Carbanak - The Great Cyber Bank Robbery


Kaspersky Lab have recently made public some details of a cyber criminal gang dubbed “Carbanak”, who have reportedly compromised more than a hundred financial firms across the world and netted millions in stolen funds in the process. In December 2014, Fox-IT in collaboration with Group-IB published a report on a group named Anunak that had successfully conducted similar compromises of banks in Russia. These groups are reportedly one and the same.

The Fox-IT report can be found here and the Kaspersky report here.

In essence, the attackers used the well known spear-phishing technique to trick bank employees into unwittingly providing remote control of their computers. The attackers then proceeded to jump from computer to computer and watch banking employees conduct their daily activities. They sat, watched and waited for a very long time until they had learned and observed enough to allow them to execute their heist.

It all sounds very dramatic and has the appeal of a Hollywood heist movie. Sadly this is not a work of fantastical fiction and more a reality of the threat profile that many organisations face every day as they go about their business. However there is some good news, and something the public should be aware of that may make them sleep a little better at night. There is no need to be swept along with the hyperbole that normally accompanies an event of this scale and magnitude. Whilst this event illustrates an increase in capabilities and levels of attacker sophistication, the UK security industry is prepared for this ‘levelling-up’ of the cyber criminal fraternities and the cyber threat. Measures are already in place to deal with the problem, and have been for some time.

MWR has been working with a broad portfolio of clients for many years, helping them face many complex and unique security challenges. The UK has one of the most mature cyber security postures in the world and this is evidenced by the respect the world has for our professional organisations and schemes (e.g. CPNI, CESG and CREST). Most recently, these schemes have been extended to provide a framework specifically designed for financial firms such as those targeted by Carbanak, although it is also very applicable to non-financial firms. The schemes are known as CBEST and CSTAR, and MWR has been successfully assessed to supply penetration testing services as part of the scheme. CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests. More details of the schemes can be found on the CREST website.

The public can have every confidence that those financial institutions engaged in the scheme are doing everything they can to protect themselves and their customers’ finances. Under the scheme, UK financial institutions submit themselves to simulated attacks, designed specifically to emulate the activities of real-world hackers – in order that they can better defend their systems when the attack comes for real. Any organisation undergoing such tests is going to be able to combat advanced threat actors and have an increased cyber resilience to such targeted attacks.

It comes as no surprise to MWR that the initial foothold was obtained by the attackers, as reported in the Carbanak extracts, via a phishing attack. This technique continues to be a winning strategy over and over again, as those at MWR Phish’d will testify. When we run controlled phishing assessments against clients for the first time, it isn’t uncommon to see more than 60% of employees clicking links or opening attachments in our suspect emails – with almost all of those users then going on to disclose sensitive credentials such as login details.

Driven by compliance requirements, a large number of organisations run security awareness training, which often gives a false sense of security. Compliance, alongside providers of security awareness training, has promoted the belief that raising awareness of security topics such as phishing and social engineering makes an organisation more secure. Unfortunately, whilst this approach does have its place as part of a wider security programme, raising awareness alone doesn’t change employee behaviour. Many users that fall for phishing emails are aware of what phishing is – so in MWR’s experience, organisations can’t purely rely on raising awareness. We’ve seen greater success when organisations focus their efforts on changing behaviours and use regular simulated assessments, combined with targeted and relevant point-in-time education.

The Carbanak attackers, once they had obtained their initial ‘beach head’, managed to maintain access for a very long time with their activities going unnoticed. If the initial attack is missed, there is a small window of opportunity for the defensive team within the compromised organisation to react, if they are looking for the right indicators of compromise (IOC). It is very likely that the compromised finance firms relied on numerous SIEM solutions to defend their environments. The breaches however illustrate that reliance on technology alone is not going to get the job done.

It is MWR’s experience that a motivated and creative human attacker will almost always beat off-the-shelf compliance driven defences. MWR’s cyber defence and incident response teams (one of the select few appointed by GCHQ and CPNI to be part of the UK Cyber Incident Response scheme) have found when working with clients to defend and respond to similar attacks, that they are almost impossible to detect if you don’t have the right human intelligence augmenting deployed defensive technologies. Details of the CIR scheme can be found here.

It may seem odd to some that the attackers waited so long before making away with their bounty, especially as some breaches have been reported as being initiated back in 2013. Well, this is where perhaps a Hollywood script writer may gloss over some very boring and mundane facts about just how unsexy (for some) hacking can be.

The funds transfer systems employed by financial organisations have many moving parts. Contrary to popular belief, it’s not that easy to siphon out cash, not at the push of a single button at least. There are a number of stacked digital and physical safeguards, countermeasures and processes in place. This is why the attackers observed the banks’ employees for so long. MWR’s methodology, when contracted to conduct simulated exercises of this nature, is very similar to that employed by the attackers. It takes a long time to fully understand the inner workings of a financial institution and its procedural and digital nuances. For example, a transfer of £100,000 to a fraudulent account may go unnoticed in an institution that is used to transferring in excess of £100,000 per transfer, whereas in another organisation that amount wouldn’t be authorised and would actually set the alarm bells ringing. These rules are personal to each financier.
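The per-institution point above, as an added sketch that is not from MWR or from either report: the same £100,000 transfer is scored against each institution's own history instead of one global limit. The institution names, account identifiers, amounts, the modified z-score with a 3.5 cut-off and the new-beneficiary check are all assumptions made for illustration.

```python
from statistics import median

# Constructed sample data (not from the reports): past outbound transfers per
# institution as (beneficiary_account, amount_gbp).
HISTORY = {
    "bank_a": [("ACC-01", 120_000), ("ACC-02", 250_000), ("ACC-01", 180_000),
               ("ACC-03", 310_000), ("ACC-02", 95_000), ("ACC-03", 400_000),
               ("ACC-01", 150_000), ("ACC-02", 220_000)],
    "bank_b": [("ACC-11", 1_200), ("ACC-12", 800), ("ACC-11", 2_500),
               ("ACC-13", 3_000), ("ACC-12", 950), ("ACC-13", 1_800),
               ("ACC-11", 2_200), ("ACC-12", 1_500)],
}

def amount_score(institution, amount):
    """Modified z-score of an amount against the institution's own history."""
    amounts = [a for _, a in HISTORY[institution]]
    med = median(amounts)
    mad = median([abs(a - med) for a in amounts])  # median absolute deviation
    if mad == 0:
        return float("inf") if amount > med else 0.0
    return 0.6745 * (amount - med) / mad

def review_transfer(institution, beneficiary, amount, z_limit=3.5):
    """Return the reasons (possibly none) this transfer needs manual review."""
    reasons = []
    if amount_score(institution, amount) > z_limit:
        reasons.append("amount far above this institution's baseline")
    known = {b for b, _ in HISTORY[institution]}
    if beneficiary not in known:
        # Assumed second signal: an in-range amount to an unseen payee.
        reasons.append("beneficiary never paid before")
    return reasons

def fixed_rule(amount, limit=500_000):
    """One-size-fits-all threshold for comparison (hypothetical limit)."""
    return amount > limit

if __name__ == "__main__":
    for inst in HISTORY:
        print(inst, fixed_rule(100_000), review_transfer(inst, "ACC-99", 100_000))
```

At the constructed high-value institution the amount alone raises nothing, so only the unseen beneficiary triggers review; at the low-value one both signals fire, while the fixed limit stays silent in both cases.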

The tradecraft employed differs from attacker to attacker; in principle, however, most apply a similar approach. Once an initial foothold is obtained, the threat actor will perform internal reconnaissance looking to identify opportunities for lateral and vertical movement within the network. They’ll also begin to locate key systems and escalate their privileges. Once this activity is complete, they will often go very quiet, then wait and watch. A SIEM run by a competent team of security professionals, who are threat-intelligence driven and who understand the threats to the business, can defend the network. However, an augmented intelligence-driven approach is key.

At the start of this post, we actually wanted to provide some reasonable sanity around the whole story and not to get swept along with the hyperbole of “The Great Cyber Bank Robbery”. We hope that what you can take away is that with organisations like MWR providing a proven portfolio of mature cyber security services to all organisations of all shapes and sizes across the UK, not just within the financial sector, under the professional and guaranteed frameworks provided by respected organisations such as CESG, CPNI and CREST, the UK is more than ready to deal with the cyber threat.

 

 
