This Bitdefender forensic investigation reconstructs the complete attack timeline and behaviour of Carbanak, a notorious financially motivated cybercriminal group.
In mid-2018, Bitdefender researchers investigated a targeted attack on an Eastern European financial institution, gaining new insights and creating a complete event timeline showing how the infamous group Carbanak infiltrates organisations, how it moves laterally across the infrastructure, and the time it takes to set up the actual heist.
While most forensic investigations focus on offering a highly technical analysis of the payloads used by the Carbanak group, Bitdefender’s investigation offers a complete timeline of events, from the moment the email reached the victim’s inbox to the moment of the heist.
Carbanak is one of the most prolific APT-style campaigns, and it specifically targets the financial sector. Discovered in 2014, the campaign quickly gained notoriety after compromising around 100 banks in 40 countries and stealing up to $1 billion in the process.
Banks in countries such as Russia, the United Kingdom, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan and Malaysia have allegedly been targeted with spear-phishing emails, luring victims into clicking malicious URLs and executing booby-trapped documents.
The same group is also believed to have used the Cobalt Strike framework to run its campaigns, plotting and carrying out heists against financial institutions. Following an investigation led by law enforcement in cooperation with cybersecurity companies, the alleged leader of the group was apprehended in Alicante, Spain, on March 26th, 2018.
Bitdefender’s forensic analysis revealed some key compromise tactics:
Financial institutions in Eastern Europe remain the primary focus of the criminal group, which uses spear phishing as its main attack vector.
The presence of Cobalt Strike tooling was the key indicator that these financial institutions were targeted by the Carbanak gang. Note that Cobalt Strike is a commercial post-exploitation framework used by many threat actors, so its presence alone does not attribute an intrusion; it should be read alongside the targeting, tradecraft and timeline described here rather than as attribution on its own.
In the reconnaissance phase, data related to banking applications and internal procedures was collected and staged for exfiltration, to be used in the final stage of the attack.
Infrastructure reconnaissance mainly took place after business hours or on weekends, to avoid triggering security alarms.
It took the attackers only a couple of hours to go from initial compromise to a fully established foothold and lateral movement, which points to experience, knowledge and coordination.
The final goal of the targeted attack was to compromise the ATM networks, potentially to cash out at ATMs in a coordinated physical and infrastructure criminal operation.
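Detection logic for two of the findings above, off-hours reconnaissance and rapid lateral movement, as an added example that is not part of the Bitdefender report. It runs over a handful of constructed Windows-style event lines (the hostnames, users, commands, timestamps and the 08:00 to 18:00 business window are all hypothetical), flags reconnaissance commands executed outside business hours or on weekends, and measures the time from the first event on the initially compromised host to the first network logon sourced from it on another host.

```python
import re
from datetime import datetime, time

# Constructed sample events (not from the Bitdefender investigation); hosts,
# users, commands and times are hypothetical.
# Format: ISO timestamp | host | user | event
SAMPLE_LOGS = """\
2018-06-11T09:12:00 | WS-ACCT-14 | jdoe | process: winword.exe invoice.doc
2018-06-11T09:12:31 | WS-ACCT-14 | jdoe | process: powershell.exe -nop -w hidden -enc <base64>
2018-06-11T09:40:05 | WS-ACCT-14 | jdoe | process: net view /domain
2018-06-11T11:05:10 | SRV-FILE-02 | jdoe | logon: type 3 from WS-ACCT-14
2018-06-12T23:15:20 | WS-ACCT-14 | jdoe | process: nltest /dclist:corp
2018-06-12T23:17:48 | WS-ACCT-14 | jdoe | process: net group "Domain Admins" /domain
2018-06-13T14:02:00 | WS-HR-03 | asmith | process: net view
2018-06-16T02:03:11 | SRV-ATM-01 | svc_backup | logon: type 3 from SRV-FILE-02
2018-06-16T02:05:40 | SRV-ATM-01 | svc_backup | process: cmd.exe /c dir C:\\
"""

# Assumed local working day; tune to the organisation's real schedule.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# Common host/domain discovery commands seen in hands-on-keyboard reconnaissance.
RECON_PATTERNS = re.compile(
    r"\b(net (view|group|user|localgroup)|nltest|whoami|ipconfig|systeminfo|"
    r"qwinsta|tasklist|nslookup)\b",
    re.IGNORECASE,
)
# Network logon (the equivalent of a Windows 4624 event with logon type 3).
LOGON_FROM = re.compile(r"logon: type 3 from (\S+)")


def parse_line(line):
    """Split one constructed log line into a dict with a datetime timestamp."""
    ts, host, user, event = [part.strip() for part in line.split("|", 3)]
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "event": event}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_off_hours(ts):
    """True on weekends or outside the assumed business window on weekdays."""
    if ts.weekday() >= 5:  # Saturday=5, Sunday=6
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def is_recon(event):
    """True for process events that run a known discovery command."""
    return event.startswith("process:") and RECON_PATTERNS.search(event) is not None


def off_hours_recon(text):
    """Reconnaissance commands executed outside business hours."""
    return [e for e in parse_logs(text) if is_off_hours(e["ts"]) and is_recon(e["event"])]


def time_to_first_lateral_movement(text, patient_zero):
    """Elapsed time from the first event on the initially compromised host to the
    first network logon on another host that originates from it, or None."""
    events = sorted(parse_logs(text), key=lambda e: e["ts"])
    first = next((e["ts"] for e in events if e["host"] == patient_zero), None)
    if first is None:
        return None
    for e in events:
        m = LOGON_FROM.search(e["event"])
        if m and m.group(1) == patient_zero and e["host"] != patient_zero and e["ts"] >= first:
            return e["ts"] - first
    return None


if __name__ == "__main__":
    for e in off_hours_recon(SAMPLE_LOGS):
        print(f"OFF-HOURS RECON {e['ts']} {e['host']} {e['user']}: {e['event']}")
    print("time to first lateral movement:",
          time_to_first_lateral_movement(SAMPLE_LOGS, "WS-ACCT-14"))
```

In a real deployment the same two checks would run over process-creation and logon telemetry (for example Windows 4688 and 4624 events, or EDR process trees) rather than this constructed sample, with the business window and the discovery-command list tuned to the environment; the off-hours filter is what turns routine administrative commands into a signal, since the same commands during the working day are usually noise.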