Cobalt Gang Makes ATMs Across Europe Spew Cash

A cyber-crime gang has tricked automatic teller machines in at least a dozen European countries, including the UK, into spewing out cash this year.

Findings by Russia-based computer security firm Group IB indicated that the heists were performed using remote, centralised methods that don’t require physical access to the machines.

European, Asian countries targeted

The same technique was used to remove cash from ATMs in Taiwan and Thailand in crimes reported over the summer.

Countries in which such thefts have been carried out include Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain and Malaysia, as well as the UK, Group IB said.

It called the relatively new technique “touchless jackpotting”, since it causes ATMs to spew cash in a way recalling a jackpot at a casino slot machine. The firm didn’t name the banks affected.

The attacks show that criminals are turning from the theft of payment card and online banking credentials to hacking directly into ATMs through banks’ internal networks, allowing large amounts of cash to be accessed at once.

The tools used are easily available on hacking sites, and attacks can be carried out in as little as 10 minutes, the company said.

Cobalt Strike

“This type of attack does not require development of expensive advanced software,” it stated.

In its report, released late on Monday, Group IB said it suspects that a single criminal gang is responsible for the ATM attacks across Europe.

It named the gang Cobalt after the threat emulation tool Cobalt Strike, which the gang used in its attacks.

The group first infected individual computers used by bank employees via infected emails, then moved across banks’ internal networks to take control of the specialised servers that control ATMs.

Group IB believes Cobalt is linked to another gang called Buhtrap, known for its theft of 1.8 billion rubles (£23m) from Russian banks between August 2015 and January 2016 using false wire transfers, because the two groups employ similar tools and techniques.

The February attack on Bangladesh’s central bank that stole more than $81 million (£65m) was carried out using a fraudulent SWIFT transfer.

Remote attacks

In July $2.5 million was stolen from Taiwan’s First Bank and $350,000 from Thailand’s Government Savings Bank using remote ATM attacks. Police said “money mules” travelled to the countries from Eastern Europe to receive the cash.

The US Federal Bureau of Investigation sent a private alert earlier this month to US banks, warning that they should expect attacks similar to the Asian assaults, The Wall Street Journal reported on Monday.

The FBI declined to comment on the matter.

Diebold Nixdorf and NCR, two of the largest manufacturers of ATMs, said they were aware of the incidents and had provided banks with information on how to prevent such attacks.

The British government this year formed a National Cyber Security Centre (NCSC) under the auspices of GCHQ to help protect the UK’s critical infrastructure from Internet-based attacks.

A May incident in which a gang of more than 100 members stole about £9m in cash from more than 1,400 Japanese ATMs is more typical of older techniques, as it involved forged credit cards using details stolen from a bank in South Africa.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
