Photo: Oleg Gritsaenko for RBC
Before Christmas, banks and ATMs vulnerable to fraudsters ‘ attacks, found RBC. The Central Bank has warned banks about the possibility of attacks on ATMs without physical impact — through letters from the banks and authorities
Major Russian banks may be subject to a massive cyber attack before the New year, told RBC specialists Group-IB and “Kaspersky Lab”. Before the holidays the ATM filled with money, and Bank employees are paying less attention to security, experts say. Among the possible organizers of attacks on ATMs at Group-IB, which specializiruetsya on the prevention and investigation of cybercrime, call Cobalt international group with Russian roots.
Russian banks are notified by the regulator about a new type of fraud, said RBC representative of the Bank of Russia.
The criminal group Cobalt for the attack to begin in June 2016, said the investigation of Group-IB (available RBC). Criminals Rob ATMs with no physical impact, penetrating into the local network of the Bank and getting the full control over the devices, said the investigation of Group-IB. On remote command the machine begins to give out cash, and prepared people just collect money bags, to the document Group-IB.
This year they were already attacked banks in Russia, Britain, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia and Malaysia.
To penetrate the internal network of the Bank, Cobalt point sends to the banks by e-mail messages with malicious attachments. “Phishing emails are sent on behalf of the European Central Bank, the ATM manufacturer Wincor Nixdorf or on behalf of the regional banks,” said Group-IB. But in fact the emails come from two servers with the program that has changed the address of the sender, while the ECB, a manufacturer of ATMs and regional banks is irrelevant to this ezine have not.
Both servers, which were sent letters, according to Group-IB, are located in Russia. In particular, to spread malicious programs on banks in Russian speaking segment of criminals used attachments with the names “Договор_хранения2016.zip and List документов.doc” says the investigation.
After the Bank employee runs the file from the fake e-mails, the attachment is loaded into the RAM of the computer. “This means that after a reboot of the operating system the attacker has lost control of the computer” — says Group-IB. In order to “survive”, the application is automatically registered in startup. Then with the help of a variety of ways criminals have gained access to passwords of system administrators of the Bank. It could take them ten minutes to a week, says the investigation. After the attacker has secured remote access to the local network and the Bank’s privileges, allowing them to do whatever is necessary for the future theft of money from ATMs. They needed only to “gain a foothold” and to establish redundant paths of access if suspicious activity is spotted by the security services of the Bank.
After the criminals had gained control of the local network Bank, they began to search for segments that you can reach the management of ATMs. Getting access to him, the group was uploaded to the device program that allows customers to manage cash, says the investigation.
One ATM in a few minutes
Having access to the management of ATMs, the criminals come to devices over cash in different parts of the city with only a mobile phone. “He reported it to his partners and prepared the bag. In a few minutes the machine was started portions to give money. After the money was over, people were re-contacted partners and went”, — says Group-IB. Devastated after the machine was rebooted. According to Group-IB, the removal of money was involved in a small group that moved to a predetermined ATM and withdraw money within a few hours.
The company expects that Cobalt may again become active in Russia in the near future. The group began mailing numerous phishing emails with malicious attachment in Russian banks a month ago, says the Manager of the international business development Group-IB Viktor Ivanovsky. “I think they’re preparing for the robbery of ATMs for the New year is the perfect time to steal, because the ATMs for the holidays filled with money to the maximum. Therefore, we believe that Russian banks need to increase the level of vigilance and to prepare for possible attacks,” says Ivanovskiy.
The attack on the network
The expert believes that under threat of attack in the first place are large banks with extensive ATM network, from one hundred to one thousand. In the first place attackers will choose banks with weaknesses in technical security, says Ivanovskiy.
Since the Cobalt allows you to empty the entire magazine of the ATM in a matter of minutes, the losses of the banks when you attack a group can be very high, says Ivanovskiy. In Europe, he said, with only one ATM at the working load level, the group was able to obtain a minimum of €100 thousand, “But attack one of the ATM operation, as a rule, is not limited,” he warns.
Ivanovo predicts that in the future many thieves will focus exactly on the format of the thefts, like the Cobalt, trying to minimize the impact on the ATMs and getting into the local banking network. “The future is robbery 30-100 ATM at the same time, not one,” he says.
Therefore, employees of banks upon the slightest suspicion of malicious email due to address in security service of the Bank, despite the seemingly familiar sender’s domain, continues Ivanovo. “Investments of these letters to open in any case impossible. The danger may be even a text file in rich text format,” he says. According to Ivanovsky, seriously reduce the possibility of infection will help just timely updating of operating system and browser.
The first cases of attacks on banks using set programs Cobalt Strike was recorded in 2014, says a leading anti-virus expert “Kaspersky Lab” Sergey Golovanov. Since then, the activity of their use is only growing: the program appeared in open access on the Internet and cost $3.5 thousand, he continues. According to Golovanov, the damage from such attacks with respect to Russian banks could reach hundreds of millions of rubles and is limited only by the number who takes the money from ATMs. He agrees that the attack on the Russian ATM can be taken before the New year. “In General, we can say that new year’s eve period, when aktiviziruyutsya attackers as employees of the Bank, as everything in Russia, are preparing for long weekends and pay less attention to security,” — said Golovanov.
The threat to Russian banks, specifically from the activities of Cobalt, the expert regards as “average”. In his opinion, the Russian banks in comparison with many other quite well-protected from attacks. However, Golovanov said that in each case all depends on the willingness of each specific Bank of the system for its information security budget on IT staff training.
The banking and financial sector was the main target for cybercriminals in the last few years. According to the report, specializing in the field of information security Infosecurity publications financial organizations are exposed to cyber attacks three times more often compared to companies in other industries. To counter the growth of cybercrime, leading international banks increase the costs of providing security in this area. It is expected that by the end of 2016, the total amount of spending on cybersecurity in the global banking sector will total $8.3 billion.
The amount is growing from year to year. For example, in 2014, the largest American Bank JP Morgan Chase spent on cybersecurity to $250 million a Year later, a similar article to this financial institution totaled $500 million (estimated by The Wall Street Journal).
As for Russian banks, according to the head of cyber security of the savings Bank Sergey Lebed, in 2016, the organization has spent about 1.5 billion rubles, the Amount is comparable to the spending on cybersecurity in 2015, but more than twice spent in this area money for 2014.
The Central Bank has notified the Russian banks
Pre-new year activity of cyber criminals waiting in the Bank of Russia. “There is a possibility of strengthening different types of attacks (including newsletters, publications negative and provocative in social networks, DDOS attacks, distribution of malicious software, and so on) to techenit December 2016”, — told RBC representative of the Central Bank. According to him, the Center of monitoring and responding to computer attacks in the financial sphere (Finart) regularly inform all participants of information exchange on malicious mailings, including on behalf of banks or authorities. Fincert is a structural unit of the main Directorate of security and information protection of the Bank of Russia.
Banks say they are ready for possible new year attacks on ATMs, including by the method of Cobalt. “Knowing the existence of such vulnerabilities, VTB24 has already taken the necessary steps to protect their devices,” said RBC Bank representative. Thus, according to him, the attacks on the ATMs of VTB and VTB24 without physical impact is not yet fixed.
In a press-service “FC Opening” RBC said that the Bank was aware of the activities of Cobalt, but almost all emails with infected attachments that come employees, are cut off at the level of mail filtering.
In practice, the PSB was attempted attacks by the method of Cobalt, said Director of card technologies Bank Alexander Petrov. “But as a result of security tools at various levels of the infrastructure Bank, they were prevented”, he added.
Sberbank declined to comment. Representatives of eight major banks did not respond to a request RBC.