Kapersky explains how hackers infiltrated internal banking systems.

A gang of cyber thieves known as the Carbanak Ring held a virtual bank heist spanning 2 years including over 100 banks in 30 countries making off with hundreds of millions of dollars.

The gang sent spear-phishing emails to employees containing infected attachments which when opened would infect the users workstation. The gang responsible for this has been dubbed the “Carbanak cybergang” because of the name of the malware they used.

According to Dutch security firm Fox-IT, Carbanak is the same group that was uncovered by Group-IB and Fox-IT in a Dec. 2014 report which named the attackers as the “Anunak hackers group” who stole substantial amounts of data from Sheplers, Staples and Bebe.

The criminals once in the internal networks were able to use different employees access to steal money in a variety of ways. In some cases, ATMs were instructed to dispense cash at certain times without having to enter any commands locally on the machines. Henchmen would collect the money and transfer amounts over the SWIFT network to the criminals’ accounts, Kaspersky said. The Carbanak group spent time understanding the banking systems infrastructure which gave them the knowledge of how to alter databases and pump up balances on existing accounts allowing them to take the difference whilst the account owner is unaware and their original balance is still intact.

The majority of their targets were primarily in Russia, followed by the United States, Germany, China and Ukraine, according to Kaspersky Lab. One bank lost $7.3 million when its ATMs were programmed to release cash at certain times which their money mules would then collect. Another firm had $10 million taken via its online platform.

Chris Doggett, of Kaspersky North America, said that heist “is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert.”

Kaspersky Lab reports that when working with Interpol and Europol, it discovered that the gang, dubbed Carbanak, used malware enabling it to see and record everything that happened on staff’s screens. These and other recent high profile cyber-attacks, such as the JPMorgan Chase hacking case which saw 76 million customer accounts hacked are forcing organizations especially banks to take cyber security much more seriously.

Stu Sjouwerman, CEO of KnowBe4 argues that such an attack can be deterred on a basic level:

“While this cyberheist is considered very sophisticated, spear-phishing is one of the most preventable and affordable,” he said. “You would expect the finance industry to set the bar very high and have employees trained within an inch of their lives not to fall for such an attack. We would highly encourage financial institutions to take a look at their training methods and beef them up accordingly.”

“Security Awareness Training is really needed for every employee in any organization, not just banks,” Sjouwerman added. “It allows you to put in place a more effective human firewall and protect your corporate and financial assets.”

Often, a hacker can be inside an organization’s IT system for months or years before the user or administrator is aware. Quite often, the user only realizes once it is too late.