We have seen many headlines about massive data breaches caused by cyber criminals who steal personal information with the ultimate goal of making money. But sometimes, they go straight for the cash. Kaspersky Lab is reporting that a multinational group of hackers was able to steal approximately USD 1 billion from financial institutions.
Through a phishing attack involving Microsoft Office files, the thieves were able to gain access to banks' internal networks and install the malware Carbanak. Among its capabilities, Carbanak can generate and export low-resolution videos of screen activity. This allowed the hackers to study the infected companies' processes and infrastructure. Using that knowledge, the thieves then transferred money out of the banks and masked these transfers as normal activity. Most notably, at some institutions, they programmed ATMs to dispense cash, which accomplices then collected.
In some cases, hundreds of machines at an individual institution were infected and then monitored for two to four months. While the thieves usually limited themselves to about USD 10 million per institution, some banks suffered greater losses. One bank suffered USD 7.3 million in ATM theft plus a loss of USD 10 million due to the exploitation of its online banking platform. Around 100 banks were infected, and about half suffered financial loss. Most banks operated in Russia, the U.S., Germany, China, and Ukraine. Evidence suggests that the thieves may be expanding in Asia, the Middle East, Africa, and Europe.
The two greatest vulnerabilities in most computer systems are the users themselves and systematic organizational failures to update software. Both are at work here. Employees were tricked into clicking on malicious email attachments. Next, the malicious code that installed Carbanak exploited three known vulnerabilities, all of which have associated security patches, but those patches were not installed.
From an insurance perspective, the widespread adoption of common software tools leads to a correlation of cyber risks. In this case, the ubiquitous use of Microsoft Office products meant that the same vulnerability could be exploited repeatedly on many computer systems. An insurer of financial institutions should note that banks in disparate countries were linked by common software and procedures. In these cases, human weaknesses and vulnerable software created a perfect storm of opportunity.