Carbanak set to double down on $1 billion heist

News by Max Metzger

Proofpoint has found what it believes to be the event horizon of the huge attack campaign by the Russian APT group, Carbanak.

Proofpoint has spotted what it believes to be a massive cyber-attack campaign on the horizon. The company's research identifies Carbanak, the Russian APT group, as back in business.

Proofpoint has detected the group targeting executives in the finance sector across the Middle East, the US and Europe, although the majority work in Middle Eastern countries.

The campaign, Proofpoint found, was not limited to finance but targeted media companies as well as slightly unusual targets who work in air conditioning, heating and fire safety.

Proofpoint also picked up on the use of Spy.Sekur, Carbanak's own malware, as well as remote access trojans (RATs) such as jRat, Netwire and Cybergate.

Carbanak normally works within Russian speaking countries, but this new foray into the wider world has led Proofpoint researchers to believe that they've found groundwork for something big.

Proofpoint believes that these are signs that Carbanak's infamous $1 billion heist in 2015 is set to be repeated. The research notes: “Estimates suggest that the 2015 attack required three to four months from initial infection to theft, which raises the question of whether this is the beginning of the next billion-dollar attack. Based on our research, it appears that we are observing the early stages of an attack employing new exploits, malicious document attachments, and RATs to target new groups outside their usual Russian domains.”

SC spoke to Kevin Epstein, VP of Threat Operations Centre at Proofpoint. From the observed facts, he said, he can only draw limited conclusions, but those conclusions point in one direction.

He told us via email: “A group who appears to be the same as those reportedly responsible for a previous $1 billion heist (Carbanak) is actively deploying a similar infrastructure targeting assets that are likely worth at least twice as much. The attacker infrastructure observed includes malicious document attachments, URLs linking to documents with known Microsoft Office exploits hosted on websites, and sophisticated malware."

Carbanak has carved out a place among the APT groups of the world. Known for stealing from financial institutions, the group was discovered last year by Kaspersky Lab, infecting banks with malware deployed by phishing emails.

The group would use all manner of creative techniques to defraud their targets, including artificially inflating the balances of accounts and then stealing the difference. Some believe that Carbanak's ill-gotten gains ran as high as $1 billion (£700 million).

Carbanak is one of the peculiar groups that, though classified as an APT, doesn't appear to be state-backed. Though APTs are traditionally thought of as the cyber arms of national intelligence agencies and powerful state security bodies, groups like Carbanak seem to buck that trend. Epstein told SC that despite that fact, Carbanak is still a classic APT.

"The term is completely accurate - the attack and technologies used are advanced, persistent, and an ongoing threat - but this is yet another example of the continued blurring of lines as criminals use the same grade of technology as nation-state cyber attackers."

Epstein added, “A billion dollars is a powerful motivator for sophisticated, extensively planned crime of any kind; cyber-crime seems no different in that regard.”

Lou Manousos, CEO of RiskIQ, spoke to SC, saying, “It's not a surprise that we're starting to see non-state actors using some of the same methods more commonly associated with nation states. Like state actors, cyber-criminals are interested in operating more stealthily and therefore avoiding detection and prolonging the longevity of their attack infrastructure.”

Aaron Shelmire, senior threat researcher at Anomali, had slightly different ideas. “APT is an overloaded term that has come a far way from its original definitions," he said. “In the heat of battle it's more important for defenders to focus on what an actor is doing and has done, as opposed to whether an actor is a state sponsored entity. Computer intrusions truly democratise malicious capabilities and discounting an actor based upon perceived levels of sophistication can be extremely dangerous.”

He added, “There hasn't been as much news of non-state targeted intrusions largely because analysts have been so focused on specific APT groups. As analysts focus on other activity they are finding that more of it has fallen under the umbrella of targeted hands-on-keyboard activity.” 
