In what’s shaping up to be a textbook classic, Carbanak, a major advanced persistent threat (APT) attack against financial institutions around the world, may be considered the largest cyberheist to date. The scope of the attack and the losses it has caused make its case so significant. The surprise factor in this APT attack was the criminals’ change in approach and careful planning. Unlike the usual cybercriminal method of stealing consumer credentials or compromising individual online banking sessions with malware, the brazen Carbanak gang targeted banks’ internal systems and operations, resulting in a multichannel robbery that averaged $8 million per bank.

At the time of this post, attacks connected to the Carbanak operation are reportedly still active.

Attacking financial organizations from within is more complicated to execute than impersonating online banking users. Such a large-scale APT operation took planning, skill and resources that are not commonly seen from many organized cybercrime gangs.

The main factor that let attackers cause such damage was inadequate security controls. While the financial sector has been fervently working for decades to prevent fraud and strengthen its detection and protection mechanisms, it has not been as aware of the threats to corporate systems and internal operations networks. Since banks possibly did not expect cybercriminals to be able to attack from within the bank’s systems, internal core systems were not protected by adapted solutions that would have stopped this sort of attack. It was only a matter of time before criminals conceived and executed an operation of this scale.

The relative ease of the breach and its staying power highlight the need for much more stringent security controls to protect both employee endpoints and banks’ core systems.

This stealthy APT attack has gone unnoticed since the end of 2013. It was highly active yet remained undetected. Initial infiltration was facilitated by spear phishing emails and exploit-laden attachments that compromised employee endpoints with malware, eventually stealing credentials, taking over their endpoints and abusing their user privileges.

Research reports on the case indicate that once attackers were inside the breached networks, they were met with weak controls and sometimes basic detection capabilities.

The proper operation of bank systems that run proprietary software and specific hardware was compromised because attackers were able to study it. This reconnaissance was easy via the use of run-of-the-mill malware features such as keyloggers, screenshot grabbers, remote administration tools, and a Video Grabber. All of these are basic malware capabilities that have been used by cybercriminals for about a decade now.

At this time, some of the organizations are still seeing related malicious activity taking place. They are working to spot its source, contain the threat and fully halt the attacks.

How Carbanak Was Launched

Like many other APT attacks, this heist started out slow and steady as the gang schemed and established a stronghold inside its targets’ most guarded internal environments.

To begin, the criminals bought access to bank employee computers that were already compromised by massively distributed opportunistic malware. Dark Web cybercrime vendors who run immense botnets sell access to a wide selection of compromised zombies from any country. A quick search for a user’s email domain can reveal the company he or she works for, allowing criminals to zero in on a target. Price tags for remote desktop-based access run no more than a few dollars.

Once the Carbanak team had an initial back door into the targeted banks, it followed up with spear phishing emails designed to trick employees in the same bank and those working in other banks. The emails contained exploit-laden attachments that downloaded an insidious Trojan into the machines when they were opened by employees.

The malware used in this operation started out as variants of Anunak, Qadars and some Carberp hybrid varieties. However, the latest samples show that the gang moved on to use entirely new malware. Although the “Carbanak” name used by researchers is a combination of the aliases “Carberp” and “Anunak,” the actual samples are not related to either code at this point.

The steps that followed after new victims’ endpoints were unknowingly infected by malware are common to all APT attacks: privilege escalation, lateral movement into internal systems inside the bank’s infrastructure, deeper reconnaissance and eventual impact.

To study the compromised banks’ internal systems, the attackers placed designated operators on the watch, having them view regular video- and screen-capture feeds the malware grabbed and transmitted back to the attackers. They were thereby able to gradually learn the inner workings of the bank employees’ operations with the purpose of using the employees’ stolen credentials and mimicking them on D-Day.

The use of keyloggers and data-stealing malware capabilities provided the hostile watch team with all the necessary access credentials and user rights to eventually launch the next phase of this attack, which included a variety of ways to steal large sums of money from the banks they targeted.

The APT was a mix of multichannel fraud that abused both online and physical systems from within and via the banks’ service channels. The attackers did the following:

  • Infected computers attached to ATMs so the machines dispensed cash at the same time the gang’s mules were there to pick it up;
  • Compromised internal Oracle databases, created fraudulent accounts, issued cards and modified account balances to wire out more money each time;
  • Abused the Society for Worldwide Interbank Financial Telecommunication system to move large amounts of money into accounts they controlled;
  • Used the online banking vector for e-pay fraud and fraudulent transactions.

Operating like a well-oiled machine, this Eastern European cybercrime gang managed to go unnoticed for well over a year while continually attacking from within. The operation was supported by a wide network of live money mules and mule accounts of all grades, which enabled the thieves to rob millions of dollars from each bank.

The full scope of this operation was recently made public by Kaspersky Lab researchers who handled the incident response at a bank that was attacked in Ukraine. Kaspersky’s report estimated this attack affected more than 100 banks across 11 countries. Estimated losses have tripled from $300 million on Feb. 14 to $1 billion only a day later.

Take a proactive response to today’s advanced persistent threats! Read the white paper to learn how

What Could Have Been Done to Foil This APT Attack?

This complex attack’s technical success and detrimental results are due to the fact that the criminals were able to infiltrate the network using compromised employee endpoints, learn about the inner workings of internal systems and gain an insider’s user-grade access to the bank’s systems. Not only did the attackers compromise employee endpoints and bank networks, but they remained undetected for an extended period, which allowed them to covertly study employees’ daily activity for as long as they needed to before they executed their plan.

Standard detection capabilities did not suffice here. Exploitation, download, installation, malware modules, exfiltration, remote access and endpoint takeover, as well as repeated illegitimate actions, were not discovered by the existing security for many months. Had the reconnaissance stage of the attack been discovered quickly, the entire operation would have failed.

What was needed in the Carbanak case is a multilayered defense approach to protect corporate endpoints against advanced malware and credential theft — for example, disrupting the exploit chain that was used in the Carbanak attack to download remote access Trojans and other malware on the machine. By disrupting the exploit chain, the spear phishing scheme would have failed and employee endpoints would not have been compromised to begin with.

For already compromised machines, the ability to identify and block suspicious attempts to establish communication channels with the attackers could have made a difference by stopping the exfiltration of video feeds and screen captures accumulated by the criminals.

While using some legitimate tools for malicious purposes, Carbanak’s botmasters also deployed malware such as the Ammy remote administration tool on employee endpoints to take them over. Had this unsafe download been stopped on time, the subsequent endpoint takeover would have made things a lot harder for the attackers.

Endpoints that were abused via Virtual Network Computing needed more stringent protection that would have flagged the suspicious sessions and exposed the attackers’ progress before they would have had a chance to cause further damage.

According to reports on this large-scale APT attack thus far, Carbanak is a very well-orchestrated crime operation, but it is not as sophisticated on a technical level — nor is it impossible to protect against. To learn more about layered defenses banks can use to protect employee endpoints and internal systems, read about Trusteer Apex Advanced Malware Protection™.

More from Advanced Threats

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today