Why Kaspersky's Bank Robbery Report Should Scare Us All - InformationWeek


Commentary, 2/18/2015, 09:15 AM
Susan Nunziata

So, you don't work for a financial institution? Don't think you're off the hook for the kind of theft discussed by Kaspersky. Banks are certainly not the only organizations moving around massive amounts of money every day.


I'll be the first to admit that every time another major breach story hits the mainstream media headlines, I'm the one ready to don the tinfoil cap and return to communicating only by pen and paper. Even with that as my default setting, I found Kaspersky Lab's Great Bank Robbery Report, released Monday, to be particularly nerve-wracking.

It's not the reported $1 billion stolen or the global scale of the breach that frightens me. Nor is it the potential for the attacks to threaten the safety of my personal identity (the Anthem breach has that covered, thank you very much). No, my night terrors here are the details about who the hackers targeted in the enterprise, and how they executed their crime.

As a banking consumer, I'm grateful for the fact that the so-called Carbanak hackers found a way to siphon money out of the targeted financial institutions without actually hurting the individual account holders. As someone who lives and breathes enterprise IT, I'm horrified at the fact that their spear-phishing campaign was so successful. That's right, they gained entry into financial institutions the old-fashioned way, by sending what security blogger Brian Krebs described as malware-laced Microsoft Office attachments that targeted very specific employees.


Targeting employees via malware is a technique that is so old it's almost laughable. Hard to believe it still works, right? It's what happened once that hackers were inside that's really scary. The malware would crawl until it found the employees who administered the cash transfer systems or the bank's ATMs.

Kaspersky Lab sums things up quite nicely in its report, "Carbanak APT: The Great Bank Robbery":

Advanced control and fraud detection systems have been used for years by the financial services industry. However, these focus on fraudulent transactions within customer accounts. The Carbanak attackers bypassed these protections by, for example, using the industry-wide funds transfer (the SWIFT) network, updating balances of account holders, and using disbursement mechanism (the ATM network).

The report goes on to note that, rather than exploiting a vulnerability within a particular service, these attackers studied internal procedures and pinpointed who within the organizations they should impersonate in order to authorize the movement of funds.
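As an added illustration (not from the Kaspersky report or this article), here is a defender-side reconciliation check in Python: a transaction-level fraud rule sees only an ordinary outbound transfer, while comparing opening and closing balances against the posted ledger exposes a balance that was raised outside the ledger. The account ids, balances and ledger entries are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the Kaspersky report): opening and closing
# balances for three accounts, plus the transaction ledger that a conventional
# fraud-detection system watches. "ACC-2" has its balance raised with no ledger
# entry and is then drained by a transfer that looks legitimate on its own.
OPENING_BALANCES = {"ACC-1": 2500.00, "ACC-2": 1000.00, "ACC-3": 400.00}
CLOSING_BALANCES = {"ACC-1": 2300.00, "ACC-2": 1000.00, "ACC-3": 400.00}
LEDGER = [
    {"account": "ACC-1", "amount": -200.00, "type": "card_payment"},
    {"account": "ACC-2", "amount": -9000.00, "type": "swift_transfer"},
]


def unexplained_balance_changes(opening, closing, ledger, tolerance=0.005):
    """Return {account: gap} for every account whose balance moved by more
    than the posted transactions explain.

    A per-transaction rule finds nothing wrong with a single 9,000 transfer;
    only reconciling balances against the ledger shows that ACC-2 gained
    9,000 with no transaction behind it, which is the control gap the
    Carbanak report describes."""
    posted = defaultdict(float)
    for entry in ledger:
        posted[entry["account"]] += entry["amount"]

    gaps = {}
    for account, start in opening.items():
        expected = start + posted.get(account, 0.0)
        # An account missing from the closing snapshot is treated as unchanged.
        actual = closing.get(account, start)
        gap = actual - expected
        if abs(gap) > tolerance:
            gaps[account] = round(gap, 2)
    return gaps


if __name__ == "__main__":
    for account, gap in unexplained_balance_changes(
        OPENING_BALANCES, CLOSING_BALANCES, LEDGER
    ).items():
        print(f"ALERT {account}: balance differs from ledger by {gap:+.2f}")
```

Run against a real core-banking export, the check would be scheduled per settlement window so that an out-of-band balance update is caught before the disbursement that follows it.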

Here's a handy explanation of how the attack worked:

(Image: Courtesy of Kaspersky Lab)

I'm far from an expert on security. I've never even played one on TV. Those who are smarter than me may find my fears unfounded. But the thought that people pretending to be senior executives in my company could be authorizing the transfer of huge sums of money scares the bejesus out of me. And, what if the hacker impersonating my boss informs me that I should authorize the transfer of said sums? What's the company's liability? What's the employee's liability? Would we both


Susan Nunziata leads the site's content team and contributors to guide topics, direct strategies, and pursue new ideas, all in the interest of sharing practicable insights with our community. Nunziata was most recently Director of Editorial for EnterpriseEfficiency.com, a UBM ...
Comments
Stratustician
User Rank: Ninja
2/18/2015 | 1:23:14 PM
Fun with security
Definitely not alone when it comes to the reality of current IT and the risks that come from it. We've seen social engineering mixed with malware for a while now, and the fact that these things just seem to find larger holes to exploit makes it so much worse. Security training can definitely help, but the reality is that these types of attacks work phenomenally well when it comes to exploiting human behavior, and sadly, even with the right tools in place, these holes are destined to exist.
macker490
User Rank: Strategist
2/18/2015 | 2:44:41 PM
Re: Fun with security
"the hackers got around our most advanced security systems"

hardly

the problem is they didn't have any security systems: (short list)

1. use an O/S that cannot be modified by the activity of an application program

2. use public key encryption to authenticate transmittals: transactions, e-mails, software updates, forms, ...

3. use namespaces to isolate the activity of application programs

if we continue doing business as we have in recent years hacking will continue to get worse. have you had enough yet or is this still just "part of the cost of doing business"? the whole mess stinks.
Susan_Nunziata
User Rank: Strategist
2/19/2015 | 10:25:56 PM
Re: Fun with security
@macker490: So what's the deal then? Is it just more cost effective for corporations to allow themselves to get hacked like this than to invest in the resources required to protect themselves? Are they so well covered by insurance policies, and making so much $$, that even this level of money walking out the door is small change to them?
Susan_Nunziata
User Rank: Strategist
2/19/2015 | 10:23:02 PM
Re: Fun with security
@Stratustician: What perplexes me most is how corporations of such size and scope can have such a hard time keeping one step ahead of bad actors. I suspect, more than anything, that the problem is one of deciding where to invest $$ -- in security & training, or in stockholder pockets. Until the equation shifts and breaches become so crippling that they affect stockholder dividends, I suspect we'll just see attacks like this becoming so commonplace they won't even scare us anymore.
zerox203
User Rank: Ninja
2/19/2015 | 6:45:26 AM
Re: Why Kaspersky's Bank Robbery Report Should Scare Us All
The most striking thing to me is actually how mundane this attack is. Yes, it required great tact (for lack of a better word) and specificity on the part of the attackers, but it ran through a patched vulnerability in Microsoft Office and used a social engineering e-mail attachment to get itself running. I didn't even know banks used Microsoft Office. They didn't use a sophisticated packet-sniffing tool (or maybe they did at some point), they used monitor capture to physically look at someone's screen, watch what they were doing, and copy it. Like macker490 is saying, these are not new techniques - they're old techniques with new life in them. As you pointed out, Susan, these techniques could work on anyone - all it takes is a hacker that knows what to look for the way these guys knew what to look for in bank software. Maybe that's what makes them most dangerous.

One thing I have to disagree with Mr. Krebs on is the issue of mitigation vs prevention. Yes, IT security focuses on mitigation and DR rather than prevention. It may sound cool to say that that's because we're not up to the challenge of preventing breaches, but that's just not true. It's when a breach will occur, not if. It's the simple law of diminishing returns. Every amount you secure yourself above, say, the 90th percentile, costs exponentially more. Businesses (especially banks) are about making money. If a breach is unlikely and will cost you less than securing against it, then yes, you're in the right spot. Preparing thoroughly for disaster recovery is not a sign of weakness but a sign of pragmatism, and many actually under-invest here. I will agree that tons of businesses don't get this balance right, though, and not patching your Office software definitely falls on the wrong side.
Susan_Nunziata
User Rank: Strategist
2/19/2015 | 10:32:22 PM
Re: Why Kaspersky's Bank Robbery Report Should Scare Us All
@Zerox203: As the Anthem breach also showed, it all comes down to how these organizations make money. Anthem didn't encrypt its data because it wasn't required to do so by law. The cost, or inconvenience, of encryption was enough of a deterrent for them, because they faced no hefty fines if they didn't do it. Like banks, health insurance providers are for-profit organizations whose main goal is to keep their shareholders happy.

That said, you make a good point about playing the odds and finding the right balance between investing in prevention and leaving yourself open to a breach. In the case of what the Kaspersky report revealed, though, it's hard to believe that patch updating would have impacted the bottom line of the banks involved. It seems a bigger issue -- not enough employees in IT? sloppy governance? -- than just an accounting problem.
bwjustice
User Rank: Apprentice
2/19/2015 | 9:51:20 AM
Brian Krebs
The part that reads "security blogger David Krebbs" should refer to Brian Krebs instead. He's written a very good book lately, SPAM Nation. You should read it. That will probably scare the pants off you too.
Susan_Nunziata
User Rank: Strategist
2/19/2015 | 10:41:39 PM
Re: Brian Krebs
@bwjustice: Thank you for noticing that error, it's been corrected. I am clearly living proof of how sloppy humans can be, especially when working in haste and multi-tasking. If Mr. Krebs happens to have read this, I hope he accepts my apology!

I'll be picking up SPAM Nation for my weekend reading list. And if you never hear from me again, you'll know why.

:)
impactnow
User Rank: Author
2/19/2015 | 11:35:14 AM
Keeping up with the Hackers
Susan, yes, very scary, and it makes the point for multiple levels of authorization being required when money is moved in large quantities, and for tracking of actions related to money movement. The vulnerabilities still exist in so many places; it's time for cyber security to start catching up with the hackers.
Susan_Nunziata
User Rank: Strategist
2/19/2015 | 10:44:31 PM
Re: Keeping up with the Hackers
@impactnow: What will finally have to happen for corporations to invest where they need to? How big do the breaches have to get? How much damage has to be done to individuals? Or will this keep on escalating endlessly?
impactnow
User Rank: Author
2/25/2015 | 11:41:44 AM
Re: Keeping up with the Hackers
Susan, I completely agree. It's getting to a point that people expect breaches; it's very sad. I hate to over-regulate, but I think if fines were levied against companies for security breaches that were a result of their negligence, it might speed up security efforts at some organizations.
batye
User Rank: Ninja
3/2/2015 | 12:15:31 AM
Re: Keeping up with the Hackers
@impactnow, same here, I could not agree more... in my books it would make sense; corporate responsibility is a must in any case....
moarsauce123
User Rank: Ninja
2/20/2015 | 7:31:10 AM
Putin's Kaspersky
What scares me most is that these reports come from Kaspersky. Mr. Kaspersky is a far too close friend of Mr. Putin and anything that comes out of Kaspersky Labs should not be taken with just a grain of salt, but a full truckload of road salt. Kaspersky Lab might identify these things, but I am sure they take up on that idea, improve it, and pass it on to the Russian government.
Stratustician
User Rank: Ninja
2/20/2015 | 10:05:47 AM
Re: Putin's Kaspersky
@moarsauce123 I don't know how much truth there is to that. Kaspersky Lab is actually incorporated in the UK, despite having lots of Russian employees, and they do lots of work with huge government agencies such as Interpol and Europol. Do they have lots of employees in Russia? Of course; considering where a large pool of employees with the right skillsets for researching threats is, it makes sense to have folks from there. Just like we see Israeli and US based security companies with high ratios of employees based in those areas. But the fact that they are putting out public information about "here are the risks" and not pinning it to specific entities like other news outlets have done, or in a way that would be an easy way to shift blame to other governments, shows a bit about the character of the company.

With that logic, what if Trend Micro or McAfee had released the same info.  Would it be viewed the same way?

Just my 2 cents.
yalanand
User Rank: Ninja
2/22/2015 | 1:09:44 PM
Re: Putin's Kaspersky
@moarsauce123 I don't know how much truth there is to that. Kaspersky Lab is actually incorporated in the UK, despite having lots of Russian employees, they do lots of work with huge government agencies such as Interpol and Europol.

I agree. There would be diversity in an organisation, but that doesn't mean we would frame a being just because of his/her place of origin. This gives birth to false workplace ethics.
SachinEE
User Rank: Ninja
2/23/2015 | 1:33:39 PM
Re: Putin's Kaspersky
@yalanand: No, but companies should screen their employees better, evaluate their mental conditions and keep monitoring suspicious activity, now that might seem intrusive towards the singular privacy of an employee but it is needed to keep whistle blowing and damages in check.
batye
User Rank: Ninja
3/2/2015 | 12:14:13 AM
Re: Putin's Kaspersky
@SachinEE agree, but in my mind we only see the beginning of the problem, or just the tip of the mountain... as it's gonna be happening more and more... sad reality...
mak63
User Rank: Ninja
2/22/2015 | 1:15:51 AM
Re: Putin's Kaspersky
Kaspersky Lab might identify these things, but I am sure they take up on that idea, improve it, and pass it on to the Russian government.

I believe you should provide some facts or evidence of such bold statement.
yalanand
User Rank: Ninja
2/22/2015 | 12:52:11 PM
Re: Putin's Kaspersky
Kaspersky Lab might identify these things, but I am sure they take up on that idea, improve it, and pass it on to the Russian government.

I believe you should provide some facts or evidence of such bold statement.

I believe there is a backdoor whistle blower to every company that leaks out data to other fences of government, be it knowingly or unknowingly.
TerryB
User Rank: Ninja
2/20/2015 | 2:32:46 PM
Not ready for prime time
It just amazes me that there is no backlash yet on using Windows and Linux in business. The level of corruption which can be applied on the core o/s is beyond belief. You can't do that stuff to IBM mainframes or the IBM i5 server my company uses.

I know people love to argue that if Windows/Linux were patched and locked down correctly, this stuff wouldn't happen. But the fact that a running o/s can be corrupted for any reason means the design is fundamentally flawed in the first place. I read the detailed report Susan referenced in the article; that malware was changing stuff in a context that shouldn't have been allowed even if it was using God's credentials.

For example, I'm a full admin on my IBM i5 server. But under no circumstances can I touch what IBM calls the LIC (Licensed Internal Code) or directly manipulate memory. They have a level of abstraction between the commands I can use and that code which touches the physical resources of the hardware. Obviously Windows and Linux could use a little of that type of foresight.
Charlie Babcock
User Rank: Author
2/20/2015 | 6:27:28 PM
Stalking the intruder
Yes, this example of sly and persistent intrusion is alarming. I think we need behavior analytics that learn from routine system ops and recognize an activity that is out of line. Once it spots such a thing, it raises an alarm or shuts it down. I also agree with TerryB. Security was such a concern on the IBM mainframe when it first came out that the MVS operating system, when asked by an application process to do something, would query, "Who is your owner?" If no clear answer came back, it killed the process. With Windows, it's more like welcome the next visitor, check his credentials later.
yalanand
User Rank: Ninja
2/22/2015 | 12:53:45 PM
Re: Stalking the intruder
With Windows, it's more like welcome the next visitor, check his credentials later.

Windows Firewall is a terrible example of how a company can waste millions of dollars of resources for a design that is not even remotely beneficial.
SachinEE
User Rank: Ninja
2/23/2015 | 1:42:15 PM
Re: Stalking the intruder
I think Windows 10 would come with better protection from hackers, because Microsoft has had us quite hyped up about the facilities it will be providing and the support base it has promised to establish, since the support team for Windows 8 was just terrible.
batye
User Rank: Ninja
3/2/2015 | 12:17:03 AM
Re: Stalking the intruder
@SachinEE, with Windows 10 it's more like big Microsoft hype for now, until we see it on the market and see how it performs in the real world...
yalanand
User Rank: Ninja
2/22/2015 | 12:57:41 PM
Re: Stalking the intruder
Yes, this example of sly and persistent intrusion is alarming. I think we need behavior analytics that learn from routine system ops and recognize an activity that is out of line.

Even more so these days, since everything is going up into the cloud, and cloud, as we know, has a lingering issue of "safety and security" that still hasn't been solved. Old school identity management is severely backdated.
SachinEE
User Rank: Ninja
2/23/2015 | 1:37:01 PM
Re: Stalking the intruder
@yalanand: I agree with you on this one. Cloud systems offer better management of resources, but the extent of security in the cloud is wavering into a blurry line because security systems in the cloud are just, plain, bad. Companies that have taken up the cloud have their own team facilitating security for their utilities, and in the process are investing millions of dollars in cloud security. I think in 2 to 3 years cloud security would come cheaper.
batye
User Rank: Ninja
3/2/2015 | 12:19:20 AM
Re: Stalking the intruder
@yalanand interesting point... as these days many Co. do not want to spend... keep relying on the old approach toward security... keep stepping on the old rake... sad reality of a downturn economy...