Law-enforcement agencies have arrested a criminal group of eight people responsible for ATM malware attacks used to empty cash machines. The joint operation by the Romanian National Police and Directorate for Investigating Organised Crimes and Terrorism, further aided by Europol and Eurojust along with other European authorities, revealed that the criminals are Romanian and Moldovan nationals.
The group was involved in "large-scale ATM jackpotting", using a 'Trojan horse' or 'Trojan', a type of malware disguised as genuine software. This malware allowed the attackers to empty ATM cash machines by using the ATM keypad to submit commands to the Trojan.
The authorities said the group used Tyupkin ATM malware, which was first detected in October 2014 by Russian security firm Kaspersky Lab. Kaspersky claims that the malware affected machines from a major ATM manufacturer running 32-bit Microsoft Windows. Kaspersky said at the time of its investigation that Tyupkin malware was active on more than 50 ATMs at banking institutions in Eastern Europe. The malware has also spread to other countries including the US, India and China.
This malicious software uses several techniques to avoid detection, and is active only at a specific time at night. The malware uses a key based on random input for every session. When the key is entered correctly, the malware displays details about how much money is available in every cassette, allowing attackers with physical access to the ATM to withdraw 40 notes from the cassette. According to security footage, the hackers were able to manipulate the machine and install the malware using a bootable CD.
Wil van Gemert, Europol's deputy director of operations, said, "Over the last few years we have seen a major increase in ATM attacks using malicious software. The sophisticated cybercrime aspect of these cases illustrates how offenders are constantly identifying new ways to evolve their methodologies to commit crimes."
"To match these new technologically savvy criminals, it is essential, as it was done in this case, that law enforcement agencies cooperate with their counterparts via Europol to share information and collaborate on transnational investigations," he added. Europol's European Cybercrime Centre has prepared security guidelines regarding this new cyberattack to ATMs.