How cyber criminals offer ‘service’ to even bring a country down 

It is almost confirmed that an organised gang was involved in the recent ‘WannaCry’ ransomware attack that hit more than 150 countries around the world crippling their financial systems

Abhijit Roy

Have you heard of Carbanak, Banswift or Odinaff? If you haven’t, then you’re just plain lucky. These are organised cyber-criminal gangs offering ‘crime as a service’ to those who want to rent their services, ranging from robbing a bank, to attacking a country’s economic units like power stations and oil rigs, or helping countries to influence the politics of another country. In technical terms, ‘crimeware as a service’ refers to organised crime rings offering services such as on-demand distributed denial-of-service attacks and bulletproof hosting to support malware attacks.


It is almost confirmed that one such organised gang was involved in the ongoing ‘WannaCry’ ransomware attack that has hit more than 150 countries around the world, including India, crippling their financial systems. If you have come across ATMs that have been shut down in the last few days, then you can rest assured that they were victims of the ransomware attack, regardless of the fuzzy explanations being dished out by the bank authorities.


These criminals are using highly sophisticated programmes to create very simple tools to break into your bank account, steal your password and ID to transfer your money to their own systems or hack into corporate systems to lock their servers and hold them to ransom till such time they pay up to release the malware, or the malicious software that has caused the trouble. The most dangerous part of this is that in the underground markets, ransomware toolkits can fetch up to $1,800, according to cybercrime experts, and they are often sold as ‘Crimeware-as-a-Service’.


Alarmingly, Crimeware-as-a-Service is rapidly becoming commoditised. This means that the prices for everything from hacking software to malware are becoming more affordable and accessible to anyone. Imagine if such malware were available to terror groups, who could possibly use it to break into a country’s nuclear installation and, in an apocalyptic scenario, trigger a missile launch. Incidentally, North Korea has been identified as a country that has used malware to attack banks in different countries, including Bangladesh, to steal money. This brings into focus the rising challenge of nation states launching cyberattacks against each other’s economic targets or influencing political decisions. Brexit votes and the US elections in 2016 are now being investigated for such attacks by Russian hackers.

Russia, too, has fallen victim to CyberGangs, as in the cyber heists by the Carbanak Gang. The gang derives its name from the banking malware used in countless high-dollar cyber heists. It is perhaps best known for hacking directly into bank networks using poisoned Microsoft Office files, and then using that access to force bank ATMs into dispensing cash. Russian security firm Kaspersky Lab estimates that the Carbanak Gang has, in all probability, stolen about $1 billion, but mostly from Russian banks.


This marks a major shift in the CyberGangs’ strategy of targeting banks themselves, instead of customers, as the heist can be much more rewarding. The ‘Banswift Group’ managed to steal $81 million from Bangladesh’s central bank by exploiting weaknesses in the bank’s security to infiltrate its network and steal its Swift (Society for Worldwide Interbank Financial Telecommunication) credentials, allowing them to make the fraudulent transactions.


Another group, known as Odinaff, was also found to be mounting sophisticated attacks against banks and other financial institutions. It too appeared to be using malware to hide customers’ own records of Swift messages relating to fraudulent transactions carried out by the group. Symantec, a US-based cyber security software and applications company, uncovered evidence linking North Korea to attacks on banks in Bangladesh, Vietnam, Ecuador and Poland.


A serious concern for CyberCops trying to crack the cyber crime codes is that the attacks are successful in stealing very large amounts and causing severe disruptions with rather simple tools or strategies, and even when the first wave of attack is stopped, they are coming back with an even more audacious onslaught within days or even hours. Carbanak, for instance, returned to their victims with significantly upgraded malware. This demonstrates the speed and versatility of this threat group.


The modus operandi is even more criminally dazzling in its sheer simplicity and finesse of execution. The attacks began via social engineering. An attacker called the customer contact line saying that they were unable to use the online reservation system and requested to send their information to the agent via email. The attacker stayed on the line until the agent opened the attachment contained in the email and hung up when his attack was confirmed successful. The email attachment was a malicious Word document that contained an encoded VBS (Visual Basic Script) script capable of stealing system information, capturing desktop screenshots, and downloading additional malware.


One of the world's most widespread forms of banking malware has taken on a more advanced form of attack in order to dupe victims of some of the most high-profile banks in the world into giving financial details and login credentials. Gootkit, which has been in operation since 2014, is one of the most active Trojan software in the financial world that, instead of infecting a banking user’s device, dupes victims into visiting a website that looks exactly like that of their banks, including the URL address, but it’s a fake version designed to steal the credentials and then use them to break into the account.


An even more serious threat has been found in the form of a collaboration between CyberGangs of different countries, often being backed up by the countries themselves to disrupt economic assets. Last year, Ukraine’s power plants were shut down by such attacks. For 18 days in the month of April this year, a team of computer security experts in the US found themselves engaged in a digital version of hand-to-hand combat with a group of hackers determined to break into the network of a military contractor.


Every time the hackers, believed to be Iranian, gained a toehold in one server, the defenders shut down their access. A few days later, the hackers would come in through another digital door, and again the defenders would block them. While dueling with the hackers, experts from a Silicon Valley cyber-security firm encountered something that they had never seen before when dealing with an Iranian cyberattack: a Russian connection.


Specifically, they found that the Iranians were using a tool set developed by a known Russian hacker-for-hire and sold in underground Russian forums. The tool had popped up in connection with an attack in Ukraine in 2015, when Russian hackers successfully shut down parts of Ukraine’s power grid. But the intrusion represented a “historic” partnership between Iran’s hackers and Russians who are auctioning their skills and tools to the highest bidder. This is altering the cyber war scenario dramatically, like terrorist groups hiring their services for ransom, kidnapping, robbing, waging war or even bringing countries to conflict.


As the world moves toward billions of connected devices in the ‘Internet of Things’ era of the Fourth Industrial Revolution, the possibilities of such gangs hacking into the controls of unmanned devices and weaponising them is a chilling thought. We can only hope that our CyberCops will be armed with even more sophisticated intelligence and technologies to stay a step ahead of the CyberCrooks.


Abhijit Roy writes on technology issues. He is based out of Kolkata.

Published: 22 May 2017, 9:08 AM