Epic bank heist raised no alarms

Malware let thieves into accounts in 30 nations, report says

MOSCOW -- In late 2013, an ATM in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money were swept up by customers who appeared lucky to be there at the right moment.

But when a Russian cybersecurity firm, Kaspersky Lab, was called to Ukraine to investigate, it discovered that the errant machine was the least of the bank's problems.

The bank's internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group -- including Russians, Chinese and Europeans -- how the bank conducted its daily routines, according to the investigators.

And then it impersonated bank officers, not only turning on various cash machines, also but transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.

In a report to be published Monday, and provided in advance to The New York Times, Kaspersky Lab said the scope of this attack on more than 100 banks and other financial institutions in 30 nations could make it one of the largest bank thefts ever -- and one conducted without the usual signs of robbery.

The Moscow-based firm said that because of nondisclosure agreements with the banks that were hit, it cannot name them. Officials at the White House and the FBI have been briefed on the findings but said it will take time to confirm them and assess the losses.

Kaspersky Lab said it has seen evidence of $300 million in theft from its clients and believes the total could be triple that amount. But that projection is impossible to verify. The numbers are hard to assemble because the thefts were limited to no more than $10 million per transaction, although some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.

The majority of the targets were in Russia, but many were in Japan, the United States and Europe.

No bank has come forward acknowledging the theft, a common problem that President Barack Obama alluded to Friday when he attended the first White House meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information.

The industry consortium that alerts banks to malicious activity, the Financial Services Information Sharing and Analysis Center, said in a statement, "Our members are aware of this activity. We have disseminated intelligence on this attack to the members," and "some briefings were also provided by law enforcement entities."

The American Bankers Association declined to comment. Investigators at Interpol said their office in Singapore was coordinating an investigation with law enforcement in affected countries, and working with the Dutch High Tech Crime Unit, which handles investigations for some of the world's most advanced financial cybercrimes.

In many ways, this hack began like any other. The cybercriminals sent their victims infected emails as bait. When the bank employees clicked on the email, they inadvertently downloaded malicious code. That allowed the hackers to crawl across a bank's network until they found employees who administered the cash transfer systems or remotely connected ATMs.

Then, Kaspersky's investigators said, the thieves installed a remote access tool that could capture video and screen shots of the employees' computers.

"The goal was to mimic their activities," said Sergey Golovanov, who conducted the inquiry for Kaspersky Lab. "That way, everything would look like a normal, everyday transaction," he said.

The attackers took great pains to learn each bank's particular system, while they set up fake accounts at banks in the United States and China that could serve as the destination for transfers. Two people briefed on the investigation said the accounts were set up at JPMorgan Chase and the Agricultural Bank of China. Neither bank returned requests for comment.

When the time came to cash in on their activities, the criminals pursued multiple routes. In some cases, they used online banking systems to transfer money to their accounts. In other cases, they ordered the banks' ATMs to dispense cash to terminals where one of their associates would be waiting.

But the largest sums were stolen by hacking into a bank's accounting systems and briefly manipulating account balances. Using the access gained by impersonating the banking officers, the criminals first would inflate a balance -- for example, an account with $1,000 would be altered to show $10,000. Then $9,000 would be transferred outside the bank. The actual account holder would not suspect a problem, and it would take the bank some time to figure out what happened.

A Section on 02/15/2015

Upcoming Events