Carbanak: Theft of the Century


Advanced Persistent Threats (APT) use the most sophisticated hacking tools. The topic is a hobbyhorse of IT security experts, but the average person is not interested in such threats.

For many people, even some of the most common attacks seem like fiction. Until recently, APT attacks were not discussed publicly, as most of them were aimed at governmental organizations: all details of the investigations were kept strictly confidential, and the economic impact was, for obvious reasons, difficult to quantify.

However, something is changing in this regard: APT attacks have already appeared in the commercial sector, or more precisely, in the banking sector. Here the results are much easier to estimate: the losses caused by the APT campaign against dozens of global financial institutions amounted to one billion dollars.

Attack vector

To penetrate the bank’s internal network, the attackers used spear phishing messages, tricked users into opening them, and infected their machines with malware. A backdoor based on Carberp malicious code was then installed on the victim’s computer; this code gave the campaign its name, Carbanak.

After gaining control over a compromised machine, the cybercriminals used it as an entry point: they explored the bank’s internal network and infected other computers to find out which ones could help them gain access to critical financial systems.

The criminals then studied the financial tools used by the banks with the help of keyloggers and covert screenshots.

Finally, the hackers withdrew the funds, choosing the most convenient method on a case-by-case basis: they used SWIFT, created fake bank accounts from which cash was withdrawn by special persons called mules, or remotely sent instructions to an ATM.

It took the thieves an average of two to four months to rob each victim, from the first day of infection until the cash was paid out.

Estimating losses

Either way, the criminals robbed each victim bank of $2.5 million to $10 million, an amount that looks stunning even when judged individually. Given that tens or even hundreds of organizations lost funds to this APT attack, the total could be as high as $1 billion.

The countries hit hardest by the attack were Russia, the US, Germany, China and Ukraine. Carbanak is currently expanding into new territories: it has already been detected in Malaysia, Nepal, Kuwait and several African countries.