
Carbanak: The Billion Dollar Cyber Bank Robbery



In the digital age, the specter of cybercrime looms large, casting a shadow over financial institutions worldwide. Among the most audacious and sophisticated cyber heists in history is the case of Carbanak, a criminal cyber gang that pilfered an estimated one billion dollars from over 100 financial institutions across the globe over a span of two years. Dubbed "the great bank robbery of the modern era," Carbanak's ultimate objective was to amass as much wealth as possible, a goal they largely achieved. This article delves into the intricate details of the Carbanak attack, exploring its various phases, the techniques employed by the hackers, and the collaborative effort to bring them to justice.

The Initial Breach

The Carbanak saga began in 2014 when a Kaspersky Labs employee received a call from a highly stressed bank employee from one of Russia's largest banks. The bank employee, fearing his communications were compromised, insisted on a personal meeting. It was revealed that the bank's domain controller was surreptitiously transmitting sensitive data to unknown servers in China. The domain controller, the linchpin of any business network, grants complete control over the entire system upon access. This control extends to accessing customer data, manipulating funds in accounts, and even executing fraudulent transactions via the SWIFT banking system.

Upon discovering the breach, Kaspersky employees initiated a thorough investigation, scrutinizing every network phone and computer connected to the internal banking network. Initially, their efforts yielded no suspicious findings. However, the presence of the screen-sharing software VNC on some computers raised suspicion, as the bank denied ever installing it.

An expert at Kaspersky hypothesized that the bank employees were being spied on. To test this theory, he opened a blank Word document on one of the computers and typed "hello". After a period of waiting, the computer began typing on its own, responding with the chilling message: "hello you won't catch us".

Spear Phishing Attack

Determined to unmask the hackers, the experts traced their entry point into the bank's system. They discovered that a bank employee had received a deceptive email disguised as a legitimate customer communication. This email contained a malicious Word document, infected with malware. Opening the document triggered the malware, installing a VNC backdoor on the computer. This method of attack is known as spear phishing, where hackers impersonate credible entities to deceive their targets. These emails often contain infected files, such as Word, Excel, or PowerPoint documents, and even images or videos.

Gaining Administrative Control

With a foothold established, the hackers remotely monitored and controlled the infected machine. They then used this compromised PC to spread the infection to other machines on the network and locate the administrator's computer. To compromise the admin account, they employed a clever tactic. They deliberately slowed down the admin computer by running numerous background programs, hoping that a bank employee would contact IT support for assistance.

When IT support arrived, they entered the admin passwords to troubleshoot the issues, unwittingly compromising the bank's security. A keylogger, installed by the hackers, recorded every keystroke, capturing the admin passwords. This gave the hackers access to the admin account, allowing them to infect the remaining network of the bank.

The Robbery

Having infiltrated the bank's network, the hackers entered the third phase of their operation: the actual robbery. For months, they meticulously observed the bank employees, studying their operations and protocols. They essentially became shadow employees, silently recording every aspect of the bank's activities.

With a thorough understanding of the bank's procedures, the hackers began their illicit activities. They employed several methods to siphon funds from the bank:

• Impersonating high-ranking banking employees and manually transferring large sums of money to their accounts via the SWIFT system.

• Utilizing the bank's e-payment system to transfer funds to their accounts, which were then routed to other accounts, primarily in China and the US. These accounts were subsequently emptied by money mules.

• Remotely controlling ATMs to dispense cash at predetermined locations. These ATMs were often situated in remote areas, and the money was collected by money mules.

• Inflating accounts with small balances and pocketing the difference. However, this method led to their first mistake when they inadvertently inflated the account of an elderly Russian man, triggering suspicion.

The Investigation

Despite knowing the hackers' methods, the experts were unable to trace the stolen funds, totaling 9 million US dollars. The case was eventually put on hold. However, the investigation gained new momentum when Eugene Kaspersky, CEO of Kaspersky Labs, shared his experience with the Carbanak hackers at a cybersecurity conference in Singapore. It became apparent that this was not an isolated incident, as Europol had also registered similar attacks on European banks.

Europol and Kaspersky Labs joined forces with the affected banks, cybersecurity specialists, and intelligence agencies to form the Joint Cybercrime Action Task Force (JCAT). They pooled their resources to hunt down the Carbanak group.

Tracking the Hackers

The breakthrough came when a Kaspersky Labs employee discovered a minor error in the Carbanak code. This flaw allowed the experts to send a specific request to the Carbanak command and control server and receive a unique response. However, the challenge was to identify the correct server among the countless servers connected to the internet.

The Kaspersky team initiated a massive internet scan, sending the request to every server in the hope of receiving the desired response. After two days, their persistence paid off when the Carbanak command and control server responded. The server was located in the Netherlands, a country with a robust IT infrastructure.

The Dutch police seized the server and allowed the experts to analyze it. The analysis revealed the true scope of the Carbanak attacks, which targeted financial institutions in almost every country in the world. The group had infiltrated hundreds of financial institutions and stolen over 700 million US dollars.

The Manhunt

With the scale of the operation revealed, the investigation intensified. The JCAT task force collaborated with numerous intelligence agencies, including the FBI, CIA, and law enforcement agencies from Russia, Romania, and Moldova. As the investigators closed in, the Carbanak group disappeared for a few months.

The Taiwan Incident

In 2016, the Carbanak group resurfaced, only to make a critical mistake. In Taiwan, two inexperienced money mules, while retrieving money from hacked ATMs, were startled by an approaching local resident and fled, leaving behind a stack of 60,000 NT dollars. The resident alerted the police, who reviewed the CCTV footage and identified the suspicious activity.

The First Bank reported that over 70 million NT dollars had been illegally withdrawn from 34 ATMs across Taipei and Taichung. The Taiwanese police mobilized over 500 officers to analyze the CCTV footage, which led to the identification of 22 suspects, mostly from Russia and Eastern Europe.

Although 19 of the suspects managed to escape Taiwan, three remained. One of them, Andrejs Peregudovs, the alleged leader of the operation, attempted to hide his share of the stolen money before fleeing to another province. The other two suspects stored their portion of the money in luggage lockers at the Taipei train station. However, the police were tracking their movements through the extensive CCTV network. The police arrested the two men at their hotel and also captured Andrejs Peregudovs.

The Spanish Connection

In 2018, Spanish authorities, with the help of Interpol, investigated a criminal organization laundering money in Spain. They discovered that one of the organization's clients was a Ukrainian computer specialist named Dennis K. Further investigation revealed his ties to the Russian and Moldovan mafia, for whom he had coordinated several cyber attacks since 2013. Dennis K paid the mafia 40 percent of his profits in exchange for money mules.

Dennis K and three other members of the group were arrested in Alicante, Spain, in 2018. A search of their property uncovered a wealth of assets, including jewelry, BMWs, and 15,000 bitcoins, worth approximately 150 million US dollars at the time.

Conclusion

Despite the arrests, the remaining billion US dollars was never recovered. While Dennis K was believed to be a leader, Kaspersky Labs suspects that more individuals were involved. The Carbanak group remains active, operating under various names, continuing to steal millions of dollars each year. The Carbanak case serves as a stark reminder of the evolving threat of cybercrime and the importance of international collaboration in combating these sophisticated attacks.

• Carbanak stole an estimated one billion dollars from over 100 financial institutions.

• Spear phishing was used to deliver malware and gain access to the bank's network.

• Keyloggers captured admin passwords, allowing hackers to infect the entire network.

• Money mules were used to withdraw and transport the stolen funds.

• International collaboration was crucial in tracking down the hackers.

WRITTEN BY

Sadia Fatima
