East European Banks Cyber Robbed: How Did They Do It?
Below, Thanassis Diogos, Managing Consultant, SpiderLabs at Trustwave, discusses with Finance Monthly the intricate planning and plotting behind the recent Eastern European cyber heist against banks, which combined physical and cyber theft methods. Trustwave believes that this attack has the potential to spread to the UK and around the world.
Earlier this year Trustwave was called in to investigate several security breaches which had affected banks in post-Soviet countries. These attacks were a hybrid of physical and cyber techniques: people were used as mules to open new bank accounts, while cyber specialists hacked into the banks' systems. Banks which had been compromised suffered significant monetary losses, somewhere between USD 3 million and USD 10 million each. Trustwave's investigation also discovered that the attacks shared common features. These indicators included large financial losses originating from apparently legitimate customer accounts, and all thefts taking place at ATMs outside the bank's home country, where the money was withdrawn using a legitimately issued debit card.
In some cases, the banks were not aware they were being breached until the attack was complete. In other cases the malicious activity was picked up by the third-party processors responsible for processing credit and debit card transactions. Despite the large sums being stolen, the thefts were hard to detect because the debit cards had been acquired legitimately through the standard in-branch application process, so nothing about the cards themselves looked suspicious.
A closer look
Upon investigation of the third-party processors and the affected banks, we found a distinctive modus operandi behind the breaches. The criminal gang had used innovative tactics, techniques and procedures to complete the attack campaign. The attack comprised two physical stages which bookended it: the mules opened bank accounts in the initial phase and withdrew the funds in the final ATM cash-out phase. The cyber-attack in between comprised four stages: obtaining unauthorised access to the bank's network, compromising the third-party processor's network, obtaining privileged access to the card management system, and finally activating the overdraft facility on specific accounts.
Method in the madness
The criminals hired a number of mules and provided them with false credentials so they could open new accounts in branch. On opening the accounts, the mules requested debit cards, and the cards were then passed out of the originating country to a group of international conspirators. Requesting a debit card with a new account is routine and raises no suspicion, because what a debit card can normally withdraw is bounded by the account balance.
Whilst these numerous bank accounts were being opened in branch, the cyber part of the attack was already under way. Members of the criminal gang hacked into the victim banks' internal systems and manipulated the debit card attributes to allow very high overdraft limits, or no overdraft limit at all, and also removed any anti-fraud controls in place on the specific accounts. Almost simultaneously the operation continued in the countries to which the debit cards had been sent. The cards were used to make large withdrawals from a number of ATMs which had been carefully selected because they had high or no withdrawal limits. Locations were also chosen to be remote and to have either no security cameras or obscured ones. Within the following few hours the operation concluded with a sum between USD 3 million and USD 10 million having been withdrawn from each bank.
Recommendations to banks
There are measures which banks can take to help mitigate these kinds of attacks. A proactive programme such as managed detection and response (MDR), built around threat hunting, is recommended. Implementing a threat hunting programme will allow banks to detect threats early and mitigate them before they have the opportunity to do any real damage. Banks should also prepare incident response plans and have them well documented and tested, so they are fully prepared to act swiftly if such incidents occur.
Unfortunately, the success of these attacks can be attributed to the lack of coupling between the core banking system and the third-party card management system. Had these two systems been integrated correctly, the changes to the debit cards' overdraft limits would have been red-flagged much earlier, because the card limits would no longer have matched what the bank had actually sanctioned on the accounts. A second, procedural control failure was that several user accounts on the card management system were able to both raise a change request and approve it. This violates a control commonly used in banks and banking applications called Maker-Checker, under which the person who raises a change must never be the one who approves it. Banks are therefore advised to undertake frequent cyber security risk assessments to detect and mitigate this type of control weakness.
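The two control failures above, and the account manipulations described in the attack narrative, are the kind of thing a simple reconciliation job can surface. The following is an added example written for this article, not Trustwave's tooling or any bank's or processor's code. It assumes hypothetical record layouts for the card management system, the core banking system and the card system's change log, and runs three checks over constructed sample data: card overdraft limits and anti-fraud flags reconciled against what core banking sanctioned, Maker-Checker violations where the maker and checker are the same user, and overdraft changes made shortly after an account was opened, which matches the mule pattern.

```python
# Added example: reconciliation and Maker-Checker checks over constructed
# sample records. Illustrative code written for this article, not Trustwave's
# tooling or any bank's system. Record layouts, field names, user IDs and
# sample values are all assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CmsCard:
    """Debit card as held by the third-party card management system (assumed shape)."""
    account_id: str
    overdraft_limit: Optional[float]   # None models "no overdraft limit at all"
    fraud_controls_enabled: bool


@dataclass(frozen=True)
class CoreAccount:
    """Customer account as held by the bank's core banking system (assumed shape)."""
    account_id: str
    approved_overdraft: float          # the overdraft the bank actually sanctioned
    opened: datetime


@dataclass(frozen=True)
class ChangeRequest:
    """One entry from the card management system's change log (assumed shape)."""
    account_id: str
    field: str
    maker: str                         # user who raised the change
    checker: str                       # user who approved it
    when: datetime


def reconcile_overdrafts(cards: List[CmsCard],
                         accounts: List[CoreAccount]) -> List[Tuple[str, str]]:
    """Report every card whose overdraft exceeds the sanctioned figure (or has no
    limit), has anti-fraud controls switched off, or has no core banking account."""
    core_by_id = {a.account_id: a for a in accounts}
    findings = []
    for card in cards:
        acct = core_by_id.get(card.account_id)
        if acct is None:
            findings.append((card.account_id, "card has no matching core banking account"))
            continue
        if card.overdraft_limit is None or card.overdraft_limit > acct.approved_overdraft:
            findings.append((card.account_id, "card overdraft exceeds sanctioned overdraft"))
        if not card.fraud_controls_enabled:
            findings.append((card.account_id, "anti-fraud controls disabled on card"))
    return findings


def maker_checker_violations(changes: List[ChangeRequest]) -> List[ChangeRequest]:
    """Maker-Checker: the user who raises a change must not also approve it."""
    return [c for c in changes if c.maker == c.checker]


def limit_changes_on_new_accounts(changes: List[ChangeRequest],
                                  accounts: List[CoreAccount],
                                  window_days: int = 30) -> List[ChangeRequest]:
    """Overdraft changes within window_days of account opening: the mule pattern."""
    core_by_id = {a.account_id: a for a in accounts}
    window = timedelta(days=window_days)
    return [c for c in changes
            if c.field == "overdraft_limit"
            and c.account_id in core_by_id
            and c.when - core_by_id[c.account_id].opened <= window]


# Constructed sample data (not real accounts, users or dates).
ACCOUNTS = [
    CoreAccount("A1", 500.0, datetime(2017, 3, 1)),
    CoreAccount("A2", 0.0, datetime(2017, 3, 2)),
    CoreAccount("A3", 0.0, datetime(2015, 1, 10)),
]
CARDS = [
    CmsCard("A1", 500.0, True),         # consistent with core banking
    CmsCard("A2", None, False),         # no limit at all, anti-fraud controls removed
    CmsCard("A3", 2_000_000.0, True),   # limit far above the sanctioned 0.0
    CmsCard("A4", 0.0, True),           # card with no core banking account behind it
]
CHANGES = [
    ChangeRequest("A2", "overdraft_limit", "op17", "op17", datetime(2017, 3, 5)),
    ChangeRequest("A3", "overdraft_limit", "op17", "sup03", datetime(2017, 3, 5)),
    ChangeRequest("A2", "fraud_controls", "op22", "op22", datetime(2017, 3, 5)),
    ChangeRequest("A1", "postal_address", "op04", "sup03", datetime(2017, 3, 10)),
]

if __name__ == "__main__":
    for acct_id, reason in reconcile_overdrafts(CARDS, ACCOUNTS):
        print(f"RECONCILE      {acct_id}: {reason}")
    for c in maker_checker_violations(CHANGES):
        print(f"MAKER-CHECKER  {c.account_id}: '{c.field}' raised and approved by {c.maker}")
    for c in limit_changes_on_new_accounts(CHANGES, ACCOUNTS):
        print(f"NEW-ACCOUNT    {c.account_id}: overdraft changed {c.when.date()}, "
              f"opened {ACCOUNTS[1].opened.date()}")
```

On the sample data the reconciliation flags A2 twice (unlimited overdraft, fraud controls off), A3 once (limit above the sanctioned figure) and A4 once (no core banking account), the Maker-Checker check catches the two self-approved changes by op17 and op22, and the new-account check isolates the overdraft change on A2 three days after it was opened. A3's change passes Maker-Checker on its own, which is why the reconciliation against core banking is the control that matters: an approved change is still wrong if the two systems disagree.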
Currently the attacks have been localised to Eastern Europe and Russia; however, we believe that they represent a clear and imminent threat to financial institutions in Europe, North America, Asia and Australia over the forthcoming months. During the course of the investigation it was discovered that bank losses currently stand at around USD 40 million. This figure does not account for undiscovered or uninvestigated attacks, nor for investigations undertaken by internal groups or other third parties, so the total losses could already run into hundreds of millions of USD. We would advise all global financial institutions to take this threat seriously and take the necessary precautions.