中、俄、歐人組駭客集團犯案

〔編譯管淑平／綜合報導〕紐約時報十四日報導，俄羅斯電腦安全公司「卡巴斯基實驗室」（Kaspersky Lab）調查發現，成員包括俄羅斯、中國和歐洲人的犯罪集團，自二○一三年起利用惡意軟體入侵銀行電腦系統竊款，迄今已知卅國逾百家銀行受害，竊取金額至少三億美元（約九十五億台幣），而且竊款行動仍持續進行。卡巴斯基指出，以網路犯罪份子使用的伎倆和隱匿手法來說，本案可能是迄今所見最高明的攻擊案，有如電影「瞞天過海」（Ocean’s Eleven）。

紐時事先取得卡巴斯基實驗室預定十六日公布的報告內容，指稱此案起於一三年底烏克蘭首都基輔一處自動提款機，在無人操作取款的情況下不時地自動吐鈔，卡巴斯基調查後發現，銀行處理每日交易、帳務的內部電腦系統遭惡意軟體入侵。

調查指出，一個包含俄羅斯、中國和歐洲人的犯罪集團，寄發電子郵件給銀行員工，若有人不疑有他地打開，郵件夾帶的惡意軟體Carbanak便會植入銀行內部電腦系統，駭客藉此在銀行系統中尋找具轉帳、遠端連線自動提款機權限的使用者，找到後安裝「遠端登入工具」記錄使用者操作紀錄和擷取螢幕畫面回傳。

進入銀行系統 更改存款數字

駭客如此耐心觀察二到四個月，瞭解銀行作業程序後，利用遠端控制銀行電腦系統開始竊款，途徑包括直接以網路轉帳將錢轉入該集團的假帳號，或控制自動提款機吐鈔，派人在旁守候取錢。不過，最大筆竊款手法是進入銀行帳戶系統，更改存戶存款數字，例如原本一千元改為一萬元，然後將平白多出來的九千元匯出，存戶通常不會察覺有異，銀行也要一段時間才會發現問題。

報告說，至今已有卅國逾百家銀行和金融機構受害，有證據的資料顯示，透過在存戶帳戶動手腳竊款就達三億美元，實際總金額更可能是這個數字的三倍，但幾乎不可能確認總金額，因為駭客為了避免打草驚蛇，每次下手金額頂多一千萬美元，有時金額相當少。有一家銀行光是因自動提款機吐鈔，就損失七百卅萬美元。

受害銀行包括俄羅斯、日本、美國和歐洲的銀行，但基於保密協議，報告未公布名稱。駭客的假帳號設立在中國、美國的銀行，包括摩根大通銀行、中國農業銀行等。美國白宮和聯邦調查局（ＦＢＩ）已聽取簡報，荷蘭及國際刑警組織也在調查本案。

Bank Hackers Steal Millions via Malware

By DAVID E. SANGER and NICOLE PERLROTHFEB. 14, 2015

http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html?_r=0

PALO ALTO, Calif. — In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.

But when a Russian cybersecurity firm, Kaspersky Lab, was called to Ukraine to investigate, it discovered that the errant machine was the least of the bank’s problems.

The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group — including Russians, Chinese and Europeans — how the bank conducted its daily routines, according to the investigators.

Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.

In a report to be published on Monday, and provided in advance to The New York Times, Kaspersky Lab says that the scope of this attack on more than 100 banks and other financial institutions in 30 nations could make it one of the largest bank thefts ever — and one conducted without the usual signs of robbery.

The Moscow-based firm says that because of nondisclosure agreements with the banks that were hit, it cannot name them. Officials at the White House and the F.B.I. have been briefed on the findings, but say that it will take time to confirm them and assess the losses.

Kaspersky Lab says it has seen evidence of $300 million in theft through clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.

The majority of the targets were in Russia, but many were in Japan, the United States and Europe.

No bank has come forward acknowledging the theft, a common problem that President Obama alluded to on Friday when he attended the first White House summit meeting on cybersecurity and consumer protection at Stanford University. He urged passage of a law that would require public disclosure of any breach that compromised personal or financial information.

But the industry consortium that alerts banks to malicious activity, the Financial Services Information Sharing and Analysis Center, said in a statement that “our members are aware of this activity. We have disseminated intelligence on this attack to the members,” and that “some briefings were also provided by law enforcement entities.”

The American Bankers Association declined to comment, and an executive there, Douglas Johnson, said the group would let the financial services center’s statement serve as the only comment. Investigators at Interpol said their digital crimes specialists in Singapore were coordinating an investigation with law enforcement in affected countries. In the Netherlands, the Dutch High Tech Crime Unit, a division of the Dutch National Police that investigates some of the world’s most advanced financial cybercrime, has also been briefed.

Continue reading the main story

The silence around the investigation appears motivated in part by the reluctance of banks to concede that their systems were so easily penetrated, and in part by the fact that the attacks appear to be continuing.

The managing director of the Kaspersky North America office in Boston, Chris Doggett, argued that the “Carbanak cybergang,” named for the malware it deployed, represents an increase in the sophistication of cyberattacks on financial firms.

“This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert,” Mr. Doggett said.

As in the recent attack on Sony Pictures, which Mr. Obama said again on Friday had been conducted by North Korea, the intruders in the bank thefts were enormously patient, placing surveillance software in the computers of system administrators and watching their moves for months. The evidence suggests this was not a nation state, but a specialized group of cybercriminals.

But the question remains how a fraud of this scale could have proceeded for nearly two years without banks, regulators or law enforcement catching on. Investigators say the answers may lie in the hackers’ technique.

In many ways, this hack began like any other. The cybercriminals sent their victims infected emails — a news clip or message that appeared to come from a colleague — as bait. When the bank employees clicked on the email, they inadvertently downloaded malicious code. That allowed the hackers to crawl across a bank’s network until they found employees who administered the cash transfer systems or remotely connected A.T.M.s.

Then, Kaspersky’s investigators said, the thieves installed a “RAT”— remote access tool — that could capture video and screenshots of the employees’ computers.

“The goal was to mimic their activities,” said Sergey Golovanov, who conducted the inquiry for Kaspersky Lab. “That way, everything would look like a normal, everyday transaction,” he said in a telephone interview from Russia.

The attackers took great pains to learn each bank’s particular system, while they set up fake accounts at banks in the United States and China that could serve as the destination for transfers. Two people briefed on the investigation said that the accounts were set up at J.P. Morgan Chase and the Agricultural Bank of China. Neither bank returned requests for comment.

Kaspersky Lab was founded in 1997 and has become one of Russia’s most recognized high-tech exports, but its market share in the United States has been hampered by its origins. Its founder, Eugene Kaspersky, studied cryptography at a high school that was co-sponsored by the K.G.B. and Russia’s Defense Ministry, and he worked for the Russian military before starting his firm.

When the time came to cash in on their activities — a period investigators say ranged from two to four months — the criminals pursued multiple routes. In some cases, they used online banking systems to transfer money to their accounts. In other cases, they ordered the banks’ A.T.M.s to dispense cash to terminals where one of their associates would be waiting.

Continue reading the main storyContinue reading the main storyContinue reading the main story

But the largest sums were stolen by hacking into a bank’s accounting systems and briefly manipulating account balances. Using the access gained by impersonating the banking officers, the criminals first would inflate a balance — for example, an account with $1,000 would be altered to show $10,000. Then $9,000 would be transferred outside the bank. The actual account holder would not suspect a problem, and it would take the bank some time to figure out what had happened. 

“We found that many banks only check the accounts every 10 hours or so,” Mr. Golovanov of Kaspersky Lab said. “So in the interim, you could change the numbers and transfer the money.”

The hackers’ success rate was impressive. One Kaspersky client lost $7.3 million through A.T.M. withdrawals alone, the firm says in its report. Another lost $10 million from the exploitation of its accounting system. In some cases, transfers were run through the system operated by the Society for Worldwide Interbank Financial Telecommunication, or Swift, which banks use to transfer funds across borders. It has long been a target for hackers — and long been monitored by intelligence agencies.

Mr. Doggett likened most cyberthefts to “Bonnie and Clyde” operations, in which attackers break in, take whatever they can grab, and run. In this case, Mr. Doggett said, the heist was “much more ‘Ocean’s Eleven.’ ”