Carbanak Cybersecurity Threat Is Overhyped, Banking Groups Say

The potential fallout from a gang of cyberthieves spreading the so-called Carbanak malware to steal $1 billion from banks across the world is far more limited than media reports would suggest, according to top officials at two U.S. groups tracking cyber threats.

Executives with the Financial Services Information Sharing and Analysis Center and the American Bankers Association said no U.S. banks have been affected and that the threat has been well known for some time.

"The Carbanak attacks are old news, something we've known about for months," said William B. Nelson, president and chief executive of the FS-ISAC, a Washington organization that facilitates the sharing of security threat information among banks. "We had shared the threat indicators and briefed our members."

The FS-ISAC's members include 60% of U.S. depository institutions, and all the largest banks have executives on the organization's threat intelligence committee. The committee members have looked for signs of the Carbanak malware and said their companies have not been impacted.

"I have a high degree of confidence that these institutions aren't somehow denying an impact," said Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA.

The well-coordinated "Carbanak Gang" hackers operate out of China and Russia, attacking banks by sending fake, malicious emails to their employees. When employees click on the email attachments, they download malware onto their computers, which exploits a vulnerability in Microsoft Word to break into the bank's servers. It lurks for a long time, learning about the bank's data, systems and processes and can even take command of video cameras on employee accounts to secretly spy on them. When the thieves take money, they do so by emulating legitimate employee activities in order to be less detectable.

To be sure, both the ABA and FS-ISAC acknowledged that U.S. banks may be targets of Carbanak, an advanced persistent threat and a strain of malware designed to infiltrate banks (some security researchers call it Anunak). But they said that so far, at least, U.S. banks have not been compromised.

"I would anticipate that U.S. companies are targeted," Johnson said. "There's always an interest in targeting U.S. companies; that's one of hackers' activities of daily living."

On the other hand, he observed, "It's one thing to be a target, which we are all the time, it's another thing to be exploited and infiltrated."

FS-ISAC and ABA member banks have been evaluating their systems to determine whether they've seen any signs of Carbanak, and nothing has turned up, Johnson said.

The nature of an advanced threat like Carbanak is that it's difficult to detect. Johnson acknowledged that it's possible that a U.S. bank could be a victim and not know it.

However, he said the large cashouts involved in the Carbanak scheme -- in some cases, hackers transferred out or withdrew as much as $10 million in a single transaction -- would have been noticed at a U.S. bank.

Kaspersky Lab researchers counter that the surveillance the Carbanak Gang has done on bank employees has given them the detailed knowledge they need (of items like withdrawal limits and compliance requirements) to do transactions in sizes that would fly under the radar.

But Johnson said the threat appears mostly against Russian banks.

"That doesn't mean our banks shouldn't be watchful as the threat continues, because as long as the criminals are successful and continue to advance, we need to be aware of that as a potentially," he said. "But it appears to be fairly concentrated on Russian banks at this point."

Chris Doggett, managing director of Kaspersky Lab North America, the company that first publicly reported the Carbanak threat, said the Carbanak Gang has targeted three dozen U.S. banks.

"We compromised a significant number of command and control servers used in these attacks," he said. "The hackers had software for managing their attacks across banks, and we could see information about those banks and their systems. We saw a number of U.S. bank targets, and we know definitively that at least one major U.S. bank was used as part of the Carbanak operation."

Doggett is skeptical of claims that no U.S. banks have been impacted.

"I'm not sure if it's feasible for somebody to go and talk to every bank that's out there in the U.S. and get an affirmative statement back from them, just given the amount of time it would take to do that," he said. "We know in many cases banks have been compromised but didn't know it yet. So even if you got a statement that they're clear, that doesn't necessarily mean they're clear. Given the amount of diagnostic information available, I'm not sure banks have been able to do all the tests to make that statement factual and definitive.

"We know this is a very sophisticated set of individuals who have done a very good job at remaining covert," he added. "To dismiss out of hand and say we weren't affected is a pretty risky position to take."

FS-ISAC and ABA executives said they are carefully watching the situation.

"We absolutely take it seriously," said Andrew Hoerner, spokesperson for FS-ISAC. "We've shared information amongst members, there were briefings from multiple vendors, Kaspersky and others, and there were select briefings between members of law enforcement as appropriate. It's something to keep an eye on. Malware and advanced persistent threats are things banks have to deal with constantly and be vigilant about. This is just one more in the mix."

Johnson views Carbanak as a "teachable moment."

"It gives financial institutions the warning, once again, that any environment can be susceptible to these kinds of threats and the methods of attack can be rudimentary, whether it's spearphishing or otherwise," Johnson said. "We want to make sure our financial institutions are aware of what this looks like and that employees may be vulnerable as a point of entry."

News of a cyberheist like Carbanak "should serve to make banks hypervigilant," said Avivah Litan, vice president of Gartner.

"You can't relax. The lesson learned is these guys do a lot of reconnaissance and they try to imitate regular employee behavior and this is further evidence of that. The problem everywhere, not just at banks, is people don't monitor employees closely enough."

While U.S. banks are scrambling to improve security, they haven't had the focus and the tools, she said. "We are a banking system under attack. It's not a pretty situation."

The Carbanak threat calls for a new level of security, Doggett argued.

"What we saw with Carbanak was a new attack template," he said. "They took a lot of things out of cyber espionage. This is troublesome to banks because they're very attractive targets and they don't have good defenses for some of the tactics these guys were using."

U.S. banks ought to take a close look at three things, he said: the way the attackers break into companies (using spearphishing and Carbanak malware); the surveillance and spying they did once they got inside the bank, as well as privilege escalation and the ability to take over legitimate accounts; and their ability to manipulate balances in e-payment and online banking systems.
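Kaspersky's point above, that the gang sized transactions to stay under withdrawal limits, and the third of Doggett's three areas, manipulation of balances in e-payment systems, both describe activity a bank's own transaction monitoring can look for. The following is an added example and is not code from the article, from Kaspersky Lab or from FS-ISAC: a heuristic that runs over constructed transfer records and flags an operator who repeatedly moves amounts just below a review limit within a 24-hour window, plus any transfer initiated outside business hours. The review limit, the "near" fraction, the window, the business-hours range and the sample records are all assumptions made for the example.

```python
"""Heuristic detection of transfers structured to stay under a review limit.

Added example; not Kaspersky's, FS-ISAC's or any bank's tooling. All
thresholds and sample records below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime      # when the transfer was initiated
    operator: str     # employee login that initiated it
    amount: float


# Hypothetical control: transfers at or above this amount need a second approver,
# so an attacker who has taken over an operator account has an incentive to stay below it.
REVIEW_LIMIT = 10_000.0
NEAR_FRACTION = 0.90              # within the top 10% below the limit counts as "near"
WINDOW = timedelta(hours=24)      # look for repeats within one day
MIN_RUN = 3                       # this many near-limit transfers in a window is suspicious
BUSINESS_HOURS = range(8, 18)     # 08:00-17:59 local time; anything else is "off hours"


def is_near_limit(amount, limit=REVIEW_LIMIT, frac=NEAR_FRACTION):
    """True if amount sits just below the limit (limit*frac <= amount < limit)."""
    return limit * frac <= amount < limit


def max_in_window(timestamps, window=WINDOW):
    """Largest number of timestamps that fall inside any single sliding window."""
    stamps = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(transfers, limit=REVIEW_LIMIT):
    """Return a list of alerts: ("structuring", operator, count) or ("off_hours", operator, iso_ts)."""
    alerts = []
    near = defaultdict(list)
    for t in transfers:
        if is_near_limit(t.amount, limit):
            near[t.operator].append(t.ts)
    for op, stamps in sorted(near.items()):
        n = max_in_window(stamps)
        if n >= MIN_RUN:
            alerts.append(("structuring", op, n))
    for t in sorted(transfers, key=lambda t: t.ts):
        if t.ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", t.operator, t.ts.isoformat()))
    return alerts


# Constructed sample: "jsmith" moves four amounts just under the limit in 17 hours,
# one of them at 02:30; "alee" is an ordinary day of business.
SAMPLE = [
    Transfer(datetime(2015, 2, 16, 9, 10), "jsmith", 9_800.0),
    Transfer(datetime(2015, 2, 16, 11, 45), "jsmith", 9_950.0),
    Transfer(datetime(2015, 2, 16, 14, 20), "jsmith", 9_700.0),
    Transfer(datetime(2015, 2, 17, 2, 30), "jsmith", 9_900.0),
    Transfer(datetime(2015, 2, 16, 10, 0), "alee", 4_000.0),
    Transfer(datetime(2015, 2, 16, 15, 30), "alee", 12_000.0),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

The two rules are deliberately cheap so they can run over a full day's transfer log; their value is in pairing them with the operator baseline a bank already keeps, since a takeover of a legitimate account shows up as a change in that operator's pattern rather than as an obviously bad transaction.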

Doggett draws an analogy to a physical robbery.

"If you're a bank and you see on your night video camera there's a guy trying to pick the lock on the back door of the bank, what do you do? It would be totally irresponsible to say, 'He didn't get in last night so I won't worry about it.' If you know somebody's trying to break into your bank, that's important information to know."

MORE FROM AMERICAN BANKER