Billions - Nation States and Their Battle with Banks

02 May 2019

It Began with Carbanak

On July 10, 2016, a typhoon was washing over Taipei, the capital city of Taiwan (Devdreux, 2018). The sun had just set, and most citizens were hunkered down inside their homes waiting for the rain to end (Devdreux, 2018). Sergey Berezovsky and Vladimir Berkman, wearing hats and antipollution masks, waited outside First Commercial Bank (Devdreux, 2018). The two Russians were in a line to withdraw cash from an ATM (Devdreux, 2018). Finally, their turn came. The two stepped up to the machine and loitered for a moment (Devdreux, 2018). Then, to onlookers' surprise, the ATM started jackpotting cash into the tray for the Russians to grab (Devdreux, 2018). They quickly shoved the money into a satchel as the machine emptied its cassettes of bills (Devdreux, 2018). In an instant, they stole around sixty thousand US dollars and vanished; moreover, they never touched the ATM except to take the bills from the tray (Devdreux, 2018). Jornt v.d. Wiel, a cyber security researcher at Kaspersky Labs, shared this and other stories at the Kaspersky Security Analyst Summit in Singapore on April 10, 2019 (Newman, 2019). Kaspersky Labs was hired to investigate the coordinated attack that netted the hackers two million six hundred thousand US dollars from forty-one First Commercial Bank ATMs in a single night (Newman, 2019). When Kaspersky Labs inspected the machine, they discovered the hackers were not using malware installed on the ATM itself. This hacker group, dubbed Carbanak, was doing something much more sophisticated, and it was only the beginning (Newman, 2019). Bank robbery has evolved beyond the brick-and-mortar branch into a silent financial war between nations (Newman, 2019). The efforts of the Carbanak hacker group have inspired North Korea to become the world's most advanced and persistent digital bank robbers (Newman, 2019).

According to Kaspersky Labs, the hacker group used a spear-phishing attack in which they posed as job seekers and sent out emails with resumes attached as Microsoft Word documents containing an exploit for a published vulnerability (Newman, 2019). Someone in the human resources department opened the attachment, which ran the download script for the Carbanak malware (Newman, 2019). This was a remote shell application that allowed the attackers to install software on that one specific computer (Carbanak 2019). The hacker group's next effort was to escalate their privileges (Carbanak 2019). They installed keylogger software on the victim's computer and then installed a program that consumed a lot of resources while running in the background, slowing down the computer (Carbanak 2019). The human resources worker noticed the computer was running much slower and contacted the IT department to investigate (Carbanak 2019). The IT worker came to the computer, looked through the running processes, saw the program that was using all of the resources, and removed it (Carbanak 2019). Removing the software required the IT worker to enter their administrator username and password, which the keylogger captured (Carbanak 2019).

The hacker group's next step was to learn the network's topology and group policy. Administrators had blocked ICMP, which means ping was disabled on the network, so the attackers scanned the network by sending SYN packets and listening for the SYN/ACK response as the equivalent of an ICMP echo (Carbanak 2019). After finding the available machines, the attackers used the administrator username and password to access each machine and install a custom research software suite to determine which computers were of interest (Carbanak 2019). Their custom research software suite consisted of a keylogger and a very low-quality video recorder that captured a black and white image of the user's active window (Carbanak 2019). The low resolution, and monitoring of only the user's active window, allowed the information to be passed to the command and control server without raising flags for data usage (Carbanak 2019). This allowed the group to observe the users logged into each machine and find which machines and users typically performed manual money movements or controlled the ATMs (Carbanak 2019). The hackers began watching those computers and users to find out how the bank's software worked, how money transfers were performed, and what the users' normal behavior was, so they could impersonate a user without raising flags (Carbanak 2019). During this process, the attackers stumbled across the bank's domain controller and installed additional malware that allowed remote control and monitoring while using very few system resources (Carbanak 2019).
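Blocking ICMP stopped ping but not the SYN-based discovery described above, so the network sensor has to look for SYN fan-out instead. The following detector is an added example, not code from the original essay or from Kaspersky; the Flow record layout and the sample flows are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP flow record (constructed layout, not a real sensor's schema)."""
    ts: float     # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags on the first packet: "S" = bare SYN, "SA" = SYN/ACK, "R" = RST


def detect_syn_sweeps(flows, window=60.0, min_hosts=20):
    """Return {src: set_of_destinations} for every source that sent bare SYNs to
    at least `min_hosts` distinct hosts inside any `window`-second span.
    A sliding window over each source's SYN timestamps keeps the check cheap."""
    syns = defaultdict(list)            # src -> [(ts, dst), ...]
    for f in flows:
        if f.flags == "S":
            syns[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in syns.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            hosts = {dst for _, dst in events[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                hits[src] = hits.get(src, set()) | hosts
    return hits


# Constructed sample: 192.0.2.10 probes thirty hosts on TCP/445 in thirty seconds
# (the ICMP-echo substitute described above); 192.0.2.20 is an ordinary
# workstation opening three connections to three servers.
SAMPLE_FLOWS = [Flow(float(i), "192.0.2.10", f"10.0.0.{i}", 445, "S") for i in range(1, 31)]
SAMPLE_FLOWS += [Flow(100.0 + i, "192.0.2.20", f"10.0.1.{i}", 443, "S") for i in range(1, 4)]

if __name__ == "__main__":
    for src, hosts in detect_syn_sweeps(SAMPLE_FLOWS).items():
        print(f"{src} swept {len(hosts)} hosts, e.g. {sorted(hosts)[:3]}")
```

Pairing each bare SYN with the RST or SYN/ACK that answered it would further separate a sweep from a busy but legitimate client.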

The ‘Oprah Money’ Lottery

In just a few days, the hackers had taken over the entire infrastructure of First Commercial Bank completely unnoticed (Carbanak 2019). They began exploiting the ATMs, using money mules to move the cash, purchase bitcoin, and send the bitcoin back to the hacker group (Carbanak 2019). This earned the hackers several million dollars each day but was very visible and high risk. They used the attention the ATM hacks were attracting as misdirection from where most of the money was being stolen: the bank's SWIFT money transfer system (Carbanak 2019). The hackers had learned how to set up bank accounts and populated checking accounts for an entire team of money mules (Carbanak 2019). They set each account to a very low and uncommon balance of three dollars and thirty-three cents (Carbanak 2019). Then, they ran a simple database update query to change every account balance that was three dollars and thirty-three cents to one million dollars (Carbanak 2019). The incredible thing about this is that if you happened to have exactly the same amount in your checking account, you would wake up a millionaire (Carbanak 2019). The money mules would then withdraw cash from their checking accounts and launder the money using bitcoin as well (Carbanak 2019). Europol claims that this hacking group was able to infect over one hundred banks and steal over one billion two hundred million dollars (Carbanak 2019). This sparked a huge investigation around the world, including Europol, the Spanish government, the Ukrainian government, the Taiwanese government, the Romanian government, and the FBI (Carbanak 2019). They were able to find and arrest their lead suspect, “Denis K”, who was hiding out in Alicante, Spain (Carbanak 2019).
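A direct update of the balance column bypasses the transaction journal, which is exactly what a reconciliation check can catch. This is an added example, not part of the essay or any bank's system; the account table, posted transactions and cent amounts are constructed to mirror the $3.33 to $1,000,000 update described above.

```python
from collections import Counter

# All balances are integer cents. Constructed sample: five mule accounts and one
# unlucky ordinary customer all held exactly $3.33; the bulk UPDATE set each of
# them to $1,000,000 with nothing posted. ACC-7 changed through a real transaction.
BEFORE = {"ACC-1": 333, "ACC-2": 333, "ACC-3": 333, "ACC-4": 333, "ACC-5": 333,
          "ACC-6": 333, "ACC-7": 120_000, "ACC-8": 5_000}
POSTED = [("ACC-7", -2_500), ("ACC-8", 0)]          # (account, signed delta in cents)
AFTER = {"ACC-1": 100_000_000, "ACC-2": 100_000_000, "ACC-3": 100_000_000,
         "ACC-4": 100_000_000, "ACC-5": 100_000_000, "ACC-6": 100_000_000,
         "ACC-7": 117_500, "ACC-8": 5_000}


def unexplained_changes(before, after, posted):
    """Replay the posted transactions on the opening balances and return
    {account: (opening, closing)} for every closing balance the journal
    cannot explain."""
    expected = dict(before)
    for acct, delta in posted:
        expected[acct] = expected.get(acct, 0) + delta
    return {acct: (before.get(acct, 0), bal)
            for acct, bal in after.items() if bal != expected.get(acct, 0)}


def mass_update_signatures(changes, min_accounts=3):
    """Group unexplained changes by their (opening, closing) pair. Many accounts
    jumping from one identical value to another identical value is the
    fingerprint of a `WHERE balance = X` style bulk update, not of customer activity."""
    pairs = Counter(changes.values())
    return {pair: n for pair, n in pairs.items() if n >= min_accounts}


if __name__ == "__main__":
    gaps = unexplained_changes(BEFORE, AFTER, POSTED)
    for (old, new), n in mass_update_signatures(gaps).items():
        print(f"{n} accounts moved from ${old / 100:,.2f} to ${new / 100:,.2f} without a posting")
```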

Kaspersky Labs Saves the Day

Ultimately, the Carbanak group was shut down, and it started with a phone call at three in the morning from an IT administrator to Kaspersky Labs (Carbanak 2019). The IT administrator was performing routine inspections of his network when he realized the domain controller was sending packets of information to China (Carbanak 2019). The bank quickly contacted Kaspersky Labs, and they started identifying the issues on the domain controller right away (Carbanak 2019). First, they used a tool called Process Explorer to examine running processes, memory, and system logs (Carbanak 2019). They immediately found the malware running on the device, took memory dumps, and ran a disassembler similar to IDA to search for readable string values that might reveal more about what the malware was doing (Carbanak 2019). Running strings on a binary is important because it can reveal clues such as who wrote the program, what language it was written in, or applications the malware depends on (Carbanak 2019). After running strings on the malware, the team discovered three readable characters: VNC. VNC is a remote desktop application that allows someone to operate another machine while viewing its desktop as if sitting in front of it (Carbanak 2019). The team recognized this and knew right away that not only had the attacker gained access to the most secure server on the network, but the attacker was more than likely watching everything they were doing on the computer at that moment (Carbanak 2019). So the Kaspersky Labs team opened a Word document, typed “Hello”, and waited. After a moment, the pointer started to move on its own and the attacker wrote back, “Hello” (Carbanak 2019). Kaspersky Labs moved quickly to quarantine the malware and research it as thoroughly as possible before removing it (Carbanak 2019). Because of that research, they were able to quickly identify similar malware on the bank's other machines using a script and remove the files from the network (Carbanak 2019).
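The string search that surfaced “VNC” is easy to reproduce. The extractor below is an added example, not Kaspersky's tooling or code from the essay: it pulls printable ASCII and UTF-16LE runs out of a byte blob the way `strings` does and flags a small indicator list; the SAMPLE_DUMP bytes are constructed, and the indicator list is an assumption for illustration.

```python
import re


def extract_strings(blob, min_len=4):
    """Return sorted (offset, encoding, text) tuples for every run of printable
    ASCII and every run of printable UTF-16LE at least min_len characters long,
    roughly what `strings -a` and `strings -el` report on a memory dump."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(blob)]
    return sorted(found)


# Substrings a triage analyst would look for in an unknown binary. "RFB 003" is
# the version banner of the VNC wire protocol; the others are common shell hints.
INDICATORS = ("VNC", "RFB 003", "cmd.exe", "powershell")


def indicator_hits(strings, indicators=INDICATORS):
    """Map each indicator to the extracted strings that contain it (case-insensitive)."""
    hits = {}
    for off, enc, text in strings:
        for ind in indicators:
            if ind.lower() in text.lower():
                hits.setdefault(ind, []).append((off, enc, text))
    return hits


# Constructed stand-in for a memory dump: binary junk around an RFB banner,
# an ASCII status message and a UTF-16LE command line.
SAMPLE_DUMP = (b"MZ\x90\x00\x03\x00" + b"\x00" * 6 + b"RFB 003.008\n" + b"\x8a\x13\x00\xff"
               + b"VNC server listening" + b"\x00\x01\x02"
               + "cmd.exe /c ver".encode("utf-16-le") + b"\x00\x00\x9d\x9e")

if __name__ == "__main__":
    found = extract_strings(SAMPLE_DUMP)
    for ind, matches in indicator_hits(found).items():
        print(ind, "->", [(hex(off), text) for off, _, text in matches])
```

Scanning for the UTF-16LE form matters on Windows dumps, where a plain ASCII `strings` pass misses most of the interesting text.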

Kaspersky, the owner of Kaspersky Labs, informed Europol about the attack they had just witnessed, which brought Kaspersky Labs into a collaboration to prevent the malware from spreading to other areas throughout Europe (Carbanak 2019). Through these collaborative efforts, they found a second command and control server located in Holland. This was fortunate because Europol was able to confiscate the server and give it to Kaspersky Labs to inspect and read the malware's source code (Carbanak 2019). After careful review, they found an implementation mistake: performing an HTTP request to any server with a “/0” at the end of the address would produce a very specific error if that server was running the malware (Carbanak 2019). This allowed the team to locate and remove all instances of the malware's command and control servers worldwide (Carbanak 2019).

Nation State Shadow Hackers

Following the collapse of the US-North Korea summit in Hanoi, Vietnam, the North Korean government has been desperate for cash in light of the harsh US sanctions placed upon it, and those sanctions are driving a surge in North Korean cyberattacks focused on banks and businesses in the US and its allies (Perez, 2019). John Demers, the assistant attorney general for national security at the Justice Department, claims North Korea's cyber capabilities have quickly advanced to the level of Iran, China, and Russia (Perez, 2019). Nevertheless, North Korea remains focused on obtaining money, whereas the other countries focus more on intelligence operations (Perez, 2019). The North Korean hackers have been preying on target institutions with less advanced cyber capabilities (Perlroth, 2019). One example is the 2016 attack on the Bangladesh Bank systems, where North Korean hackers, backed by Pyongyang, posed as job-seekers and sent simple spear phishing emails to bank employees with links to malware, which gave the hackers access to the bank server (Perlroth, 2019). Once inside the bank's computer network, the hackers allegedly gained access to an inter-bank communications system and requested that the Federal Reserve Bank of New York transfer the bank's funds to accounts at separate institutions controlled by the North Koreans (Perlroth, 2019). Despite US law enforcement actions, the North Korean hackers operate more like an espionage operation, quietly conducting reconnaissance within the compromised financial institutions and balancing financially motivated objectives with learning about internal systems (Perlroth, 2019).

A recent report from the U.N. Security Council revealed that Pyongyang's hackers have hauled in around six hundred seventy million dollars in foreign currency and cryptocurrency (Perlroth, 2019). The 2015 attack on the Central Bank of Bangladesh produced eighty-one million dollars (Perlroth, 2019). In 2018, India's Cosmos Bank was exploited for 13.5 million dollars (Perlroth, 2019). This year, hackers infiltrated the Bank of Chile's ATM network and managed to siphon off 10 million US dollars (Perlroth, 2019). Ultimately, North Korea is learning how to perform these hacks out of necessity and is looking to non-state hacker groups to learn from their techniques. There is a cyber war taking place right now between nation states, and the losers are paying for it.

Works Cited

Barrett, B. (2019, February 20). ATM Hacking Has Gotten So Easy, the Malware’s a Game. Retrieved April 29, 2019, from https://www.wired.com/story/atm-hacking-winpot-jackpotting-game/

Carbanak APT. (n.d.). Retrieved April 29, 2019, from https://www.kaspersky.com/resource-center/threats/carbanak-apt

Criminals’ ATM trick: Reprogram, swipe cash. (2007, June 30). Retrieved April 29, 2019, from http://old.post-gazette.com/pg/07181/798367-85.stm

Devdreux, C. (n.d.). The Biggest Digital Heist in History Isn’t Over Yet. Retrieved May 2, 2019, from https://www.bloomberg.com/news/features/2018-06-25/the-biggest-digital-heist-in-history-isn-t-over-yet

Mastermind behind EUR 1 billion cyber bank robbery arrested in Spain. (2018, April 01). Retrieved April 15, 2019, from https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain

Mathews, L. (2019, March 11). North Korean Hackers Have Raked in $670 Million Via Cyberattacks. Retrieved May 1, 2019, from https://www.forbes.com/sites/leemathews/2019/03/11/north-korean-hackers-have-raked-in-670-million-via-cyberattacks/#482f71297018

Newman, L. H. (2018, January 31). A Devastating ATM Hack Swept the World-And Finally Hit the US. Retrieved April 30, 2019, from https://www.wired.com/story/jackpotting-atm-hacks/

Newman, L. H. (2019, April 10). A New Breed of ATM Hackers Gets in Through a Bank’s Network. Retrieved April 28, 2019, from https://www.wired.com/story/atm-hacks-swift-network/

Perez, E., & Shortell, D. (2019, March 01). North Korean-backed bank hacking on the rise, US officials say. Retrieved April 30, 2019, from https://www.cnn.com/2019/03/01/politics/north-korea-cyberattacks-cash-bank-heists/index.html

Perlroth, N. (2019, March 03). As Trump and Kim Met, North Korean Hackers Hit Over 100 Targets in U.S. and Ally Nations. Retrieved May 1, 2019, from https://www.nytimes.com/2019/03/03/technology/north-korea-hackers-trump.html

Tyupkin Virus (Malware) ATM Security. (n.d.). Retrieved April 29, 2019, from https://www.kaspersky.com/resource-center/threats/tyupkin-malware-atm-security-malware

Winn, P. (2018, May 16). How North Korean hackers became the world’s greatest bank robbers. Retrieved April 30, 2019, from https://gpinvestigations.pri.org/how-north-korean-hackers-became-the-worlds-greatest-bank-robbers-492a323732a6