
A Month in the Life of the Fight Against Cybercrime


February saw some hard-hitting Internet security announcements.

First, and in some ways the most shocking, was the announcement of Carbanak, or as the media dubbed it - 'the great bank robbery'. Banks are, of course, institutions that many people believe are immune from cyber threats. The research into this campaign began when a Ukrainian bank noticed that money was being dispensed 'at random' from cash machines. This initial enquiry soon extended way beyond this bank: it became apparent that up to 100 financial institutions had been hit by the same cybercrime gang since August 2013, with the total loss amounting to up to $1 billion.

After careful and prolonged analysis we discovered the nuts and bolts of the campaign. The attacks begin with spear-phishing e-mails sent to bank employees, with infected attachments. This gives the hackers their foothold in the bank, from which they are able to conduct espionage, collect data and steal money by mimicking the activities of legitimate bank staff. Once inside the system, hackers are able to move around the system until they find their points of interest - staff and processes that allow them to extract money from the infected system. The worrying thing is that this attack is still active.

Having tracked down administrators' computers, they are able to monitor and even physically record everything the infected member of staff does while servicing cash transfer systems. This enables them to transfer money and cash out, either using online banking systems or by manipulating ATMs to dispense cash at pre-determined times when members of the gang are lurking nearby to collect the cash.

Next came the announcement of a targeted attack campaign that the Global Research and Analysis Team at Kaspersky Lab believes surpasses anything seen previously, in terms of its complexity and sophistication. The attackers, known as the Equation group, have been active since at least 2001 and possibly for a lot longer than that. During this time, the group has infected thousands (possibly tens of thousands) of victims in more than 30 countries around the globe.

The group doesn't just infect its victims via the web, but also by physical means. Specifically, they use a technique known as 'interdiction', intercepting physical goods and replacing them with Trojanised versions. For example, participants attending a scientific conference in Houston were later sent a CD containing the conference materials: this CD was used to install one of the group's malicious implants on the victim's computer.

Several features of this campaign stand out. First, the group is able to re-write the firmware of more than a dozen hard drive brands, (a) to evade detection and prevent removal (even if the drive is re-formatted) and (b) to create a hidden area on the disk that can be used to store stolen data. Second, the group uses USB sticks to bridge the air-gap between an Internet-connected computer and the isolated network they want to target. Stolen data from the isolated network is stored in a hidden area on the USB stick; and when the stick is taken back to an infected Internet-connected computer, the data is uploaded to the group's Command-and-Control (C&C) servers. Third, the group makes use of a number of zero-day vulnerabilities (i.e. vulnerabilities for which there is no available patch), including some that were later to be used by the attackers behind Stuxnet and Flame.

Finally, there was the discovery of what is believed to be the first full-scale cyber-espionage campaign to be carried out by Arabic cyber-mercenaries. The group, known as Desert Falcons, has targeted multiple high-profile organisations in the Middle East (primarily Egypt, Palestine, Israel and Jordan) and elsewhere. In total, there have been 3,000 victims in over 50 countries across the globe - with over one million files stolen!

As with many targeted attack campaigns, Desert Falcons uses spear-phishing emails, social networking posts and chat messages to try and trick their victims into opening attachments and infecting their computer. In some cases, they use a sneaky coding trick (the so-called 'right-to-left extension override') to disguise the true nature of the attached files, making them look like innocent documents.
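For defenders, the 'right-to-left extension override' trick is easy to spot mechanically, because it relies on an invisible Unicode control character (U+202E) in the file name. The check below is an added example, not code from the research described here; the function names and sample file names are assumptions constructed for illustration, and the rendering logic is a simplification of how real software displays such names.

```python
import os
import unicodedata

# Unicode bidirectional control characters that can change the order in which
# the characters of a filename are drawn on screen.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}

def displayed_name(name):
    """Approximate what the user sees: characters after U+202E (RLO) are drawn
    reversed until U+202C (PDF) or the end of the name. This is a simplification,
    not the full Unicode bidirectional algorithm."""
    out, run, reversing = [], [], False
    for ch in name:
        if ch == "\u202e":
            reversing = True
        elif ch == "\u202c" and reversing:
            out.extend(reversed(run))
            run, reversing = [], False
        elif ch in BIDI_CONTROLS:
            continue
        elif reversing:
            run.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(run))
    return "".join(out)

def inspect_attachment(name):
    """Report bidi controls in a filename and compare real vs. displayed extension."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = displayed_name(name)
    real_ext = os.path.splitext(stripped)[1].lower()
    return {
        "bidi_controls": controls,
        "real_extension": real_ext,   # what the operating system acts on
        "displayed_as": shown,        # what the recipient reads
        "extension_mismatch": real_ext != os.path.splitext(shown)[1].lower(),
        "flag": bool(controls),       # any bidi control in a filename is suspect
    }

# Constructed sample names (not taken from the campaign).
SAMPLES = ["minutes.docx", "\u062a\u0642\u0631\u064a\u0631.pdf", "invoice_\u202excod.scr"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), inspect_attachment(sample))
```

Note that the second sample, a genuine Arabic file name, is not flagged: the check keys on the control characters, not on right-to-left script itself.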

You might wonder what a bunch of highly-sophisticated targeted attacks might have to do with us as individuals. But one common thread running through these, and many other, targeted attack campaigns is that individual employees are tricked into giving the attackers an initial foothold in the organisation they want to target. So we all need to be on our guard against such tricks, to avoid becoming the weakest link in the security chain protecting the companies we work for.