wired.co.uk/article/carbanak-gang-malware-arrest-cybercrime-bank-robbery-statistics

Breaking into a bank doesn't require drilling through 20 inches of reinforced concrete. In
fact, you don't even need to enter a vault at all. Towards the end of 2013, ATMs in Ukraine
started spitting out free cash to passers-by. Among those filling their pockets were mules
waiting for the money to be dispensed.

The ATMs of affected banks – none of which have ever been named – had been targeted
by hackers installing malware within the financial institutions' computer systems. Once
compromised, the cash machines could be remotely controlled and made to dish out
money at will.

One organisation lost $7.3 million from ATM fraud, security company Kaspersky detailed
following the attacks in 2015. "There will be hundreds of people [involved]," says Sergey
Golovanov, a principal security researcher at the Russian cybersecurity firm. "Dozens of
people that are working 24/7, that would be the real scale of the Carbanak group."

The Carbanak cybercrime group, named after one piece of malware it used to access
banking systems, is suspected of stealing €1 billion from financial organisations since its
early attacks in 2013 and has targeted more than 100 financial institutions in at least 40
countries. The UK, Spain and Russia are among the countries targeted within the last four
years.

Golovanov, who was first to publicly detail the group's activities three years ago, likens its
work to that of state-sponsored hackers, taking several months to complete its attacks.
Kaspersky's 2015 research says spoofing ATMs into dispensing cash is just one way the
group has made money.

Carbanak also infiltrated the systems of banks to transfer money into its own accounts and
altered databases. It would artificially inflate the amount of money in an account and then
transfer this to other accounts. One financial group is claimed to have lost $10 million due
to the exploitation of its online banking platform.

Each time a hit happened, there was one thing in common: members of the group were
inside the bank's internal systems. "Carbanak [malware] contains an espionage component
that allows the attackers to take control of video capabilities on the victim systems,"
Golovanov's 2015 report said. The surveillance allowed attackers to understand what
genuine transactions would look like, making their theft look genuine.

"They will drop millions and these millions will be pushed through the money laundering
system," Golovanov says. "And then on to the next target."

As temperatures in Alicante, Spain, hit highs of 18°C on March 6, 2018, around 20 law
enforcement officials swooped on a house in the city. Inside they arrested a man they say is
the head of the billion Euro Carbanak cybercrime group. He has been named by Spain's
Interior Ministry as 'Denis K' and is said to be Ukrainian.

Spanish authorities and Europol announced the arrest last week after what they called a
"complex" investigation. The investigation into his alleged activities is continuing with law
enforcement examining the computers and devices found in his home.

The hunt for Carbanak's leader involved financial groups that had lost money, the FBI,
Moldovan, Belarussian and Taiwanese authorities. In making the arrest, Europol confirmed
Kaspersky's 2015 research. "This is something we have been waiting for for a long time,"
explains Fernando Ruiz, the head of operations at Europol's European Cybercrime Centre
(EC3).

Ruiz claims the arrested man was the mastermind at the head of the Carbanak
cybercriminals. "We consider this as one of the most important arrests in the last years
because this person, arrested in Spain, was the person actually coding the malware," he
explains. Europol has also stated the group was developing the malware it used.

"This person was technically excellent, he was able to identify vulnerabilities and code the
malware to exploit these vulnerabilities," claims Ruiz, who helped to coordinate international
efforts to track down members of Carbanak. He also believes the group was
planning more cyberattacks against financial groups. "There are not many criminals with
this knowledge, with this capacity to develop this kind of malware," he says. There was,
Ruiz states, "new malware recently tested and recently produced, ready to be deployed."

Legal proceedings against Denis K are ongoing. It is now up to police and prosecutors to
prove the allegations they have made against him. So far, Europol has not revealed any
public evidence to back up its claims.

Separately, Spanish police inspector Carlos Yuste told Bloomberg he believes Denis K
worked with three other gang members, who didn't know each other and chatted online.
Ruiz adds the arrested man was on the radar of Spanish authorities for "quite some time"
but it needed international law enforcement to help build a case.

The key to tracking the man down to his Alicante home was through Taiwan and Belarus,
Ruiz says. A report from Europol and security company Trend Micro published last year
details how both countries saw ATMs dispensing cash to mules.

The report says $2.5m (£1.78m) was stolen from 41 Wincor Nixdorf ATMs operated by First
Commercial Bank in Taiwan during July 2016 "without using cash cards or even touching
the PIN pads". After the attack arrests were made and malware was found within the
bank's system. "These were one of the typical ATM network attacks in Taiwan. They got
access to the network in Taiwan and cashed out the money to mules," Ruiz says.

"The police were able to arrest a number of these mules so we started to co-operate with
Taiwan to see where this was coming from. This was an important element as this led to a
group in Belarus and there we were able to connect this target. We were able to connect
Taiwan, Belarus and Spain through the information exchanged with partners."

Europol says "criminal profits" were laundered via cryptocurrencies. "Prepaid cards linked
to the cryptocurrency wallets which were used to buy goods such as luxury cars and
houses," the international agency said in its statement.

A report in El Mundo, Spain's second-largest newspaper, claims Denis K owned 15,000
bitcoins (currently valued around £84m) at the time of his arrest. Catalan newspaper El
Periódico de Catalunya reported that the arrested man lived with his wife and son, drove
two BMWs and had jewellery valued at €500,000 within the home. Police did not know what
technical equipment may be inside the house so sent an array of digital experts to examine
it, Ruiz says.

Carbanak's criminal infrastructure may have been sophisticated, but its initial methods of
getting inside banks have been reassuringly familiar. Both security firm Kaspersky and
Europol say spear-phishing emails were sent to members of staff.

Starting around 2013, legitimate-looking email messages were sent to members of staff
inside banking organisations. As is common with spear-phishing campaigns, these appeared
to be sent from trusted senders and included attachments in the form of Word 97-2003
documents or control panel files.
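The two attachment types named above, legacy Word 97-2003 documents and Windows control panel (.cpl) files, are easy for a mail gateway to triage by content rather than by filename alone: a .doc is an OLE2 compound document and a .cpl is a PE executable (a DLL), so their leading bytes give them away even when the extension lies. The following Python is an added example written for this article, not code from Kaspersky, Europol, or the Wired piece; the block/review extension lists are an assumed gateway policy, and the sample attachments are constructed byte strings rather than real malware.

```python
"""Attachment triage for a mail gateway (added example, not from the article).

Flags the attachment types associated above with Carbanak's spear-phishing
(Word 97-2003 .doc and control panel .cpl files) and catches renamed
executables by checking file magic against the claimed extension.
"""
import os
from typing import List, Tuple

# File-format magic numbers (genuine format facts, not assumptions):
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound document (.doc/.xls/.ppt)
PE_MAGIC = b"MZ"                                 # DOS/PE header; .cpl files are PE DLLs
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsx) is a ZIP container

# Assumed gateway policy (hypothetical lists, tune to your environment):
BLOCK_EXTENSIONS = {".cpl", ".exe", ".scr", ".dll", ".pif"}   # executable types
REVIEW_EXTENSIONS = {".doc", ".xls", ".ppt"}                  # legacy Office, macro-capable


def sniff_container(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the filename."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is one of 'block', 'review', 'allow'."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_container(data)

    # Executable content is blocked whatever it is called (covers .cpl and renamed PEs).
    if kind == "pe":
        return "block", f"executable (PE header) content in {filename!r}"
    if ext in BLOCK_EXTENSIONS:
        return "block", f"blocked extension {ext}"

    # Legacy Office documents: genuine OLE2 goes to sandbox/macro analysis,
    # anything else wearing that extension is a content/extension mismatch.
    if ext in REVIEW_EXTENSIONS:
        if kind == "ole2":
            return "review", "legacy OLE2 Office document; route to sandbox/macro analysis"
        return "block", f"extension {ext} but content is {kind}: mismatch"

    # Modern Office files must be ZIP containers; anything else is suspicious.
    if ext in {".docx", ".xlsx", ".pptx"} and kind != "zip":
        return "block", f"{ext} that is not a ZIP container (content is {kind})"

    return "allow", "no policy match"


SEVERITY = {"allow": 0, "review": 1, "block": 2}


def triage_message(attachments: List[Tuple[str, bytes]]) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Triage every attachment of one message; the message verdict is the strictest one."""
    results = []
    worst = "allow"
    for name, data in attachments:
        verdict, reason = triage_attachment(name, data)
        results.append((name, verdict, reason))
        if SEVERITY[verdict] > SEVERITY[worst]:
            worst = verdict
    return worst, results


# Constructed sample attachments (headers only, padded with zeros; not real files).
SAMPLE_ATTACHMENTS = [
    ("invoice.doc", OLE_MAGIC + b"\x00" * 24),        # genuine legacy Word document
    ("settings.cpl", PE_MAGIC + b"\x90\x00" + b"\x00" * 28),  # control panel file (PE DLL)
    ("report.doc", PE_MAGIC + b"\x90\x00" + b"\x00" * 28),    # executable renamed to .doc
    ("summary.docx", ZIP_MAGIC + b"\x00" * 20),       # modern OOXML document
]

if __name__ == "__main__":
    overall, rows = triage_message(SAMPLE_ATTACHMENTS)
    for name, verdict, reason in rows:
        print(f"{verdict:6s} {name:14s} {reason}")
    print("message verdict:", overall)
```

Magic-byte sniffing is deliberately the first check, so that an executable arrives at "block" before any extension logic runs; the extension lists only decide what happens to content that is not obviously executable.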

Around the end of 2014, before Kaspersky published its report, two other security
companies Group-IB and Fox-IT spotted the crimes of the Carbanak group and noted it was
using malware called Anunak. The two firms later said all the companies were looking at
the same cybercrimes.

Kaspersky's original report claims the malware contained within the attachments exploited
vulnerabilities within Word and Office to open a backdoor called Carbanak. This backdoor,
which was based on Carberp malware, allows for "espionage, data exfiltration and to
provide remote access to infected machines". From here, Kaspersky says, attackers were
within the networks of financial groups and could conduct surveillance on usual activity and
then replicate it to steal money.

Once downloaded, the malicious software allowed the criminals to remotely control the
victims’ infected machines, giving them access to the internal banking network and
infecting the servers controlling the ATMs. This provided them with the knowledge they
needed to cash out the money.

"We have seen an evolution in how criminals have been targeting the financial networks,"
Ruiz says. From 2016, it is claimed, the malware used by the Carbanak group was
changed. It started to use "tailor-made malware" that was based on the Cobalt Strike
penetration testing software. Cobalt Strike is a legitimate piece of software that's used to
simulate cyberattacks, and its modification by Carbanak was used to remotely control PCs.

"It wasn't just one type of malware, it was several types of malware," says Keith Gross, the
chair of the European Banking Federation's (EBF) cybersecurity working group. The
investigation into Carbanak was the first time the EBF has actively worked with Europol
ahead of an arrest being made.

"The mastermind was getting more sophisticated types of malware and improving on the
existing types of malware," Gross adds. "I believe there was a treasure trove of information
gleaned from his arrest in terms of the equipment seized by Spanish law enforcement. A
Pandora's box so to speak."

It's currently unknown exactly how many other people may have been working for the
Carbanak group and officials still need to prove to courts that Denis K is guilty of the
alleged crimes. Yuste told Bloomberg "the head has been cut off". However, Kaspersky's
Golovanov says there may still be some activity from the group. "Right now we see that the
infrastructure criminals were using for their robbery is still operational," Golovanov says.
"We've predicted there will be less scale and it will be much less easier for them to work."
