One of the largest data breach cases in the world, Carbanak, discovered this year, saw a data breach of more than 100 banks and the theft of between $500 million and $1 billion. We ask, how did the hackers behind Carbanak do it, and more importantly, how can your company stay safe from cybercrime?


Gaining Access to Sensitive Materials

Forensic analysis of the Carbanak attack determined that the point of initial infection to be a phishing email that utilized a CPL attachment. From there a number of exploitation methods were used, including known vulnerabilities within Microsoft Word. After the hackers executed their shellcode, a backdoor was installed on the system. This backdoor is what’s now referred to as Carbanak. It was designed specifically to be used for data exfiltration, espionage, and remote control over computer systems.

When the hackers got into their victim’s network, they took over their systems manually, with the goal of compromising relevant computers. They then used lateral movement tools to get through the networks to find what they were looking for. This varied based on the specific attack, but they all had one thing in common: a point in which it was possible to extract money.

The hackers behind Carbanak didn’t necessarily understand the inner workings of each bank they targeted, so they had to take special measures to understand each one, most notably through recorded videos that were sent via server to command and control centers. While the quality of these videos was generally pretty poor, when coupled with keylogged data it was enough for them to understand how to manipulate each bank.


Cashing Out

There were numerous ways in which the Carbanak hackers capitalized on the security breach:

  • They remotely controlled ATMs and had them dispense cash without any interaction with the ATM itself
  • The cash from infected ATMs was collected by people working for the hackers
  • They used the SWIFT network to transfer money from mules to the hackers’ accounts
  • Bank account information was altered to allow fake accounts to be created with high balances


Cabarnak Still Ongoing

Though much is now known about the Carbanak group, investigators have been unable to stop the attacks. They do know that as many as 100 targets have been hit. At least half of the financial institutions that were compromised had money stolen. The losses for each bank range between $2.5 million and $10 million, but total losses could be as high as $1 billion. This makes Cabarnak the most successful example of cyber crime by a wide margin.

Because most of the financial institutions that were initially targeted were located in Eastern Europe, investigators began in Ukraine and followed the trail to Moscow. As the investigation continued it became apparent that there were also targets in the United States, China, and Germany. The investigation has now expanded to include Kuwait, Nepal, Malaysia, and numerous regions in Africa. The group continues to operate and experts urge all financial organizations to constantly scan their networks. If they detect Carbanak, or other malware hackers, they should report it to law enforcement immediately.


Protecting Confidential Data via Good Security Practices

This case is not unique–cybercrime is on the rise all over the world. It’s clear from the Carbanak case, and others like it, that companies must prioritize exceptional security practices to avoid a security breach that could have catastrophic results.

Companies must ask themselves the following questions about their electronic media and storage:

  • Are we disposing of old data correctly? Throwing out old hardware disks, tapes, CDs, etc. leaves companies at significant risk for a data breach.
  • How are we reusing media? Media that contains sensitive information must be put through a thorough data removal process before reusing or donating to charitable organizations.
  • How are we tracking where our media goes? The best practices to avoid a security breach include ensuring companies can determine who accessed their data and what information was changed. eFileCabinet includes strong digital trails so companies can instantly see what’s been accessed, who accessed it when, and what information was changed.
  • Are we appropriately backing up our data? Data backup, and redundant backup, are essential to ensure a company can continue running in the event of a natural disaster, fire, or other catastrophic event. While it is important to keep data safe from cybercrime, appropriate data protection should also include measures to prevent a loss of data in the event that a company’s facilities are compromised, damaged, or destroyed.

Cabarnak shows that a company can’t go too far to secure their data. This is especially relevant to the financial industry, but it holds true across most businesses. eFileCabinet offers comprehensive products and services to make compliance, data storage, and data sharing simple and secure. Fill out the form on this page to learn more.