Anti-Malware , ATM Fraud , Fraud

New Details About $1 Billion Crime Ring Researcher Says ATM Attack Linked Ring to Other Schemes

In an exclusive interview with Information Security Media Group, Sergey Golonvanov, a threat researcher at Kaspersky Lab, explains how a highly sophisticated and well-funded crime ring based in Russia, which made headlines over the weekend for successfully defrauding up to $1 billion from banks in Europe, the U.S. and elsewhere, was able to fly under the radar of detection for nearly a year. The ring used a string of seemingly unrelated malware attacks aimed at compromising everything from ATMs and money-transfers to retail point-of-sale systems (see Cybercrime Gang: Fraud Estimates Hit $1B ).

The group, which Kaspersky calls Carbanak, is one the White House, the Federal Bureau of Investigation, Interpol and Europol, as well as numerous security firms, have been keen to learn more about, Golonvanov says.

"We started this investigation after mysterious behavior at ATMs of a bank in Ukraine," he says. But soon it was clear that what was striking these ATMs was not run-of-the-mill ATM malware, Golonvanov adds.

In fact, Russia-based security firm Kaspersky Lab now says Carbanak is the same group about which researchers at cybersecurity firms Group-IB and Fox-IT released a similar cyberthreat report in December.

While Group-IB and Fox-IT named the group Anunak, they, too, linked it to malware that struck numerous targets - in their case, 16 U.S. retailers that were breached in 2014. But what is interesting about Anunak, Group-IB and Fox-IT noted, is that some of its core hackers are actually the developers of the banking Trojan Carberp, which emerged in 2010 - illustrating the blurring line between malware attacks waged against retail and banking, the firms said.

Golonvanov says now that Kaspersky has tied the same group to even more financially motivated crimes and attacks, the tether that connects retail attacks to bank attacks is even more obvious, especially now that there is a single group believed to be behind all of it.

"Yes, we know that this is the same group that was reported back in December," Golonvanov says. "From the start of 2014, we were working on this case. ... But now, when we see so many financial institutions involved, we realize how great this threat is."

Unique ATM Attack

Golonvanov, who's been closely following this crime ring for the last year, says it took a unique kind of jackpotting attack waged against ATMs in Ukraine to spur security teams to trace and link seemingly unrelated cyber-attacks back to a single gang.

"The first time I met with the guy from the bank, I thought we would need to find the direct physical access the attacker had to the ATM," he says, because most ATM malware must physically be installed locally to the terminal.

"In this case, though, nothing was stashed [or installed] on the ATM," Golonvanov explains. "So as the mystery of this attack unfolds, we see a guy on the ATM surveillance walking around the ATM, not touching the ATM, but able to get money out."

Golonvanov realized the ATM had been reprogrammed from a more centralized, networked source that did not require the fraudster or mule to enter a ficticious PIN or fraudulent card to withdraw funds. The ATM just spit the money out.

"That's when we started looking in the bank's infrastructure, and that's actually how we found Carbanak," he says.

Now Kaspersky classifies Carbanak malware as an advanced persistent threat, Golonvanov says.

"We see it is a global threat, now that we have more information about the targets," he explains. "It's not just ATMs and point-of-sale terminals that were involved in this case."

During this interview, Golonvanov also discusses:

  • How Carbanak was used to compromise money transfers made through SWIFT - the Society for Worldwide Interbank Financial Telecommunication - Europe's banking transaction system;
  • Why shutting Carbanak down won't be easy; and
  • Fraud mitigation steps banking institutions should be taking to ensure they don't fall victim to a Carbanak attack.

Golonvanov started his career at Kaspersky in 2005 joining the company as a virus analyst before going on to become head of the Non-Intel Research Group. He conducts research related to data-mining and threats that target online games and social networking sites, as well as the technologies and methods used by virus writers and cybercriminal groups. Sergey was appointed Malware Expert for the Russian Research Center in 2009 and is based in Moscow.

Around the Network