An elaborate ATM hacking campaign that targeted several banks in Eastern Europe and Russia earlier in the year saw an unknown hacker group steal an estimated $40m (£30m). Unlike other bank hack campaigns, these attacks involved both cyber intrusion and physical stages.
The hackers withdrew large sums of money from the targeted banks' ATM machines, located in countries outside the banks' home country. This in turn ensured that the cybercriminals could steal millions without the targeted banks knowing that a breach had occurred.
According to security experts at Trustwave, who investigated the attacks, the cybercriminals recruited "mules" to physically visit the targeted banks, open new accounts and request debit cards for those accounts. The mules then handed these debit cards to international conspirators located outside the banks' home country. Once all the cards had been distributed, the hackers, who had meanwhile already breached the banks' networks, "accessed the bank's internal systems and manipulated the debit cards' features to enable a high overdraft level and removed anti-fraud controls that had been placed for the specific accounts."
The debit cards were then used to withdraw significant amounts of money from multiple ATMs. "The physical counterparts stationed at various locations in Europe and the Russian Federation then cashed out substantial amounts of money for each of these cards from ATM terminals. Cash withdrawals across the region began within minutes of the first OD property change made to the debit cards on the card management application," Trustwave security experts Thanassis Diogos and Sachin Deodhar said in a report. The hackers managed to make off with up to $10m from each targeted bank.
Law enforcement authorities were able to observe some of the mules meeting up with other suspected members of the hacker group via security camera footage from some ATMs that were used to withdraw money. "These meetings were most likely to deliver the stolen cash, after keeping their fee," researchers said.
The hackers managed to compromise the targeted banks' enterprise admin account, which in turn gave the attackers "full access" to the banks' infrastructure. The hackers also installed a legitimate monitoring tool called Mipko (advertised as an employee monitoring tool), which can capture screens, keystrokes and more.
"Based entirely on the precision with which the attack was carried out, we believe that the attackers had previously obtained deep inside knowledge of the bank's network and systems," Trustwave security experts said. "Similarly, they obtained an understanding of the processor's environment, and of the card management software and how these systems could be used to manipulate a debit card's sensitive properties such as its overdraft (OD) limit and its Risk Rating. These two parameters are needed to determine the account's OD limit and therefore how much money the account holder can withdraw."
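The detection opportunity in the two passages above is the tight timing: a card's OD limit or anti-fraud control is changed in the card management application, and withdrawals from ATMs in several countries follow within minutes. The script below is an added illustration, not code from Trustwave or the banks involved; the audit-log field names (`od_limit`, `antifraud_hold`, `atm_country`) and the sample events are constructed assumptions about what such a bank's logs might contain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not taken from the report): card-management audit
# events and ATM withdrawals for two hypothetical debit cards.
CARD_EVENTS = [
    {"time": "2017-05-01T10:00:00", "card": "CARD-A", "field": "od_limit", "old": 0, "new": 50000},
    {"time": "2017-05-01T10:01:00", "card": "CARD-A", "field": "antifraud_hold", "old": True, "new": False},
    {"time": "2017-05-01T10:05:00", "card": "CARD-B", "field": "od_limit", "old": 500, "new": 600},
]
WITHDRAWALS = [
    {"time": "2017-05-01T10:07:00", "card": "CARD-A", "atm_country": "RU", "amount": 9000},
    {"time": "2017-05-01T10:09:00", "card": "CARD-A", "atm_country": "DE", "amount": 8500},
    {"time": "2017-05-01T10:12:00", "card": "CARD-A", "atm_country": "PL", "amount": 9000},
    {"time": "2017-05-01T12:00:00", "card": "CARD-B", "atm_country": "RU", "amount": 100},
]


def is_risky_change(event, raise_factor=10):
    """A risky property change is an OD limit raised to at least `raise_factor`
    times its previous value, or an anti-fraud hold switched off."""
    if event["field"] == "od_limit":
        return event["new"] >= max(event["old"], 1) * raise_factor
    if event["field"] == "antifraud_hold":
        return bool(event["old"]) and not event["new"]
    return False


def detect_cashout(card_events, withdrawals, window_minutes=60, min_countries=2):
    """Alert on cards where a risky change is followed, within `window_minutes`,
    by withdrawals spread over at least `min_countries` ATM countries.
    The first risky change per card is kept as the trigger."""
    by_card = defaultdict(list)
    for w in withdrawals:
        by_card[w["card"]].append(w)
    alerts = {}
    for ev in card_events:
        if ev["card"] in alerts or not is_risky_change(ev):
            continue
        t0 = datetime.fromisoformat(ev["time"])
        hits = [w for w in by_card[ev["card"]]
                if t0 <= datetime.fromisoformat(w["time"]) <= t0 + timedelta(minutes=window_minutes)]
        countries = {w["atm_country"] for w in hits}
        if len(countries) >= min_countries:
            alerts[ev["card"]] = {"trigger": ev["field"], "countries": sorted(countries),
                                  "total": sum(w["amount"] for w in hits)}
    return alerts


if __name__ == "__main__":
    print(detect_cashout(CARD_EVENTS, WITHDRAWALS))
```

Only CARD-A is flagged: its limit jump from 0 to 50,000 followed by withdrawals in three countries within 12 minutes, while CARD-B's modest change and single withdrawal stay below both thresholds.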
The hackers also used specialised malware to leave no trace of their activities, in efforts to thwart future forensic analysis of the targeted systems. According to Trustwave researchers, the attackers' "tradecraft" suggests involvement with organised cybercrime syndicates.
It is still unclear how many banks were targeted and whether any of the targeted organisations have been able to identify where the money was moved and/or recover it. The identity of the hacker group also remains unknown. IBTimes UK has reached out to Trustwave for further clarity about the attacks and will update this article in the event of a response.
"We believe that the attack described in this report represents a clear and imminent threat to financial institutions in European, North American, Asian and Australian regions within the next year. Currently the attacks are localized to the Eastern European and Russian regions. However, in cybercrime, this area is often the canary in the mineshaft for upcoming threats to other parts of the world," Trustwave security experts said.
"Our investigations have revealed victim losses currently around approximately USD$40 million. However, when taking into account the undiscovered or uninvestigated attacks along with investigations undertaken by internal groups or third parties, we estimate losses to be in the hundreds of millions in USD. All global financial institutions should consider this threat seriously and take steps to mitigate it."