In response to the news that the leader of the ring behind the infamous Carbanak malware, which caused ATMs to spit out cash and caused more than 1 billion euros of losses, has been arrested in Spain, IT security experts commented below.
Mark James, Security Specialist at ESET:
“Without specifics it’s hard to say how the actual investigations work, but often in these cases it could be that the individual concerned either made an error or was lured into a scenario that enabled law enforcement to track his or her whereabouts.
Internet anonymity is not as easy as it’s made out to be, it’s virtually impossible to be completely transparent in the digital universe especially if you are getting the attention of organisations worldwide. You also need help, many of the techniques shown here require others to physically be at the locations. With the widespread use visual tracking around these days it’s extremely difficult to move without being filmed somewhere especially in public places.
It’s unlikely that the money will be returned, some may if it’s able to be traced or stashed somewhere. The gangs have been working for a long time and money obtained this way has a nasty habit of being used for nefarious purposes or used to fund further bad actors.”
Ilia Kolochenko, CEO at High-Tech Bridge:
“I would remain cautiously optimistic about the news for several reasons.
First of all, it’s not crystal clear how the law enforcement agencies managed to identify and apprehend this person. Unfortunately, this arrest may not lead to mass arrests. Many cybercriminals use various methods to cover their identity in a reliable and technically untraceable manner, even among each other, so even the best investigators may not find them. Other cybercriminals, however, start exposing themselves in a pretty stupid manner, for example, by purchasing conspicuous luxury cars, boasting out loud about their criminal business in bars and casinos. Many of these hackers were caught mainly because of their imprudence and, unfortunately, not thanks to the technical capacity of our law enforcement agencies.
This case is rather an isolated arrest so far – many professional cybercriminals enjoy impunity and continue their illicit activities. Law enforcement agencies need more financial support from governments to conduct their investigatory and prosecution activities with more effectiveness and stronger results.
Last, but not least, the remaining cyber gangs will likely take additional precautionary measures to hinder and impede any pending investigations against them.”
Kaspersky Lab welcomes recent law enforcement operation against Carbanak group
“The recent success in the fight against the Carbanak cybercriminal group is very good news for the whole industry and highlights how the exchange of information between countries is especially important in countering cybercrime,” says Sergey Golovanov, Principal Security Researcher in the Global Research & Analysis Team, Kaspersky Lab.
Carbanak is an advanced persistent threat (APT)-like campaign, using targeted attack tools to hit financial institutions around the world for the main purpose of theft.
It was uncovered in 2015 by Kaspersky Lab together with INTERPOL, Europol and a number of other law enforcement authorities based on incident back to 2013. At the time, the group was using a range of tools, including a program called Carbanak. After the publication of Kaspersky Lab’s findings in 2015, the group adapted its tools and started to use Cobalt-strike malware as well as its servers’ names and infrastructure.
The group uses social engineering techniques, such as phishing emails with malicious attachments (for example Word documents with embedded exploits), to target employees in financial institutions of interest. Once a victim is infected, the attackers install a backdoor designed for espionage, data theft and remote management of the infected system, looking for financial transaction systems.
At the time of discovery, Kaspersky Lab researchers estimated that the Carbanak group had stolen up to a $1 billion. Since 2013, the group has hit more than 100 banks, e-payment systems and other financial organizations, in at least 30 countries in Europe, Asia, North and South America, and other regions, stealing more than billions of dollars from victims.
Based on the successful research into Carbanak, in 2016, Kaspersky Lab discovered two groups acting in a very similar way to Carbanak – Metel and GCMAN. They were attacking financial organizations using covert APT-style reconnaissance and customized malware, along with legitimate software and new, innovative schemes to cash out. Other actors have also implemented Carbanak-like techniques, tactics and procedures, for instance Lazarus and Silence.
Given the international scale of these actors’ activities, we believe that there are dozens of people involved in this cybercrime activity. Discovered artefacts in the malicious files and victims’ computers suggest that the creators of the Carbanak malware are Russian-speaking. Although, to perform cybercriminal activities in each country the group generally also looked for a native speaker.
