Organized Russian and Ukrainian fraudsters are now targeting Canadian financial institutions with malware that was previously reported to be attacking only Russian banks, according to a new report by the cyber-security firm Kaspersky Lab.
The Kaspersky report provides new details about a malicious software package it dubbed Carbanak, saying it is now affecting financial institutions in 30 countries and it could generate cumulative losses of up to $1-billion (U.S.).
The malware was first publicly identified last December in a joint report by the Russian firm Group-IB and the Dutch firm Fox-IT, which named the malware Anunak and provided a more conservative figure of $17-million stolen, mostly in the past six months.
Unlike previous fraud schemes, which targeted bank clients, Carbanak-Anunak directly attacks the internal computer systems of the institutions.
After spying on bank employees, even activating video recordings of their activities, the malware is able to trigger fraudulent transactions, siphoning off money through illicit transfers or ordering bank machines to dispense money at predetermined times to an accomplice.
One bank lost $7.3-million solely from the bank-machine fraud, Kaspersky said.
The malware uses a number of command-and-control servers running on Linux operating systems. Those Linux servers are used to send infected e-mails, collect spying data and keep logs of victims.
Three of those Linux servers held up to nine Canadian targeted IP addresses, the Kaspersky report said.
The report did not say how many Canadian banks were connected to those nine IP addresses. It said up to 100 financial institutions were hit at more than 300 IP addresses in 30 countries.
It also noted that two samples of the malware were uploaded from Canada to VirusTotal, a website that scans submitted files for malware.
Contacted by The Globe and Mail, Kaspersky officials declined to provide more specific details about Canadian targets "because of ongoing investigations."
The firm says it is working jointly with law-enforcement agencies, but it would not say whether Canadian police forces are involved.
The Canadian Bankers Association was also tight-lipped. "We have no information about which banks have been impacted by the reported hackers," CBA spokeswoman Kate Payne said in an e-mail.
She said Canadian banks actively monitor their networks and maintain them against threats, but she said the association has no information about when individual banks became aware of the malware.
The Group-IB-Fox-IT report said the malware is run by a criminal syndicate made up mainly of Russian and Ukrainian nationals, with a number of associates from other countries, including Belarus.
The group has its origin in a gang that had been using financial malware called Carberp to defraud consumer and corporate bank accounts in Europe and Russia.
After Russian security services arrested eight Carberp members in 2012, the remaining scammers refocused on penetrating the internal networks of banks rather than clients' accounts.
"One of the members quickly realized that they can steal $2,000 a thousand times and earn $2-million, but also they can steal it in one time and immediately get it with much less effort," the Group-IB-Fox-IT report said.
The main infection method by the gang relied on targeted spear phishing, sending a bogus e-mail with malicious attachments to a bank employee from what appeared to be a real institution, central bank or client.
"The average time from the moment of penetration into the financial institutions' internal network till successful theft is 42 days," the Group-IB-Fox-IT report said.
While the Group-IB-Fox-IT report said part of the money was transferred to Ukraine and Belarus, Kaspersky found that stolen funds were transferred to bank accounts in the United States and China.
"We believe that the Carbanak campaign is a clear indicator of a new era in cyber-crime in which criminals use APT [advanced persistent threat] techniques directly against the financial industry instead of through its customers," Kaspersky concluded in its report.
In an update posted on its website, Group-IB said there had been a significant decrease in the hacking activity of the gang since December.
But no one has been arrested, Group-IB noted. "We have already seen such quiet periods. And while the people remain free, they will continue attacks. Their activity for the last two years proves that."