News: The Hack of the Century!


Although this century is still young, we may have just witnessed, with little fanfare, the "Hack of the Century." AV software developer Kaspersky of Russia recently announced that it has found that some hackers have stolen over $1 billion from banks around the world!

Advanced Persistent Threat (APT)

Advanced persistent threat, or APT, is a term that has come into wide use in recent years among the information security community. It was coined to cover the type of threats that come from highly sophisticated hackers, usually state-sponsored, that are advanced in their techniques and persistent in their approach.

APT has most often been associated with China's state-sponsored hacking from the West's perspective. The rest of the world might regard NSA's hacking and spying as APT. In any case, it has generally been limited to state security issues, cyber warfare, and cyber espionage. In the present case, it has morphed into cyber theft according to Kaspersky.

Nothing Like It in History

This group of hackers has accomplished what bank thieves have been trying to do for hundreds of years. With little fanfare and no guns or other weapons, it has committed the heist of the century!

What Happened?

Apparently, the cyber thieves in this case sent spear phishing emails to numerous banks around the world. Spear phishing is differentiated from phishing in that spear phishing has a very sharp point: these are emails that are specifically crafted to entice one chosen person to click on a link. When this person clicks on the link, their computer is compromised, and the attacker can then begin to attack other systems within the network.

Who said social engineering doesn't work any more?

Carberp Exploit

When the initial victims clicked on the link sent to them (only one person of thousands within an organization has to click), the Carberp malicious code was installed on their machine. These links or files were CPL (Control Panel) files and Microsoft Word documents. The attackers then infected other systems on the network and used screenshots, videos, and keyloggers to study the internal workings of the financial institution.

Usually, they studied for months before they had enough information to begin to wire money out of the banks. In some cases, they even created phony bank accounts and then withdrew the money from ATMs.

The Losses

The attackers were careful not to focus the attack on a single financial institution. At each bank, they withdrew $2.5 to $10 million, but they did this to hundreds of institutions. No depositor funds were lost, as these funds came from the institutions' reserves rather than individual deposit accounts.

Affected Institutions

Initially, the banks affected were primarily within Russia, the U.S., Germany, China, and the Ukraine. The fact that both the Ukraine and Russia were among the initial targets would lead one to believe that the attack source is within either of those two countries, but that is not necessarily so. These attacks are continuing, and new targets are being found every day, with Malaysian, African, and Middle Eastern banks the latest. By the time these guys are done, their take may be in the billions!

I think that this hack re-emphasizes what I have been saying here at Null Byte for a while. That is, hacking is the MOST important skill of the 21st century, for good or ill. Hacking is being used in cyber espionage, cyber warfare, industrial espionage, and cyber crime, to name but a few activities.

Hacking and hackers will change the world!

12 Comments

I've been retweeting this since first sight; more visibility and explanations are crucial when trying to get to people's awareness!

Thank you OTW for writing about this.

Bunch of Amateurs.
In Brazil, thieves stole R$18 billion from one single company (Petrobras).

I don't care which way you slice it; these guys are not amateurs in the slightest. This was a very sophisticated operation.

ghost_

It was sarcasm.
1 billion still is an impressive amount.

I've always had a soft spot for social engineering; I find it's much more satisfying, but that's just me.

I also love reading about things like this, will have to find more information on it.

ghost_

I guess beating off a human is more satisfying than exploiting the behaviour of a computer. You would guess that people can choose what's right and what's wrong. Apparently, cybersecurity is still a far away place for someone. Is infosec growing too fast to even fully understand it? Social Engineering will always be effective.

And, obviously, here it comes: "There's no patch for human stupidity".

I prefer, "There is no patch for human nature".

ghost_

Well-said guys. Very well-said.

I don't support illegal hacking but I'm curious what they will do next.

Just like in the movie, cool

I love that they only stole the banks' money, not money from bank customers.
