The Malicious actors studied their targets and crafted a convincing spear phishing email that convinced users at the financial institution to open the attachments. Once opened, the workstations were infected with malware that loaded a backdoor, which gave the attackers access to the victims workstations. This backdoor that was installed was based on the Carberp malicious code. Carberp is a Trojan horse that gathers information and opens backdoors on compromised computers. It was initially released in 2010 and has since gone though many revisions. The group used vulnerabilities in Microsoft Office products to deliver the malware into the financial networks through vulnerable workstations. It has been reported that these vulnerabilities were patched by Microsoft prior to the attacks, but the institutions were behind in their patching process.
Once the initial compromise was completed, they proceeded to infect multiple more machines to probe and map out the network. Once they found workstations or servers that have access to the critical systems they are looking for, they proceeded to access those systems to transfer money from multiple accounts to accounts that the malicious actors established through the process. Once the money is in the assigned accounts, they then enlist the services of “money mules” – people who actually walk up to the ATMs and withdraw money for a fee. It took several months of daily withdrawals to drain the accounts in which the stolen money was placed. Kaspersky Lab has put together a great diagram showing the process of the attack and money distribution:
It has been determined that the group responsible compromised workstations at over 100 financial institutions in over 30 different countries worldwide. It has been estimated that the total amount of money stolen is between 300 million and 1 billion USD. It has also been reported that this group was also responsible for credit and debit card breaches across the United States including Bebe Stores and Staples. What makes this particular attack sophisticated was that the groups studied its victims. They learned the internal processes and procedures on how money is moved throughout the financial systems. They were able to fraudulently follow the financial institutions own process and procedures to mask their transfers and run the scam in a manner as to not draw any attention. The attackers were very familiar with the software and services that the institutions utilized.
One of the conclusions from the Kaspersky report was “Despite increased awareness of cybercrime within the financial services sector, it appears that spear phishing attacks and old exploits (for which patches have been disseminated) remain effective against larger companies.” This should teach us lessons about making sure we have a consistent path management process that is tried and true. We also need to make sure that if patches are not available, that we have detection for the vulnerability somewhere in your security and an in depth strategy in place to prevent this. To read more details about the attack, here is a link to the Kaspersky Report.