Mastermind suspected of stealing £870m (€1bn) arrested for Carbanak, Cobalt banking malware campaigns
European police have potentially landed a hugely important victory in their fight against cyber criminal gangs targetting the banking industry.
It comes after the leader of the crime gang behind the Carbanak and Cobalt malware attacks that had targetted over a 100 financial institutions worldwide was arrested in Alicante, Spain.
Cyber attacks against financial institutions can be profitable – for a while at least. In December for example, Moscow-based computer security firm Group-IB identified a gang of cyber-thieves called MoneyTaker as stealing around $10 million (£7.5m) in a string of heists that targeted a number of banks.
But now Europol has said that it has arrested the mastermind of the criminal gang “after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarussian and Taiwanese authorities and private cyber security companies.”
This gang has been operating since 2013, and they have attacked banks, e-payment systems and financial institutions using pieces of malware they designed (Carbanak and Cobalt).
They are thought to be responsible for the loss of over 1 billion euros (£870m) for the financial industry, as the Cobalt malware alone allowed criminals to steal up to 10 million euros (£8.7m) per heist.
When the gang first started in 2013, they used the Anunak malware campaign that targeted financial transfers and ATM networks of financial institutions around the world.
“By the following year, the same coders improved the Anunak malware into a more sophisticated version, known as Carbanak, which was used in until 2016,” Europol said. “From then onwards, the crime syndicate focused their efforts into developing an even more sophisticated wave of attacks by using tailor-made malware based on the Cobalt Strike penetration testing software.”
Essentially, all these attacks would follow a familiar pattern.
First the gang would send banking staff spear phishing emails with a malicious attachments impersonating legitimate companies. When these attachments were downloaded, the criminal gang gains remote control of the victims’ infected machines.
This gave them access to the internal banking network and allowed them to infect the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.
In late 2016 for example, a cyber-crime gang tricked automatic teller machines in at least a dozen European countries, including the UK, into spewing out cash.
The same technique was also used to remove cash from ATMs in Taiwan and Thailand.
“This global operation is a significant success for international police cooperation against a top level cybercriminal organisation,” said Steven Wilson, head of Europol’s European Cybercrime Centre (EC3).
“The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity,” said Wilson. “This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”
“This is the first time that the EBF has actively cooperated with Europol on a specific investigation,” said Wim Mijs, CEO of the European Banking Federation. “Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang.”
Whilst the arrest of this alleged criminal mastermind is a welcome development, the scary thing for most people is the worry that British banks are dramatically under-reporting computer attacks due to their fear of bad publicity.
Do you know all about security? Try our quiz!