
Carbanak malware is now affecting financial institutions in 30 countries, Kaspersky Lab says.

Organized Russian and Ukrainian fraudsters are now targeting Canadian financial institutions with malware that was previously reported to be attacking only Russian banks, according to a new report by the cyber-security firm Kaspersky Lab.

The Kaspersky report provides new details about a malicious software package it dubbed Carbanak, saying it is now affecting financial institutions in 30 countries and it could generate cumulative losses of up to $1-billion (U.S.).

The malware was first publicly identified last December in a joint report by the Russian firm Group-IB and the Dutch firm Fox-IT, which named the malware Anunak and provided a more conservative figure of $17-million stolen, mostly in the past six months.


Unlike previous fraud schemes, which targeted bank clients, Carbanak-Anunak directly attacks the internal computer systems of the institutions.

After spying on bank employees, even activating video recordings of their activities, the malware is able to trigger fraudulent transactions, siphoning off money through illicit transfers or ordering bank machines to dispense money at predetermined times to an accomplice.

One bank lost $7.3-million solely from the bank-machine fraud, Kaspersky said.

The malware uses a number of command-and-control servers running Linux. Those Linux servers are used to send infected e-mails, collect spying data and keep logs of victims.

Three of those Linux servers held up to nine targeted Canadian IP addresses, the Kaspersky report said.

The report did not say how many Canadian banks were connected to those nine IP addresses. It said up to 100 financial institutions were hit at more than 300 IP addresses in 30 countries.

It also noted that two samples of the malware were uploaded from Canada to VirusTotal, a website that scans uploaded files with multiple antivirus engines.


Contacted by The Globe and Mail, Kaspersky officials declined to provide more specific details about Canadian targets "because of ongoing investigations."

The firm says it is working jointly with law-enforcement agencies, but it would not say whether Canadian police forces are involved.

The Canadian Bankers Association was also tight-lipped. "We have no information about which banks have been impacted by the reported hackers," CBA spokeswoman Kate Payne said in an e-mail.

She said Canadian banks actively monitor their networks and maintain them against threats, but she said the association has no information about when individual banks became aware of the malware.

The Group-IB-Fox-IT report said the malware is run by a criminal syndicate made up mainly of Russian and Ukrainian nationals, with a number of associates from other countries, including Belarus.

The group has its origin in a gang that had been using financial malware called Carberp to defraud consumer and corporate bank accounts in Europe and Russia.


After Russian security services arrested eight Carberp members in 2012, the remaining scammers refocused on penetrating the internal networks of banks rather than the clients' accounts.

"One of the members quickly realized that they can steal $2,000 a thousand times and earn $2-million, but also they can steal it in one time and immediately get it with much less effort," the Group-IB-Fox-IT report said.

The main infection method by the gang relied on targeted spear phishing, sending a bogus e-mail with malicious attachments to a bank employee from what appeared to be a real institution, central bank or client.

"The average time from the moment of penetration into the financial institutions' internal network till successful theft is 42 days," the Group-IB-Fox-IT report said.

While it said part of the money was transferred to Ukraine and Belarus, Kaspersky found that stolen funds were transferred to bank accounts in the United States and China.

"We believe that the Carbanak campaign is a clear indicator of a new era in cyber-crime in which criminals use APT [advanced, persistent threat] techniques directly against the financial industry instead of through its customers," Kaspersky concluded in its report.


In an update posted on its website, Group-IB said there had been a significant decrease in the hacking activity of the gang since December.

But no one has been arrested, Group-IB noted. "We have already seen such quiet periods. And while the people remain free, they will continue attacks. Their activity for the last two years proves that."
