The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting more than 100 financial institutions worldwide has been arrested in Alicante, Spain, after what Europol describes as a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarusian and Taiwanese authorities and private cyber security companies.
Since 2013 the Carbanak and Cobalt malware has been used by the gang to steal a total of €1 billion from banks, e-payment systems and financial institutions in more than 40 countries, with Cobalt malware alone responsible for thefts of up to €10 million per heist.
In 2013 the gang launched the Anunak malware campaign, which targeted financial transfers and ATM networks of financial institutions around the world. A year later it had been improved and, as Carbanak, it remained in use until 2016. Then an even more sophisticated wave of attacks was launched using tailor-made malware based on the Cobalt Strike penetration testing software.
In each of the attacks the criminals would spearphish bank employees with an email containing a malicious attachment impersonating legitimate companies. Once downloaded, the malware allowed the criminals to remotely control the victims' infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.
As Craig Young, computer security researcher at Tripwire, noted in an email to SC Media UK: "The attackers used their malware to embed themselves into financial institutions where they would study processes and mannerisms for months before making a move to steal money. This allowed the attackers to simulate legitimate behaviour so that they could siphon millions of dollars from a single institution without immediately raising alarms."
The money was cashed out in various ways:
- ATMs were instructed remotely to dispense cash at a pre-determined time, with the money being collected by organised crime groups supporting the main crime syndicate: when the payout was due, one of the gang members was waiting beside the machine to collect the money being 'voluntarily' spat out by the ATM;
- The e-payment network was used to transfer money out of the organisation and into criminal accounts;
- Databases with account information were modified so that bank account balances would be inflated, with money mules then being used to collect the money.
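The third cash-out method relies on the stored balance diverging from what the transaction journal can explain. The following is an added example, not from the article or from any bank's code, of the kind of reconciliation check a defender can run to surface such tampering; the account data and journal entries are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data (not from the article). LEDGER is what the core
# banking database currently stores; OPENING is the audited balance at the
# start of the period; JOURNAL is every posted transaction since then.
OPENING = {
    "ACC-001": Decimal("1000.00"),
    "ACC-002": Decimal("5000.00"),
    "ACC-003": Decimal("42.50"),
}
JOURNAL = [
    ("ACC-001", Decimal("500.00")),    # legitimate deposit
    ("ACC-002", Decimal("-1000.00")),  # legitimate withdrawal
    ("ACC-002", Decimal("1000.00")),   # legitimate deposit
]
LEDGER = {
    "ACC-001": Decimal("1500.00"),
    "ACC-002": Decimal("250000.00"),   # inflated by a direct database edit
    "ACC-003": Decimal("42.50"),
}


def reconcile(ledger, opening, journal, tolerance=Decimal("0.00")):
    """Return accounts whose stored balance is not explained by the journal.

    Each finding is (account, stored, expected, unexplained_delta). A positive
    unexplained delta is a credit that no transaction posted, which is the
    pattern behind balance inflation followed by mule withdrawals.
    """
    expected = dict(opening)
    for account, delta in journal:
        expected[account] = expected.get(account, Decimal("0")) + delta

    findings = []
    for account, stored in ledger.items():
        exp = expected.get(account, Decimal("0"))
        diff = stored - exp
        if abs(diff) > tolerance:
            findings.append((account, stored, exp, diff))
    # Accounts present in the journal but missing from the ledger are also
    # suspicious (rows deleted); report them with a stored balance of None.
    for account, exp in expected.items():
        if account not in ledger:
            findings.append((account, None, exp, -exp))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for account, stored, exp, diff in reconcile(LEDGER, OPENING, JOURNAL):
        print(f"{account}: stored={stored} expected={exp} unexplained={diff:+}")
```

In practice the journal and the ledger should be compared from independent sources (for example a write-once audit log against the live database), since an attacker with database write access can edit both if they live in the same place.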
The criminal profits were also laundered via cryptocurrencies, using prepaid cards linked to the cryptocurrency wallets, which were then used to buy goods such as luxury cars and houses.
For Mark James, security specialist at ESET, it was the methods of theft crossing into the real world that likely led to the capture, as he told SC Media UK: "Without specifics it's hard to say how the actual investigations work, but often in these cases it could be that the individual concerned either made an error or was lured into a scenario that enabled law enforcement to track his or her whereabouts.
"Internet anonymity is not as easy as it's made out to be; it's virtually impossible to be completely transparent in the digital universe, especially if you are getting the attention of organisations worldwide. You also need help; many of the techniques shown here require others to physically be at the locations. With the widespread use of visual tracking around these days it's extremely difficult to move without being filmed somewhere, especially in public places."
International police cooperation coordinated by Europol and the Joint Cybercrime Action Taskforce is reported to have been central in bringing the perpetrators to justice, with the mastermind, coders, mule networks, money launderers and victims all located in different geographical locations around the world.
Europol's European Cybercrime Centre (EC3) facilitated the exchange of information, hosted operational meetings, provided digital forensic and malware analysis support and deployed experts on-the-spot in Spain during the action day.
The close private-public partnership with the European Banking Federation (EBF), the banking industry as a whole and the private security companies was also paramount in the success of this complex investigation according to a Europol statement.
Wim Mijs, chief executive officer of the European Banking Federation, said: "This is the first time that the EBF has actively cooperated with Europol on a specific investigation. It clearly goes beyond raising awareness on cyber-security and demonstrates the value of our partnership with the cyber-crime specialists at Europol. Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang."
Steven Wilson, head of Europol's European Cybercrime Centre (EC3), said: "This global operation is a significant success for international police cooperation against a top level cyber-criminal organisation. The arrest of the key figure in this crime group illustrates that cyber-criminals can no longer hide behind perceived international anonymity. This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cyber-criminality."
In an email to SC Media UK, Oz Alashe, CEO of CybSafe, commented: "Today's arrests by Europol are a significant triumph for law enforcement in the ongoing battle against international cyber-criminals. However, financial services organisations should pay special attention to the method used by the attackers to gain access to the banks' IT systems. The criminals sent key staff phishing emails containing the malware that enabled them to penetrate their IT systems. This demonstrates that the most stringent cyber-processes, coupled with the latest technology, can be undermined by the human component of cyber-security.
"An organisation's people should be the first line of defence in the fight against cyber-crime. Ensuring that staff are able to recognise and flag a potential phishing email is as valuable as having the latest technology and processes in place in the financial services sector. This focus on the human aspect of cyber-security will only increase in importance for business, technology and security leaders in organisations as cyber-criminals search for vulnerabilities across an organisation's information security ecosystem."