More details are emerging on the international cybercrime ring based out of Eastern Europe who made off with some $1 billion in two years from 100 different banks in nearly 30 countries.

Their main attack venue was spearphishing emails with a CPL or Word document attachment, sent to employees of financial firms and retail organizations. Computers were then infected with a Trojan backdoor that collects data, and provides remote access to the machines. The code used in the malware was digitally signed and appeared to many vulnerability scanners to be legitimate code.

In some cases, the vulnerabilities exploited were in Microsoft Office software, rather than in the operating system itself. Apparently some of the companies who were hacked were updating system software regularly, but neglecting to patch applications as frequently. Reports indicate that multiple vulnerabilities were targeted, and some companies were compromised multiple times.

After a machine was penetrated, the attackers moved through the network in search of more attractive targets to attack (such as administrators machines). When a network was compromised, they used a collection of seemingly unrelated malware aimed at exploiting virtually every point of possible vulnerability, The attacks eventually allowed them to divert funds from many systems – ATMs to retail point-of-sale to SWIFT – the Society for Worldwide Interbank Financial Telecommunication. The criminals managed to stay in compromised networks and well under the radar for almost a year.

It’s also believed that attackers used video surveillance to snoop on employees and executives. Watching how people worked allowed the criminals to understand the processes used in compromised firms to, for example process high amount wire transfer transactions or program consumer-facing devices. Knowing what processes were used allowed the criminals to avoid making mistakes that might point to their presence in the compromised systems.

Several security companies, including Kaspersky Lab which finally pulled all the pieces together, had been investigating odd ATM behavior over the past year. But this was no ordinary malware – there was no need for the attacker/s to have direct physical access to the ATM or POS to install the malware. Instead, the ATM had been remotely reprogrammed from a networked source. Attackers were able to make the ATM produce money on demand. All they needed was someone to be on the scene at a pre-determined time to pick up the cash.

The malware (and the gang that wields it) has been named “Carbanak.” The malware is now classified as an Advanced Persistent Threat (APT) An APT it is a continuous, stealthy hack attack which is intended to remain active over an extended period of time. Most APT attacks target a specific nation, industry or organization. APTs tend to be very sophisticated attacks, conducted by well-funded criminal organizations. This funding can come from governments or organized crime.

Kaspersky Lab, along with many other security firms including BAI Security, sees Carbanak as a global threat, and says that shutting down the entire criminal organization won”t be easy.

So far, as noted above, financial and retail sectors have been the primary targets. The countries that have been hit the hardest are Russia, followed by Denmark and the US. Financial institutions in Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, UK, Poland, Pakistan, Nepal Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia have also been affected.

Companies can mitigate the risk of falling victim to a Carbanak attack with basic security best practices:

  • Be extremely wary of opening an emailed attachment or following a link embedded in an email, no matter who it appears to come from.
  • Provide comprehensive training on spearphising and social engineering.
  • Update *all* software on a regular basis.
  • Use malware detection that utilizes heuristics, for earlier detection than signature-based solutions can typically provide.
  • Have regular security compromise assessments performed by a third-party security firm to ensure that malware hasn’t crept into the network.


A BAI Security Compromise Assessment searches for anomalies on all endpoints in real time, using nonintrusive forensic software that detects Carbanak along with other, equally malicious, malware. Find out more here.