The Billion Dollar Carbanak Bank Heist
By Dave Hartley
The UK security industry has been prepared for this ‘leveling-up’ of the cyber criminal fraternities and the increased cyber threat. Measures are already in place to deal with the problem, and have been for some time.
UK financial institutions submit themselves to simulated targeted attacks, designed specifically to emulate the activities of real-world hackers, so that they can better defend their systems when the attack comes for real. This is performed as part of the CBEST/CSTAR schemes. The financial sector in the UK benefits from a scheme that is specifically designed to help financial organizations combat advanced threat actors and increase their cyber resilience to such targeted attacks; the scheme is also available to all commercial sectors of trade and commerce.
CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests. The public can have every confidence in the financial institutions engaged in the scheme to be doing everything they can to protect themselves and the public’s finances.
Security is a cost of doing business; this has been the case for a long time, and will continue to be so. An increased spend in such economically unstable times is unlikely for many. What is much more likely, and a more sensible, frugal and smarter spend, is a cyber security programme that combines human intelligence with technology solutions.
It comes as no surprise to us that the initial foothold obtained by the attackers was via a phishing attack; this technique continues to be a winning strategy time and again. MWR’s Phish’d service is a testament to this reality. When we run controlled phishing assessments against our clients for the first time, we often see a 60% success rate. This falls dramatically in subsequent engagements. What may come as a surprise to some is how long the attackers maintained their access, unnoticed. If the initial compromise has been missed, there is still a small window of opportunity for the defensive team within the compromised organization to react, provided they are looking for the right indicators of compromise (IOCs).
It is very likely that the compromised finance firms relied on numerous SIEM solutions to defend their environments. The breaches however illustrate that reliance on technology alone is not going to get the job done. A motivated and creative human attacker will almost always beat off-the-shelf compliance driven defences.
The funds transfer systems employed by financial organizations have many moving parts. Contrary to popular belief, it’s not that easy to siphon out cash, not at the push of a single button at least. There are a number of digital and physical stacked safeguards, countermeasures and processes in place. This is why the attackers observed the bank’s employees for so long. MWR’s methodology, when contracted to conduct simulated exercises of this nature, is very similar to that employed by the attackers. It takes a long time to fully understand the inner workings of a financial institution and its procedural and digital nuances. For example, a transfer of £100,000 to a fraudulent account may go unnoticed in an institution that is used to transferring in excess of £100,000 per transfer; in another organization, however, that amount wouldn’t be authorized and would actually set the alarm bells ringing. These rules are personal to each financier.
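To make the point about institution-specific rules concrete, the following is an added example (not code from MWR or from the original article) that builds a transfer-amount baseline from each institution’s own history and flags outliers against it, so that the same £100,000 transfer is flagged at one institution and passes at another. The institution names, history and transfer references are constructed sample data, and the median/MAD rule is an illustrative choice, not a description of any real bank’s controls.

```python
"""Per-institution transfer anomaly baseline (added illustration)."""
from statistics import median

# Constructed sample history of recent outbound transfer amounts (GBP).
# One institution routinely moves six-figure sums; the other does not.
HISTORY = {
    "wholesale_bank": [150_000, 220_000, 180_000, 310_000,
                       125_000, 275_000, 190_000, 240_000],
    "retail_bank": [1_200, 850, 2_400, 600, 3_100, 1_750, 980, 1_400],
}


def mad_threshold(amounts, k=5.0):
    """Robust upper bound for 'normal' amounts: median + k * scaled MAD.

    Median and median absolute deviation are used instead of mean and
    standard deviation so that a few large historical transfers do not
    inflate the baseline and hide a later anomalous one.
    """
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    return med + k * 1.4826 * mad  # 1.4826 scales MAD to ~1 sigma


def flag_transfer(institution, amount, history=HISTORY, k=5.0):
    """True when the amount is anomalous for *this* institution's baseline."""
    return amount > mad_threshold(history[institution], k)


def review_queue(transfers, history=HISTORY):
    """Apply the per-institution rule to a batch of (institution, amount, ref)
    tuples and return the references that should go to a human reviewer."""
    return [ref for inst, amount, ref in transfers
            if flag_transfer(inst, amount, history)]


if __name__ == "__main__":
    # Constructed batch: the same GBP 100,000 transfer at both institutions.
    batch = [("wholesale_bank", 100_000, "TXN-A"),
             ("retail_bank", 100_000, "TXN-B"),
             ("retail_bank", 3_000, "TXN-C")]
    for inst in HISTORY:
        print(f"{inst}: threshold GBP {mad_threshold(HISTORY[inst]):,.0f}")
    print("for review:", review_queue(batch))  # only TXN-B is flagged
```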
The tradecraft employed differs from attacker to attacker, however in principle most apply a similar approach. Once an initial foothold is obtained, the threat actor will perform internal reconnaissance looking to identify opportunities for lateral and vertical movement within the network. They’ll also begin to locate key systems and escalate their privileges. Once this activity is complete, they will often go very quiet, and wait and watch. A SIEM run by a competent team of security professionals, who are threat intelligence driven and who understand the threats to the business, can defend the network. An augmented intelligence driven approach is key.
Dave Hartley is a Managing Security Consultant for MWR InfoSecurity operating as a CHECK and CREST Certified Consultant (CTL/CCT/CSAM/CSAS). MWR InfoSecurity supply services which support their clients in identifying, managing and mitigating their cyber security risks. Dave has been working in the IT industry since 1998. His experience includes a range of security fields and disciplines. Dave is also a published author (SQL Injection Attacks and Defenses, 1st & 2nd editions), a Metasploit framework contributor, and has presented research at several internationally respected security conferences such as 44CON, BSides, CRESTCon, Sec-T, ZACon, DeepSec, T2 etc.