Posted on October 11, 2017 at 12:30 PM

Unidentified Hackers Steal $40m From ATMs

An unknown hacking group launched a hacking campaign which targeted banks in Eastern Europe and Russia.

Earlier this year, an unknown hacking group stole an estimated $40m in a sophisticated hacking campaign that targeted several banks located in Eastern Europe and Russia. What made this hacking campaign particularly complex is the implementing of both cyber intrusion as well as physical involvement.

The attackers withdrew large sums of money from targeted ATMs. The hackers targeted ATMs that were not located in the specific bank’s country of origin. This allowed the hackers to steal millions, without the bank even being aware of the breach.

The theft was investigated by security experts at Trustware. According to investigations, cybercriminals used cash mules to physically go to the targeted bank, open an account, and get a new debit card linked to the new account.

The new debit cards were then distributed to other countries where the bank in question still had ATMs. Once the cards were distributed, hackers breached the bank’s network, accessed the internal system, and manipulated the debit card to such an extent, that the debit card was allowed a high overdraft level. Hackers were also able to remove all anti-fraud controls on the accounts in question.

After the debit cards were manipulated, they were used to withdraw large amounts of cash from several ATMs in various locations across Eastern Europe and Russia.

According to Trustware security experts, Thanassis Diogos and Sachin Deodhar, cash withdrawals started the moment debit cards were sufficiently manipulated. It is estimated that the hackers stole around $10m from each targeted bank.

Law enforcement authorities did manage to view certain mules who met up with other suspects involved in the crime, via security camera footage. According to researchers, these meetings were likely held for mules to deliver the cash, and obtain their fee.

The hackers manipulated all targeted banks’ admin accounts to such an extent that it allowed the hackers full access to the banks’ entire infrastructure. In addition, hackers installed a legitimate monitoring software, Mipko, which could capture screens, keystrokes and various other activities.

Trustware security experts stated that they believe that the responsible hackers had previously managed to obtain deep knowledge regarding every targeted bank’s infrastructure and network. The experts stated that considering the precision of the attack, hackers must have had inside information prior to executing the attack.

In addition, the hackers also demonstrated a vast understanding of every bank’s processors environment, as well as the card management software. This knowledge is ostensibly why they were able to manipulate the debit card properties such as the overdraft limit and risk rating with such precision.

The hackers employed special malware to erase all their activities after the attack was executed, presumably to thwart forensic investigations. Trustwave researchers stated that the hackers’ “tradecraft” has suggested involvement with other cybercrime syndicates.

It is still unknown exactly how many banks were targeted, and even if all targeted banks are yet aware of the activity. It is also still unclear whether the stolen money can be recovered.

Trustwave security experts stated that this attack symbolizes a severe threat to financial institutions worldwide. Despite the fact that the attacks targeted Russian and Eastern European banks, experts believe that this type of attack could soon migrate to other countries.