Cybercrime Gang: Fraud Estimates Hit $1BExperts Say Anunak/Carbanak Malware Attacks Still Under Way
A notorious cybercrime gang continues to target financial services firms and retailers. A new report estimates that the Anunak - a.k.a. Carbanak - gang has now stolen up to $1 billion from banks in Russia, the United States and beyond, in part by using "jackpotting" malware that infects ATMs and which attackers can use to issue cash from ATMs, on demand.
Security firm Kaspersky Lab, which issued the new study, says that the multinational gang of cybercriminals - operating from such locations as Russia, Ukraine and China - often launches phishing attacks to install its malware, which Kaspersky calls "Carbanak," on bank employees' PCs. From there, attackers then find and hack into the PCs used by money-transfer system administrators and install malware that captures a digital-video recording of everything the employees do on-screen, before sending the resulting video file to attackers. "This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems," Kaspersky says. "In this way the cyber criminals got to know every last detail of the bank clerks' work and were able to mimic staff activity in order to transfer money and cash out."
Kaspersky says that officials at the FBI and White House, as well as Interpol and Europol, have been briefed on the report's findings, and that because of non-disclosure agreements that it signed with affected banks, it cannot name them.
But this doesn't appear to be the first warning - or tactical analysis - that's been issued in relation to this particular malware-wielding cybercrime gang. In fact, this appears to be the same group that a report from Group-IB and Fox-IT profiled in December (see Russian Ring Blamed for Retail Breaches). Those firms have labeled the malware being used by the same gang as "Anunak."
"Anunak or Carbanak are the same," Andy Chandler, senior vice president at Fox-IT, tells Information Security Media Group. "We continue to track these actors, but there are no major revelations since late December when we released this story first. So far in 2015, the global financial industry have been kept busy by other more innovative criminal groups such as Dyre, Dridex and Evil Corp.," which are typically named for the Trojans used by attackers - such as Dridex and Dyreza.
Kaspersky Lab didn't immediately respond to a request for comment about whether its report profiled the same gang that was analyzed by the Dec. 2014 Group-IB and Fox-IT study.
But Alan Woodward, who's a visiting professor at the department of computing at England's University of Surrey, as well as a cybersecurity advisor to Europol, says both reports appear to be profiling the same gang. "If there is anything actually new it is that Kaspersky have found more banks have been affected than Fox-IT found," Woodward says, noting that he was briefed on the Kaspersky report in advance of its release.
The gang's attacks have been under way since 2013, security experts say, although they weren't immediately spotted. "Carbanak malware samples were first seen in August of 2014," says John LaCour, CEO of cybercrime protection service PhishLabs, referencing when a sample of the malware was first cataloged by the Totalhash malware analysis database. Based on a December 2014 analysis conducted by malware-scanning service VirusTotal, however, at that time only about half of all anti-virus engines were detecting one particular version of the malware.
The Financial Services Information Sharing and Analysis Center, or FS-ISAC, which distributes threat intelligence to the financial services sector, says in a statement provided to The New York Times that "our members are aware of this activity," and that it has shared related threat intelligence to them. "Some briefings were also provided by law enforcement entities." The Times also received a copy of the Kaspersky report in advance of its publication.
Ambitious Cybercrime Ring
This is not the first time that a group of criminals has used malware to launch successful jackpotting or "cash out" attacks that allow them to drain cash from ATMs (see Malware Attacks Drain Russian ATMs). Such malware can be used to distribute cash at a prearranged time, or in response to money mules entering a preset code into the ATM keypad.
But what distinguishes the Anunak/Carbanak gang from its peers is the apparent scope - and success - of its efforts. Notably, Kaspersky's report says the gang has targeted financial services groups in Russia and the United States, as well as Australia, Brazil, Bulgaria, Canada, China, Czech Republic, France, Germany, Hong Kong, Iceland, India, Ireland, Morocco, Nepal, Norway, Pakistan, Poland, Romania, Spain, Switzerland, Taiwan, Ukraine and the United Kingdom.
The Kaspersky report says the attackers used three principle techniques to steal money from banks: hacking systems to inflate an account's bank balance, and then transferring the added amount to an attacker-controlled account; taking control of bank ATMs and telling them to dispense cash - at predetermined times - to one of the gang's waiting money mules; laundering stolen money via online bank accounts or e-payment systems, in some cases relying on banks in China and the United States.
While the Kaspersky report doesn't touch on point-of-sale attacks, the Group-IB and Fox-IT report also ties the Anunak gang to breaches of 16 U.S. retailers in 2014. According to press reports, that list of breached retailers included Staples, Bebe and Sheplers.
$1 Billion Stolen?
What's especially concerning about the Carbanak malware attacks against banks is that the malware wasn't found until after bank officials watched the money go missing. "The initial alert was raised when security cameras saw ATMs popping out money to people who had apparently not even touched the machine - money mules," Woodward says. Money mules are low-level gang members tasked with retrieving money from ATMs. By using them, a gang's leadership can lessen the risk that they themselves will be identified or captured.
Each raid lasted for an average of 42 days - from the time a bank PC was initially infected with malware, to when the attackers stole money - and resulted in the theft of up to $10 million at a time, Kaspersky says, noting that some banks were attacked more than once. While its report claims that $1 billion in total was stolen, Woodward says there's roughly $300 million missing "that we can be sure about," and that the $1 billion figure is based so far on extrapolation, although it may be proven accurate.
Woodward says investigators have been analyzing data recovered from the command-and-control servers used by attackers, but notes that attackers rotated their servers twice per week. Hence investigators may still only be seeing some of the heists perpetrated by the cybercrime gang. "In any event it's looking like the largest bank heist we've come across [to date], and just goes to show why they have switched from sawn-off shotguns to cybercrime," he says.
The gang appears to still be at work. "The priority now is to work out what exactly has been stolen - a non-trivial task because of the nature of the attack - then make sure the holes are closed," he says. "It looks like this is an ongoing attack so banks will all be scrambling to make sure they're not affected."
Related Investigations Under Way
One takeaway from these attacks for financial services firms - or any other sector - is that criminals have become expert at finding weaknesses to exploit, both at the employee and IT systems levels. "These attacks again underline the fact that criminals will exploit any vulnerability in any system," says Sanjay Virmani, director of the Digital Crime Center at international police organization Interpol, which helps its 190 member countries investigate transnational crime and terrorism. "It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures."
The attacks also demonstrate the continuing power of well-designed malware. "We've known for years that engineered malware has provided the biggest risk for financial loss, and these reports seems to validate such conclusions," says Carl Herberger, vice president of security solutions at app delivery vendor Radware. He adds that the Anunak/Carbanak attacks again demonstrate that cybercrime appears to be the domain not of nation states, but rather "transnational cartels compromising individuals from numerous countries who are all centered around stealing assets - however now, in a new way."
Chasing down the people responsible for the Anunak/Carbanak attacks, however, likely won't happen quickly. "Finding the criminals will be tricky, as there are so many cross-border aspects to the job. Europol and Interpol are already involved for that very reason," Woodward says, adding that while it might still take a substantial amount of time to track down the criminals involved, law enforcement agencies "can be very patient," and related investigations have already been launched.
"It is vital to pursue these criminals, if only to prevent a repeat performance and to deter others that might attempt the same," he says.
News Writer Jeffrey Roman also contributed to this story.