How to Be Safe Online

How to Fight the Next $1 Billion Bank Hack

For starters, assume you’ve already been hacked.

One way hackers stole from banks was by seizing central control of the banks’ ATMs to set the terminals to spit out money spontaneously, where they had accomplices waiting to collect the cash.

Photo illustration by Slate. Photos by Thinkstock.

Good news! A major hack you don’t have to worry about! Unless, that is, you happen to be an executive or security employee at one of the hundreds of banks targeted by the group that’s come to be known as Carbanak or Anunak. If you are, then you have a problem, because these hackers, and no doubt others to come, aren’t targeting banking consumers but the very internals of banks, silently monitoring their systems and subtly defrauding them. Unlike most cybercrime, this wasn’t a holdup, but a bank heist—the kind that could ultimately affect both consumers and governments. And that’s why we should all be paying attention.

Skill-wise, the attack is on the order of November’s Sony Pictures hack. (So much for the FBI’s claim that the Sony hack was unprecedentedly scary.) It was a long-term effort, professionally executed, and required a fair amount of organization and coordination to pull off. These aren’t just script kiddies stealing people’s credit card numbers. The hackers managed to compromise the systems of banks, but rather than immediately grabbing information and alerting their targets to their presence, they would quietly observe the inner workings and transactions for months. They were then in a position to subtly manipulate the system in order to cash out. According to a report from software-security company Kaspersky Lab, the hackers obtained up to $1 billion through dozens of attacks over the past two years.

There are several things worth noticing. First, the initial compromises were probably the simplest and dumbest parts of the attacks. The hackers got in through the tried-and-true method of “phishing”: sending employees emails that purport to come from a trusted sender, often someone inside the company. (Aimed at a specific organization or person, this is called “spear phishing.”) The employee opens an attachment, and that alone is enough to compromise the machine. Here the attachments were Microsoft Office documents that, when opened, exploited the software that displayed them and installed malware on the employee’s computer, giving the hackers remote control of it and a foothold inside the bank’s network.

What they did with this control, however, was more sophisticated. The malware logged keystrokes and took a screenshot every 20 seconds, which over months gave the hackers a very clear picture of how a bank’s staff actually moved money: which applications they used, which approvals were required, what a routine transfer looked like. And instead of attacking customer accounts, which are closely watched for fraud, the hackers went after the bank’s own internal funds-transfer mechanisms. First, using the bank’s own access to the SWIFT network, they sent fraudulent transfers to accounts at other banks and to credit cards they controlled. Second, and rather ingeniously, they attacked ATMs directly. Having seized central control of the banks’ ATMs, they set terminals to dispense cash on command, with accomplices (“money mules,” as Kaspersky terms them) standing at the machines at the right moment to collect the dosh.

The exact scope of the attack is still up for debate. According to Kaspersky, the group targeted banks in 30 countries, though primarily in Russia, and Kaspersky suspects it obtained about $1 billion. A more detailed, earlier report from December from Group-IB and Fox-IT confined the attacks to Russia and placed the damage in the hundreds of millions.

In terms of efficiency, these attacks are vastly more impressive than most hackers can ever hope to achieve. Though each intrusion took months of effort, each individual compromise raked in as much as $10 million. Each hack remained undetected for its duration, and some banks were compromised multiple times. Since nearly all of the money wasn’t tied to any particular customer’s account, the thefts were mostly invisible to consumers, so no individuals raised red flags. And with incidents like a Russian bank threatening a customer who successfully got it to accept his own credit card terms, I don’t think too many people are shedding tears for the poor financial institutions. Plus, consumers face bigger threats from the more recent Dyre and Dridex banking Trojans, which hijack browsers to obtain user credentials, even managing to defeat two-factor authentication in some cases.

For banks and other institutions, though, Carbanak’s sophisticated attacks are scary for reasons that go beyond the money lost. (Brian Krebs reports that the same group may also have compromised Staples and Bebe to obtain credit card information, so it’s not just banks.) Like the Sony hack, these breaches depend on long-term, in-depth access to the targeted systems, held quietly for as long as it takes to do the most damage, financial or otherwise. That leaves companies with two facets of security to worry about.

First, there’s that primitive initial compromise. It’s somewhat embarrassing that a phishing attack can end up compromising more or less the entirety of a bank’s systems, but that’s exactly what happened here. There was no exploit of some unknown security hole and no cracking of passwords; an employee just had to open an attachment (usually a Word document) from a phishing email, and the document exploited known vulnerabilities in unpatched Office software. Microsoft had already fixed every one of those vulnerabilities, some of them years earlier and the most recent in March 2014, so a bank that applied updates promptly would not have been compromised by those particular documents. At a minimum, then, banks need to keep their software current with security fixes. Beyond that, they need to scan all incoming attachments, and, because a gateway scan cannot reliably recognize a freshly crafted exploit document, they also need to make it harder for employees to open risky file types straight from their mail in the first place.
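As an added example of the attachment screening this paragraph calls for (illustrative code written for this page, not Kaspersky’s, Microsoft’s or any bank’s), here is a coarse mail-gateway triage that decides by file content rather than by extension. It assumes a gateway that can hold a message for sandbox detonation; the sample attachments are constructed inside the block and are not real documents. The caveat it encodes is the one that matters for this campaign: the exploit documents were ordinary binary .doc and .rtf files carrying no macro, so there is no cheap signature for them. The only sound gateway policy is to detonate legacy binary Office and RTF content in a sandbox before delivery, block macro projects outright, and treat any mismatch between extension and content as hostile.

```python
"""Coarse attachment triage by content (added example, not a vendor's or bank's code).
Verdicts: 'block' (never deliver), 'quarantine' (hold for sandbox detonation or
analyst review), 'allow'."""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc/.xls/.ppt container
RTF_MAGIC = b"{\\rtf"
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".hta", ".cpl", ".jar")
OOXML_EXTS = (".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def classify_attachment(name: str, data: bytes):
    """Return (verdict, reason). The decision is driven by the bytes, not the file name."""
    lower = name.lower()
    if lower.endswith(EXECUTABLE_EXTS) or data.startswith(b"MZ"):
        return "block", "executable attachment"
    if data.startswith(b"PK\x03\x04"):
        # Office Open XML (.docx etc.) is a zip container; macros live in vbaProject.bin
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entries = [e.lower() for e in zf.namelist()]
        except zipfile.BadZipFile:
            return "quarantine", "zip container is malformed"
        if not any(e.startswith("[content_types].xml") for e in entries):
            return "quarantine", "zip archive that is not an Office Open XML document"
        if any(e.endswith("vbaproject.bin") for e in entries):
            return "block", "Office Open XML document carries a VBA macro project"
        if any("/embeddings/" in e for e in entries):
            return "quarantine", "Office Open XML document embeds OLE objects"
        return "allow", "Office Open XML document without macros or embedded objects"
    if data.startswith(OLE2_MAGIC):
        if lower.endswith(OOXML_EXTS):
            return "block", "binary OLE2 content disguised with an Office Open XML extension"
        # No macro needed: a crafted .doc exploits the viewer itself, so never deliver unseen.
        return "quarantine", "legacy binary Office (OLE2) file: detonate in sandbox before delivery"
    if data.startswith(RTF_MAGIC):
        if b"\\objdata" in data.lower():
            return "quarantine", "RTF with embedded OLE object data"
        return "quarantine", "RTF file: detonate in sandbox before delivery"
    return "allow", "no Office, RTF or executable indicators"


def build_ooxml(with_macro: bool = False, with_ole: bool = False) -> bytes:
    """Constructed minimal .docx-like container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def triage_samples():
    """Run the triage over constructed sample attachments; returns {name: (verdict, reason)}."""
    samples = {
        "invoice.docx": build_ooxml(),
        "invoice_macro.docx": build_ooxml(with_macro=True),
        "quote.docx": build_ooxml(with_ole=True),
        "salary.doc": OLE2_MAGIC + b"\x00" * 504,            # legacy binary document
        "memo.docx": OLE2_MAGIC + b"\x00" * 504,             # OLE2 bytes behind a .docx name
        "notes.rtf": b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objdata 01050000}}}",
        "setup.exe": b"MZ" + b"\x00" * 62,
        "readme.txt": b"plain text",
    }
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in triage_samples().items():
        print(f"{name:20s} {verdict:10s} {reason}")
```

Note that the plain `salary.doc` is quarantined rather than allowed even though nothing in it looks suspicious: for legacy binary formats the gateway has no way to distinguish a benign file from one that triggers a parser bug, and that is exactly the kind of document that got these banks.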

The manipulation of the system that followed was on a whole other level. Until banks and other institutions can reliably keep employees from opening bad links and files in phishing emails, they must simply assume they are vulnerable to attack. Since Carbanak/Anunak needed months of monitoring inside each bank before it could perform its high-stakes thefts, institutions need better internal auditing mechanisms to confirm that their transactions are actually being performed by their employees rather than by skillful remote hackers riding along in those employees’ sessions. It’s better to assume your system is already compromised and look for evidence of unwanted manipulation than to have faith in a bulletproof outer shell, because, let’s face it, if you’re being compromised by phishing emails, you are a long way from bulletproof. This may even require setting up fake internal honeypots for thieves and other creative mechanisms, so that banks can detect intrusions early. Since hackers sometimes look for malware already present on a network and piggyback on it, seeding bank networks with decoy malware that alerts when it is touched could help catch hackers on first contact, a kind of reverse Trojan horse.
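To make the “assume you’re already compromised and look for manipulation” advice concrete, here is an added example (written for this page; not a bank’s, Kaspersky’s or any product’s code) of two audit checks run over constructed sample logs. The data formats, field names and thresholds are assumptions. The first check reconciles ATM dispense events reported by the ATM controllers against the card switch’s authorizations and then groups the unexplained ones into bursts across several machines, which is what a coordinated mule cash-out looks like. The second flags transfer instructions submitted under an operator’s credentials while that operator had no attended session on the workstation.

```python
"""'Assume breach' audit checks over constructed sample logs (added example, not bank code).
Each check compares two independent sources; an intruder who edits one must forge the other too."""
from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# --- Constructed ATM telemetry and card-switch authorizations (hypothetical data) ---
DISPENSES = [
    # (atm_id, time, amount, auth_ref) as reported by the ATM controller
    ("ATM-017", "2015-02-10T09:12:30", 200, "A1001"),
    ("ATM-042", "2015-02-10T10:05:11", 100, "A1002"),
    ("ATM-017", "2015-02-10T23:40:05", 2000, None),     # cash-out with no card behind it
    ("ATM-042", "2015-02-10T23:41:20", 1800, None),
    ("ATM-088", "2015-02-10T23:42:02", 2000, "A9999"),  # reference the switch never issued
]
AUTHORIZATIONS = {
    # auth_ref -> (atm_id, time, amount) recorded by the card switch
    "A1001": ("ATM-017", "2015-02-10T09:12:28", 200),
    "A1002": ("ATM-042", "2015-02-10T10:05:09", 100),
}


def reconcile_dispenses(dispenses, authorizations, window=timedelta(seconds=30)):
    """Return dispense events that no card-switch authorization accounts for."""
    findings = []
    for atm, t, amount, ref in dispenses:
        auth = authorizations.get(ref) if ref else None
        if auth is None:
            findings.append((atm, t, amount, "no matching authorization"))
            continue
        a_atm, a_t, a_amount = auth
        if a_atm != atm or a_amount != amount or abs(ts(t) - ts(a_t)) > window:
            findings.append((atm, t, amount, "authorization does not match dispense"))
    return findings


def coordinated_cashouts(findings, window=timedelta(minutes=5), min_atms=2):
    """Group unexplained dispenses into bursts spanning several ATMs (the mule pattern).
    Returns (burst_start, sorted atm ids, total amount) per burst."""
    bursts = []
    ordered = sorted(findings, key=lambda f: ts(f[1]))
    i = 0
    while i < len(ordered):
        start = ts(ordered[i][1])
        group = [f for f in ordered if start <= ts(f[1]) <= start + window]
        atms = sorted({f[0] for f in group})
        if len(atms) >= min_atms:
            bursts.append((ordered[i][1], atms, sum(f[2] for f in group)))
            i += len(group)
        else:
            i += 1
    return bursts


# --- Constructed payment-operator activity (hypothetical data) ---
TRANSFERS = [
    # (msg_id, operator, workstation, time, amount) as submitted to the transfer system
    ("T-501", "jsmith", "WS-112", "2015-02-10T14:02:00", 45_000),
    ("T-502", "jsmith", "WS-112", "2015-02-11T03:15:00", 980_000),  # 3 a.m., same credentials
]
SESSIONS = [
    # (operator, workstation, console login, logout) from the workstation and badge systems
    ("jsmith", "WS-112", "2015-02-10T08:30:00", "2015-02-10T17:30:00"),
]


def unattended_transfers(transfers, sessions):
    """Transfer instructions issued while their operator had no attended session."""
    flagged = []
    for msg, op, ws, t, amount in transfers:
        attended = any(
            s_op == op and s_ws == ws and ts(s_in) <= ts(t) <= ts(s_out)
            for s_op, s_ws, s_in, s_out in sessions
        )
        if not attended:
            flagged.append((msg, op, amount, "no attended session for operator on workstation"))
    return flagged


if __name__ == "__main__":
    unexplained = reconcile_dispenses(DISPENSES, AUTHORIZATIONS)
    for f in unexplained:
        print("dispense:", f)
    for b in coordinated_cashouts(unexplained):
        print("coordinated cash-out:", b)
    for f in unattended_transfers(TRANSFERS, SESSIONS):
        print("transfer:", f)
```

Two caveats a practitioner should keep in mind. The session check is the weaker of the two: a remote-access tool operating inside the employee’s live desktop session, which is how these intruders worked, passes it, so the control only catches off-hours reuse of stolen credentials. The dispense reconciliation is stronger because it joins two systems the attacker would have to corrupt consistently. Both are worthless if the logs live on hosts the attacker already controls, so they have to be shipped to a collector the attacker can’t reach before anyone reasons over them.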

Banks have every incentive to keep these attacks quiet, since they aren’t keen on losing the confidence of their customers or their investors. But the comparative quiet around them should not be mistaken for safety. The potential upside for thieves is so great that a lot of evident skill is going into these hacks, and the result looks like a growing arms race between institutions and hackers, fought with increasingly sophisticated arrays of malware and botnets, not to mention tons of time and energy. From the looks of it, the banks are pretty far behind.