If the losses claimed for the Carbanak online robbery are anything like the billion US dollars (£650 million) being cited, then despite the fact that it covers around 100 financial institutions, and took place over two years – and may still be ongoing, it would still rank as the largest known loss to a single cyber-crime gang. Even at the lower end of estimates, it's on the same scale as the largest recorded bank robbery (when guerrillas blasted their way into the vaults of the Beirut British Bank of the Middle East the in 1976, and took safe deposit boxes containing £22 million - the equivalent of £156 million today).
The sheer scale of losses, the long sustained period of attack, the multiple attack vectors including inside whitelisted software, amply demonstrates the sophistication of the adversary and their capabilities now being faced by CISOs around the world. And their success could well undermine confidence in both the defences deployed, and the institutions themselves.
Looking at the report figures – and the attribution of the attack – Bob Tarzey analyst and director at Quocirca Ltd told SCMagazineUK.com: “Whilst there is no reason to doubt Carabanak's existence, the figures for financial losses all seem to be estimates coming from Kaspersky. These range from £155 million to £650 million. If true, it would seem that that banks themselves have kept this quiet, presumably because it is not that much once spread across the affected organisations; although of course, the sums would be a lot to any gang.”
Questions arise due to a December 2014 report on Anunak, by Fox-IT in collaboration with Group-IB describing an APT-like criminal group with ties to the Carberp group. Ronald Prins, Fox-IT founder and CTO, says: “Anunak is the name the malware author gave to the main malware used in these attacks. Carbanak is the name the AV industry gave to this malware, which is a combination of the words “Anunak” and “Carberp”, as the Anunak malware has used code from Carberp.” At that time losses reported by Fox-IT put the average theft in Russia and CIS countries for this group at £1.3 million from more than 50 Russian banks, five payment systems, 16 retail companies, and a total at that time of around £11 million.
Prins explains differences between the two sets of loss figures, saying: “In our report we have only mentioned the direct losses we could verify at that time related to banks in Russia. With credit card track data thefts and the loss rates used by banks for counterfeit credit cards, one can make estimates of losses that would be higher, but it would remain an estimate. Our previous reported loss number excluded losses due to IP theft and damages due to downtime and cleanup too, which are both even harder to make estimates on. Hence the conservative loss number reported by us back in December. Additionally the reports on Carbanak show a different picture, where banks targeted outside of Russia, specifically Europe, USA and Japan are mentioned, which does not match our research.”
Despite Anunak not dealing with non-Russian banks, Gavin Millard, EMEA technical director of Tenable Network Security agrees that Carbanak malware is the same malware, but with a new name. He says: “The problem is, and always has been, that the level of control in information system design has been low because as the level of control goes up, system management and maintenance costs do too, and they begin to eat into the cost savings of the overall system. Good security costs money and until organisations recognise that and begin to take it seriously, we will continue to see large scale attacks like this one.”