Kaspersky Lab has said that the Carbanak attackers are targeting financial entities directly in an unprecedented, determined, highly professional and coordinated attack which is still ongoing.
Named Carbanak as it based on the Trojan Carberp and the name of the configuration file is “anak.cfg”, Kaspersky’s analysis says that according to what it has found, the first malicious samples were compiled in August 2013 when the controllers started to test the Carbanak malware.
It said that the first infections were detected in December 2013, and the gang were able to successfully steal from their first victims during the period between February-April 2014, while the peak of infections was recorded in June 2014. It believed that the campaign is still active, while Dutch security investigations firm Fox-IT said in its update that “since early December, the group has decreased their activities and might now have even stopped entirely”.
Fox-IT said: “We don’t have evidence that the group is currently very active, but they might start at any time they want. Another option is that they have started again and we simply have not received any reports and evidence of their new activity.”
Kaspersky Lab said that detection of Carbanak began upon investigating the hard disk of the ATM system, and later when the CSO of a Russian bank said that data was being sent from their Domain Controller to the People’s Republic of China.
“When we arrived on site, we were quickly able to find the malware on the system,” it said. “We wrote a batch script that removed the malware from an infected PC, and ran this script on all the computers at the bank. This was done multiple times until we were sure that all the machines were clean.”
Martin Lee, cyber crime manager at Alert Logic, said: “Forensic examinations take a long time to conduct. Once discovered it is quick and easy to announce that malware has been found, however it takes many weeks and months of forensic examination to identify exactly what which systems were affected, what was stolen and how far did the attack spread. I think what we are seeing here is the results of the in depth investigation being released.”
Asked why he felt that a group which ceased activity three months ago was receiving attention now, TK Keanini, CTO of Lancope, said that there could be several reasons: that these are advanced threat actors and while it may seem like they are laying low, he was certain that they are working on new techniques as their old tools and techniques have been discovered.
“Also, so many other events were happening that this particular attack and criminal group was just caught up in the noise,” he said. “There are many variants of crimeware or banking malware and these threat actors are just one of the groups. These numbers are growing, not shrinking."
“Also attribution takes time and is ultimately very hard to do with in the digital domain. These groups were also employing physical processes in their acts and if this were all digital, the attribution would have been incredibly difficult.”
Looking at the pattern of stealing $1 billion (£650 million) in two years from 30 countries, Keanini said that it is safe to say that there are banks in other countries that maybe were even more vulnerable at this point in time, but the overall pattern is that while IT systems are similar in operation, their defences and detection systems vary greatly and it is here that the attacker sets out their tactics and strategies.
“The pattern is so common in the fact that the techniques used by these attackers were predictable and sequential, and yet these victims were all unable to detect these operations,” he said.
“The attacker must be thinking ‘we have something that works, let’s just keep using it globally’, and so they did. Anywhere where there is an IT system used for business, this attack strategy would work and so many systems are still vulnerable to this type of attack.”