The Billion Dollar Bank Job: How hackers stole $1bn from 100 banks in 30 countries

Fingerprinting child abuse images — The Carbanak hacking gang were able to steal up to $1bn since 2013 from up to 100 institutions across 30 countries Wikimedia Commons

It is being called the "the great bank robbery" and unprecedented in nature but just how did a cyber-crime gang steal more than $1bn (£648, €878m) from more than 100 institutions in 30 countries over a period of two years?

It has been revealed that the Carbanak gang (named after the malware it uses), with members in Russia, Ukraine, China and other parts of Europe, has been stealing tens of millions of dollars from banks, e-payment systems and other financial institutions since 2013, and is still active.

The gang has targeted up to 100 institutions in 30 countries with each theft taking on average between two and four months to complete.

So how did this gang manage to steal so much money without anyone noticing sooner? Here we dissect the techniques used and look at what security experts have said on the matter.

Gone spear phishing

The first step, just as it is in almost all sophisticated targeted attacks these days, was a spear phishing campaign. Tailored and authentic-looking emails which will have been written to target specific employees at specific banks, with this technique being one of the most popular - and successful - ways to infiltrate networks.

The emails sent by the gang to bank employees feature a Word document attachment which, when downloaded and opened, executed the Carbanak malware and gave the hackers direct access to the system.

Carbanak malware

While Kaspersky Lab has yet to reveal much of the technical detail about the Carbanak malware, we can tell this is what is known as a remote administration tool (RAT) which gives the hackers control over the systems they have infected.

Carbanak allows the criminal gang to monitor network traffic, grab screenshots as well as record keystrokes on the infected machine allowing them to find the administrators' computers for video surveillance.

Video surveillance

Using a bank's own camera against them, the gang were able to see and record everything that was happening on the screens of bank employees.

The Carbanak gang used video surveillance to monitor bank employees Creative Commons

By monitoring these screens the hackers were able to gain intimate knowledge of just how each bank's specific internal systems worked, allowing them to tailor each attack.

"In this way, the fraudsters got to know every last detail of the bank clerks' work and were able to mimic staff activity in order to transfer money and cash out," Kaspersky Labs' report says.

Cashing out

Stealing $1bn in cash is not an easy thing to do, but doing it predominantly online makes it much more achievable. Yet, doing so without attracting attention to yourself is something which requires the mixture of skill and patience which the Carbanak gang displayed.

The gang used three primary methods of exfiltrating cash from the target institutions:

The main method of stealing the cash was to use online banking or international e-payment systems to transfer money from the banks' accounts to their own. In the second case the stolen money was deposited with banks in China or America - though Kaspersky notes it is possibly other banks were used.
The second method employed by the Carbanak gang was to use its access to the banks' accounting systems to inflate account balances before withdrawing the money. For example the hackers could change the account balance of a victim from £1,000 to £10,000 before withdrawing £9,000 leaving the victim with their original balance.
Moving into the physical world, the hackers were able to take control of the ATMs belonging to the banks and ordered them to dispense money at pre-arranged times when its operatives were in position

What banks were affected?

No one knows. None of the up to 100 banks, e-payment systems and other financial institutions attacked have admitted their systems were breached.

Most of the banks - and therefore losses - are thought to be based in Russia but the Carbanak gang is active in up to 30 countries - including the US and UK. Here is the full list of countries affected:

Russia, USA, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia.

How much money has been stolen?

Kaspersky Labs, which carried out the investigation in association with Interpol and Europol, says that its has seen the theft of $300m from its clients' accounts, but estimates that the real figure is close to $1bn, which would make it one of the biggest thefts in history.

What the experts say:

Sergey Golovanov from Kaspersky Lab, calls the attack "very slick and professional":

These bank heists were surprising because it made no difference to the criminals what software the banks were using. So, even if its software is unique, a bank cannot get complacent. The attackers didn't even need to hack into the banks' services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery.

Sanjay Virmani, director of the Interpol Digital Crime Centre, says these type of attacks are being more numerous:

These attacks again underline the fact that criminals will exploit any vulnerability in any system. It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures. Identifying new trends in cybercrime is one of the key areas where Interpol works with Kaspersky Lab in order to help both the public and private sectors better protect themselves from these evolving threats.

Amichai Shulman, CTO at security firm Imperva, says it's time to look for new solutions:

Whatever technologies these banks were using to protect themselves failed. It's time to look for new technologies. Such an operation resulted in countless acts of internal credential theft and explorations within the bank network. Clearly setting up traps within end stations would have triggered multiple alerts over time. Organisations must deploy this new technology.

Mark Bower, from security company Voltage Security says the criminals have their craft down to a "fine art":

Cybercriminals have got the infection-to-cash cycle down to a fine art, proving crime does pay when the victim's perimeter can be bypassed and systems manipulated at will. Today, there are few defences against this level of attack sophistication - but new methods have emerged to fight back, especially data-centric security which works by making stolen data completely useless to the criminal who steal it.

Mike Spykerman, from OPSWAT, said using spear phishing techniques ensures success:

This is yet another hacking originating from spear phishing attacks. The problem with these attacks is that because they are targeted to only a small number of individuals, the malware can get past anti-virus engines.

Russia Ukraine