Mastermind of EUR 1 BILLION global cybercrime gang arrested

27 Mar 18

Europol has announced that the suspected leader of the crime gang behind the Carbanak and Cobalt malware attacks, which targeted over 100 financial institutions around the world, has been arrested in Spain.

It was no small effort, requiring a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Moldovan, Belarusian and Taiwanese authorities and private cyber security companies.

The cybercrime gang has been prominent since 2013, attacking banks, e-payment systems and financial institutions using the aforementioned malware that they designed.

According to Europol, the gang has assaulted banks in more than 40 countries resulting in cumulative losses of more than EUR 1 billion – the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist.

The criminals would send spear phishing emails with malicious attachments to bank employees, impersonating legitimate companies. Once the attachment was opened, the malware gave the cybercriminals remote control of the victim’s machines, from which they went on to infect the servers controlling the ATMs.

The money was then cashed out by one of the following means:

  • ATMs were commanded to spit out cash at a pre-determined time where one of the gang members was waiting to collect
  • The e-payment network was used to transfer money out of the organisation and into criminal accounts
  • Databases with account information were modified so that bank account balances would be inflated, with money mules then being used to collect the money

Head of Europol’s European Cybercrime Centre (EC3) Steven Wilson says cooperation was central to this operation as the mastermind, coders, mule networks, money launderers and victims were all located in different geographical locations around the world.

“The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity,” says Wilson.

“This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”

We spoke with two cybersecurity experts about the arrest, and they both remain ‘cautiously optimistic.’

Cybereason senior director intelligence services Ross Rustici says it’s positive news for cybersecurity around the world.

“The manner in which this individual was caught continues to demonstrate the importance of public-private partnerships and the global nature of cybercrime,” says Rustici.

“The inclusion of police agencies in at least five different countries demonstrates how difficult it can be to track a single actor through all of their online activity and the jurisdictional challenges law enforcement faces while pursuing these criminals.”

Rustici says the ultimate downfall was spurred on by what ends up bringing down most organised crime groups – accounting. This reinforces the need for law enforcement to continue focusing on traditional ‘follow the money’ angles as much as cyber forensic capabilities.

“Pinching these types of actors from both a prevention of movement in cyberspace and a reduced ability to enjoy their illicit gains often results in the largest successes for law enforcement,” says Rustici.

“What remains to be seen is whether this arrest will result in a serious degradation of Carbanak’s capabilities or merely a short-term hindrance while the group refocuses its activity.”

High-Tech Bridge CEO Ilia Kolochenko says there are several reasons to be apprehensive about the news, the first being that it’s not yet crystal clear how law enforcement managed to identify and apprehend the perpetrator.

“Unfortunately, this arrest may not lead to mass arrests. Many cybercriminals use various methods to cover their identity in a reliable and technically untraceable manner, even among each other, so even the best investigators may not find them,” says Kolochenko.

“Other cybercriminals, however, start exposing themselves in a pretty stupid manner, for example, by purchasing conspicuous luxury cars, boasting out loud about their criminal business in bars and casinos. Many of these hackers were caught mainly because of their imprudence and, unfortunately, not thanks to the technical capacity of our law enforcement agencies.”

Kolochenko says that so far this case is an isolated arrest, with many professional cybercriminals still enjoying impunity and the freedom to continue their illicit activities.

“Law enforcement agencies need more financial support from governments to conduct their investigatory and prosecution activities with more effectiveness and stronger results,” says Kolochenko.

“Last, but not least, the remaining cyber gangs will likely take additional precautionary measures to hinder and impede any pending investigations against them.”
