrence FireEye, 2019
  5. Fingas, Jon (February 14, 2015). "Subtle malware lets hackers swipe over $300 million from banks". engadget. Archived from the original on February 15, 2015.
  6. "Carbanak Ring Steals $1 Billion from Banks". Threatpost. 15 February 2015.
  7. "The Great Bank Robbery: the Carbanak APT". Securelist. 16 February 2015.
  8. "FIN7 Evolution and the Phishing LNK". FireEye.
  9. "FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor | Proofpoint US". www.proofpoint.com. July 31, 2017.
  10. "OpBlueRaven: Unveiling Fin7/Carbanak - Part I : Tirion". Prodaft.com.
  11. "OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks". PRODAFT.
  12. Newman, Lily Hay. "THE BILLION-DOLLAR HACKING GROUP BEHIND A STRING OF BIG BREACHES". Wired.
  13. "Anunak APT against Financial institutions" (PDF). Fox-IT. 22 December 2014. Archived from the original (PDF) on 22 March 2015. Retrieved 4 March 2015.
  14. "Anunak aka Carbanak update". Fox-IT. 16 February 2015.
  15. "Group-IB and Kaspersky have conflicting views". Kommersant. 23 February 2015.
  16. "FBI, Secret service, no signs of Carbanak". Reuters. 18 February 2015. Archived from the original on 24 September 2015. Retrieved 30 June 2017.
  17. "Carbanak overhyped, no US banks hit". BankTechnologyNews. 19 February 2015.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.