The group who have reportedly stolen $1 billion in two years from 30 countries was initially spotted in December.
The report by Kaspersky Lab found that a multi-national gang of cyber criminals from Russia, Ukraine, China and parts of Europe found that the “Carbanak” criminal gang attempted to attack up to 100 banks, e-payment systems and other financial institutions in around 30 countries where the largest sums were grabbed by hacking into banks and stealing up to $10 million in each raid.
On average, each bank robbery took between two and four months and began by gaining entry into an employee’s computer through spear phishing, infecting the victim with the Carbanak malware.
However the Dutch security investigation firm Fox-IT said that the characteristics correlate with what it saw from the Anunak group, and it said in an update that Anunak has ties with Carbanak.
“Anunak is the name the malware author gave to the main malware used in these attacks,” it said. “Carbanak is the name the anti-virus industry gave to this malware, which is a combination of the words ‘Anunak’ and ‘Carberp’, as the Anunak malware has used code from Carberp.”
Fox-IT previously reported on Anunak as being an APT-like criminal group with ties to the Carberp group from some years ago. The attack types include previously unseen direct attacks to Russian bank ATM’s and core financial systems of banks, while focusing on POS malware and credit card counterfeiting in the rest of the world, with their main focus on US retail.
The company said that since early December, the group has decreased their activities and may have even stopped entirely.
It said: “Without any insight into the evidence Kaspersky has obtained, we can only repeat our view that Anunak has targeted only banks in Russia and we have no concrete reports of compromised banks outside of Russia directly related to this criminal group. The compromises outside Russia related to retail compromises with the goal of obtaining credit card data to create counterfeit credit cards.”
Amichai Shulman, CTO of Imperva, said: “Whatever technologies these banks were using to protect themselves failed. It’s time to look for new technologies. Such an operation resulted in countless acts of internal credential theft and explorations within the bank network. Clearly setting up traps within end stations would have triggered multiple alerts over time. Organisations must deploy this new technology.
“The operation involved multiple that are ‘unnatural’ or ‘rare’ in normal operations such as ‘tricking’ the balance of accounts. Clearly it is impossible to scrutinise each and every such operation. Thus a technology that looks at the aggregate effect of such operation over time is something required in today’s landscape.”
Kaspersky Lab’s report claimed that the cyber criminals began by gaining entry into an employee’s computer through spear phishing, infecting the victim with the Carbanak malware. They were then able to access the internal network and track down administrators’ computers for video surveillance.
Mike Spykerman, vice president of product management at OPSWAT, said: “This is yet another hacking originating from spear phishing attacks: According to the Kaspersky report, the hackers were able to gain access to the banking systems by sending out emails to banking employees with a malware laced Word attachment, which when opened, executed a backdoor for the attackers. The problem with these attacks is that because they are targeted to only a small number of individuals, the malware can get past anti-virus engines.”
Neil Costigan, CEO of BehavioSec, said: “The figures released by Kaspersky today should make banks all over the world look up from their morning coffee. It’s not only the scale of the attacks that will ring alarm bells, but the type; each ‘bank robbery’ is reportedly taking between two and four months. We are no longer talking about one man with a balaclava, but protracted, sophisticated, patient attacks with criminals lurking for months to learn the banks’ systems. This approach is viable, so long as the banks rely on outdated ‘one off’ authentication requests.”