I'll be the first to admit that every time another major breach story hits the mainstream media headlines, I'm the one ready to don the tinfoil cap and return to communicating only by pen and paper. Even with that as my default setting, I found Kaspersky Lab's Great Bank Robbery Report, released Monday, to be particularly nerve-wracking.
It's not the reported $1 billion stolen or the global scale of the breach that frightens me. Nor is it the potential for the attacks to threaten the safety of my personal identity (the Anthem breach has that covered, thank you very much). No, my night terrors here are the details about who the hackers targeted in the enterprise, and how they executed their crime.
As a banking consumer, I'm grateful for the fact that the so-called Carbanak hackers found a way to siphon money out of the targeted financial institutions without actually hurting the individual account holders. As someone who lives and breathes enterprise IT, I'm horrified at the fact that their spear-phishing campaign was so successful. That's right, they gained entry into financial institutions the old-fashioned way, by sending what security blogger Brian Krebs described as malware-laced Microsoft Office attachments that targeted very specific employees.
[ Why do hackers keep winning? Read How Malware Bypasses Our Most Advanced Security Measures. ]
Targeting employees via malware is a technique that is so old it's almost laughable. Hard to believe it still works, right? It's what happened once that hackers were inside that's really scary. The malware would crawl until it found the employees who administered the cash transfer systems or the bank's ATMs.
Kaspersky Lab sums things up quite nicely in its report, "Carbanak APT: The Great Bank Robbery":
Advanced control and fraud detection systems have been used for years by the financial services industry. However, these focus on fraudulent transactions within customer accounts. The Carbanak attackers bypassed these protections by, for example, using the industry-wide funds transfer (the SWIFT) network, updating balances of account holders, and using disbursement mechanism (the ATM network.)
The report goes on to note that, rather than exploiting a vulnerability within a particular service, these attackers studied internal procedures and pinpointed who within the organizations they should impersonate in order to authorize the movement of funds.
Here's a handy explanation of how the attack worked:
I'm far from an expert on security. I've never even played one on TV. Those who are smarter than me may find my fears unfounded. But the thought that people pretending to be senior executives in my company could be authorizing the transfer of huge sums of money scares the bejesus out of me. And, what if the hacker impersonating my boss informs me that I should authorize the transfer of said sums? What's the company's liability? What's the employee's liability? Would we both
Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.
be fired for embezzlement before anyone ever caught on that we weren't the guilty parties? That scares me. And I think it should scare you, too.
There's nothing new about the fact that the exploit involved an old Microsoft Office vulnerability for which a patch had long since been issued. We already know many organizations are sloppy when it comes to patch updates.
But the level of targeting – heck, let's call it stalking – that was involved in this attack seems pretty sophisticated to my untrained eye. The Kaspersky report noted that, as part of an automated reconnaissance phase, "the Carbanak malware checked victim systems for the presence of specialized and specific banking software. Only after the presence of these banking systems was confirmed were victims further exploited."
[ What did the Anthem breach teach us? Read Anthem Hack: Lessons For IT Leaders. ]
So, where does that leave enterprise IT, and others in your organization? Well, for starters, whatever education we're giving employees about how to identify potential malware can't possibly account for this kind of advanced persistent threat (APT). As Kaspersky stated in its report:
We believe that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through customers. APTs are not only for stealing information anymore.
Here's some advice from Kaspersky on the early warning signs that Carbanak has hacked you:
Sure, at the moment, the targets were financial institutions. It's really a high-tech version of cooking the books. Once the hackers were inside, according to Kasperksy, they were able to set up fake accounts, or add dollar amounts to real accounts, and then authorize the transfer of those sums out of the bank, either to ATM machines or to external accounts, without anybody catching on.
So, you don't work for a financial institution? Don't think you're off the hook. Banks are certainly not the only organizations moving around massive amounts of money every day. All major multinational corporations and government agencies could, potentially, have their finance and accounting systems fall prey to a similar attack.
According to Krebs:
Most organizations — even many financial institutions — aren't set up to defeat skilled attackers; their network security is built around ease-of-use, compliance, and/or defeating auditors and regulators. Organizations architected around security (particularly banks) are expecting these sorts of attacks, assuming that attackers are going to get in, and focusing their non-compliance efforts on breach response.
Have I scared you yet? If not, tell me why. And, if you are as terrified as I am, tell me how you plan to address this in your organization. Let's discuss in the comments section below.
Attend Interop Las Vegas, the leading independent technology conference and expo series designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities, and classes that will help you set your organization’s IT action plan. It happens April 27 to May 1. Register with Discount Code MPOIWK for $200 off Total Access & Conference Passes.Susan Nunziata leads the site's content team and contributors to guide topics, direct strategies, and pursue new ideas, all in the interest of sharing practicable insights with our community.Nunziata was most recently Director of Editorial for EnterpriseEfficiency.com, a UBM ... View Full Bio