An explosive report that hackers have stolen $10 million from U.S. and Russian banks over the past year and a half is drawing skepticism from experts who question whether such an event has really taken place.
The Moscow-based cybersecurity software company Group-IB claimed last week that a gang of criminals known as MoneyTaker had illegally stolen funds through the card processing systems of 16 U.S.-based companies, mostly community banks, in a series of attacks over the past 18 months. It was widely and uncritically reported by many media outlets, but there is no hard evidence this money was actually stolen.
The Financial Services Information Sharing and Analysis Center, to which 7,000 U.S. banks report all cybersecurity incidents, told American Banker it has analyzed the report and found no evidence that corresponds with a set of attacks like those described.
Outside analysts say that’s a red flag that the report’s conclusion is likely untrue.
“You couldn’t have attacks on 16 community banks without [the FS-ISAC] knowing about it,” said Avivah Litan, vice president at Gartner.
Litan argues that though the report probably accurately reported the type of attacks banks are facing, such attacks happen all the time, and the media gave the report’s dramatic conclusions too much credence.
“They can’t just take a threat intelligence company’s report on face value, they have to get verification for it from at least a couple of other sources and they [didn’t] do that,” said Litan.
What’s in the report
That doesn’t mean the report is without value, however.
Group-IB says a previously unknown hacker group called MoneyTaker used fileless malware to attack 20 companies, including 16 in the U.S. that were mostly community banks, starting in May 2016. (Such malware can insert itself in a victim computer’s memory, where it’s hard to detect.)
In an email exchange, Group-IB provided a somewhat different description of the victims, adding further confusion to the issue. It said that in 2016, six U.S. banks and one U.S. service provider were attacked as well as one U.K. software provider and two Russian banks. In 2017, eight U.S. banks, one law firm in an unspecified country and two Russian banks were victims, according to Group-IB. If that data is correct, it would add up to 14, not 16, U.S. banks and one U.S. service provider whose networks were penetrated by MoneyTaker. (A timeline in the report shows 14 U.S. banks and one credit bureau as victims, as well as one U.S. financial services provider whose breach was not confirmed.)
Most of the victims were small community banks breached through their card processing systems, the initial report claimed. “The average damage from each successful attack was 500,000 USD baseline,” the report said.
According to the report, MoneyTaker infiltrated First Data first, and from there attacked its U.S. community bank customers.
First Data denies its network was compromised, but said hackers were able to login to its system through the stolen credentials of bank customers. (This is similar to the Swift breaches last spring, where hackers perpetrated fraud by impersonating real Swift users.)
“In early 2016, STAR became aware that a third party had been targeting small financial institutions to gain access to the institutions’ computer systems,” the company said in a statement. “By accessing the bank’s computer systems, the unauthorized party was able to obtain and use the institution’s login credentials for the STAR Station, where financial institutions administer their STAR-issued debit cards.”
But the Group-IB report only refers to two instances of money being stolen from banks by MoneyTaker.
“It’s worded in such a way that it could have been that one or two attacks were successful,” Litan said. “It’s not saying all 16 were successful. They worded it strangely.”
Litan said the attacks may have occurred, but it doesn’t mean money was stolen. “It doesn’t mean any of this was successful or widespread against multiple banks,” she said. “They don’t name any banks. Just because they were attacked doesn’t mean they got the money. There are attacks going on all the time. A big bank gets thousands of attacks a day. That’s nothing new.”
She also cast doubt on the report’s ability to pinpoint what group was behind the attack.
“A lot of these threat intelligence firms try to get news coverage by saying, this was North Korea or this was Russia,” Litan said. “Some of them may be right, but it’s very difficult to come up with attribution. The government is the only one that can do that because they do human investigations and interrogate people. This was done by analyzing digital footprints; it’s very difficult to say that this was the same actor, same set of tools on the same platform.”
The attacks Group-IB observed might have been perpetrated by two or more groups.
“These are very common tools and tactics; there’s nothing unusual here,” Litan said.
What should banks do with scary threat reports?
Even if they’re flawed or exaggerated in their conclusions, reports like Group-IB’s have value in that they provide detailed descriptions, including malicious URLs and information about methods and tools used, of how an attack allegedly occurred.
A bank can apply those descriptions to its own infrastructure and try to determine if it or its customers are vulnerable to a similar attack. Then it can put the proper defense mechanisms in place.
Bill Nelson, president and chief executive of the FS-ISAC, recommends being part of an information-sharing network and surveying peers to find out if they’ve seen an attack or been affected by it.
“As part of an information-sharing body, you can confirm whether the attack was real or not,” he said.
He pointed out that any time a high-profile security attack on banks hits the press, often a bank’s board of directors will call the CEO, who will call the chief information security officer or whoever oversees security.
“You’re going to get a lot of inquiries at the bank about it, so I think the best thing to do is find out the truth,” Nelson said. “These types of reports are helpful in that they encourage people to raise the bar in their defenses.
“The more we do that, the more secure the nation’s banking system will be.”
Litan recommends hiring third parties that can explain what threats mean to a particular company.
“Most of the threat information out there is not actionable for banks,” she said. “There’s way too much noise in the system and it’s not actionable. That’s the biggest complaint our clients have. What companies need to do is find a company that gives you context around the threat that makes it actionable for your organization.”
But scare tactics in and of themselves have limited value, Litan says.
“What do you do with this report, get more paranoid?” she said. “We already have enough reason to be paranoid.”
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.