Hollywood lie: Bank hacks take months, not seconds

A modern bank cyber-heist is methodically planned and usually takes months.


A report published today by cyber-security firm Bitdefender gives one of the best views we ever got into the inner-workings of a modern bank heist, and more particularly, a bank heist carried out by Carbanak, a group of hackers responsible for stealing more than one billion euros from banks all over the world.

Methodical, slow, and paying close attention to not getting discovered, a Carbanak hack is like a slow-burning fire that makes its way across a forest.

Unlike Hollywood movies where bank cyber-heists happen within seconds, in the real world, hackers spend weeks inside banks' IT systems, gathering intel, and preparing for the day when they're ready to spring into action and steal funds.

Everything about a modern-day bank cyber-heist is... boring, even the hacking, which involves good ol' techniques like spear-phishing, vulnerability scanning, domain controller compromise, lateral movement, and the use of off-the-shelf, legitimate tools like Cobalt Strike.

It all begins with an email

Carbanak hackers are the ones who perfected bank cyber-heists, which is how they managed to steal over one billion euros.

The group's favorite method of breaching banks is the tried and tested technique of spear-phishing. Carbanak hackers target bank employees with waves of malicious emails crafted to fool even the most attentive employees.

The group's spear-phishing abilities are legendary among hacker groups, going in some cases as far as targeting tech support or call center operators to make sure bank employees had opened the malicious documents the group sent over via email.

The group's end goal is to get its malware on a bank's network, regardless of which department it manages to infect -- be it customer support, accounting, human resources, or IT. It doesn't matter, as the group only wants an initial foothold.

This is because Carbanak's malware is built to create a backdoor on infected systems, which hackers later use to move laterally across networks and departments.

Hacks take weeks or months -- not seconds

According to a timeline of events reconstructed by Bitdefender's investigators, the hackers take their time, meticulously making their way through the bank's network until they reach systems that store sensitive documents or have access to banking applications.

Timeline of a Carbanak attack (image: Bitdefender)

Gaining an initial foothold and expanding this initial access to other nearby systems usually takes a few hours, Bitdefender said, with the hackers "showing experience, knowledge and coordination" during these first steps, where they spread their tentacles to as many systems as possible.

But this is only the beginning. These hacks take days and weeks to carry out, with hackers checking each and every bank computer they manage to breach, thoroughly collecting everything they can.

Hackers steal more than money

According to Bitdefender, hackers aren't only interested in gaining access to computers with official banking apps that can facilitate illicit transactions.

Hackers are also after valuable files -- such as manuals describing banking procedures, installers for the bank's internal apps, documents with passwords for various apps and networks, and about anything they deem valuable.

Files stolen from these systems might look useless for the rest of us, but they may prove crucial in pulling off the current heist/hack without glitches down the line, and they may also be used later on for attacking banks that use similar IT systems or banking applications.

Bitdefender says Carbanak hackers gather these sensitive files on special computers that are designated as exfiltration points, and the data is encrypted and siphoned at carefully selected intervals.

Connections to command servers and exfiltration operations usually last between 20 minutes and an hour, so as not to trigger large traffic spikes -- the primary indicator through which Facebook noticed its own breach last year.

All of these operations happen either after working hours or during weekends, to avoid bank employees spotting irregular activity or any security alert that may pop up on a compromised host.
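The two traits described above (outbound sessions that run for 20 to 60 minutes to unfamiliar destinations, scheduled outside working hours or on weekends) are exactly what a defender can hunt for in network flow records. The following is an added example, not code from the article or from Bitdefender's report; the flow record format, the allowlist of sanctioned destinations, the thresholds and the sample records are all constructed assumptions. It groups outbound flows into sessions and flags the ones that are long, after-hours, and headed somewhere the bank does not normally talk to.

```python
"""Hunt for low-and-slow, after-hours exfiltration sessions in flow records.

Added example; the record format, thresholds and sample data are assumptions,
not Bitdefender's detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of sanctioned external services the bank talks to daily.
KNOWN_DESTINATIONS = {"198.51.100.5"}
SESSION_GAP = timedelta(minutes=10)    # a quiet gap longer than this closes a session
MIN_DURATION = timedelta(minutes=20)   # lower bound of the 20-60 minute window in the report
BUSINESS_HOURS = (8, 18)               # assumed local working hours, 08:00-18:00

# Constructed sample flow records: (timestamp, source host, destination IP, bytes sent).
# 10.0.0.0/8 hosts are internal; 203.0.113.0/24 is a documentation range standing in
# for attacker-controlled servers.
SAMPLE_FLOWS = [
    # Normal daytime traffic to a sanctioned SaaS address, Tuesday 10:00
    ("2019-05-07 10:00:00", "10.1.2.10", "198.51.100.5", 120_000),
    ("2019-05-07 10:02:00", "10.1.2.10", "198.51.100.5", 90_000),
    # Short after-hours beacon, Wednesday 22:00, too brief to match the pattern
    ("2019-05-08 22:00:00", "10.1.2.30", "203.0.113.9", 1_000),
    ("2019-05-08 22:01:00", "10.1.2.30", "203.0.113.9", 1_000),
]
# Staging host pushing data to an unknown address every 5 minutes, Saturday 02:00-02:45
SAMPLE_FLOWS += [
    (f"2019-05-11 02:{m:02d}:00", "10.1.2.50", "203.0.113.7", 400_000)
    for m in range(0, 50, 5)
]


def is_after_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def build_sessions(flows):
    """Group flows per (src, dst) pair into sessions separated by quiet gaps."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), nbytes))

    sessions = []
    for (src, dst), records in by_pair.items():
        records.sort()
        start = last = records[0][0]
        total = 0
        for ts, nbytes in records:
            if ts - last > SESSION_GAP:
                # Quiet period exceeded: close the current session and start a new one.
                sessions.append({"src": src, "dst": dst, "start": start, "end": last, "bytes": total})
                start, total = ts, 0
            total += nbytes
            last = ts
        sessions.append({"src": src, "dst": dst, "start": start, "end": last, "bytes": total})
    return sessions


def find_suspicious_sessions(flows):
    """Return sessions that are long, after-hours, and aimed at an unknown destination."""
    alerts = []
    for session in build_sessions(flows):
        duration = session["end"] - session["start"]
        if (session["dst"] not in KNOWN_DESTINATIONS
                and duration >= MIN_DURATION
                and is_after_hours(session["start"])):
            alerts.append({**session, "duration_min": int(duration.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_FLOWS):
        print(f"{alert['src']} -> {alert['dst']}: {alert['duration_min']} min, "
              f"{alert['bytes']} bytes, started {alert['start']}")
```

Run against the constructed records, only the Saturday 02:00 session from the staging host is reported: the daytime traffic goes to an allowlisted address, and the short beacon never reaches the 20-minute floor. Tuning the gap and duration thresholds, and keeping the allowlist honest, is where most of the real work sits; a session builder like this is also a natural place to add per-host baselines so a department's normal evening batch jobs do not drown the alert.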

But the end goal is to steal money, and eventually, all the snooping and creeping around the bank's network will give hackers a big-picture view of how the bank operates and let them decide on a day to trigger their attacks.

The Bitdefender report details a bank heist during which Carbanak tried to interact with the bank's ATM system to orchestrate a mass-withdrawal operation, but the same group has been seen in the past moving funds from the banks' normal accounts in other incidents.

This group has proven until now that it can adapt to any circumstance, even to situations where it lost crucial members.

For example, the original Carbanak group does not exist anymore because Europol tracked down and arrested the gang's leader in Spain in March 2018, and Ukrainian police arrested three other suspects a few months later, in August 2018.

But despite this, the group has continued its operations undisturbed, and continues to target banks to this day.

You can read more about Carbanak's tactics in Bitdefender's new report.
