Security Now
Security is top-of-mind everywhere, especially right here where Juniper experts share their thoughts on the latest security breakthroughs and product advancements
Security Now
Hackers and nation states stealing from the banks
04.06.17

popcorn.JPG

For many years now, criminal gangs have stolen money from banks. It used to appear to be a lot more interesting. It used to be a lot scarier. It used to involve men in striped jumpers rushing into vaults with huge bags marked ‘swag’ and some edge-of-the-seat fast get-aways – using horses, vans, cars and even speed boats. Recently it has seemed to appear as rather dull. Of late, it has become a tale of mysterious, unseen people behind keyboards and screens.

 

The ‘excitement’ of the past fuelled many pages of fiction, hours of film, and even music about this form of criminal endeavour with stories of criminal plotting, horse and car chases, jealous lovers, double-crossing and often hilarious efforts of law enforcement that kept us entertained over the years.

 

Until recently, I was not sure that we would ever see that level of excitement being replicated on the silver screen based on the current digital form of bank heists. I mean, when banking trojans first started to appear in 2003 they were really dull. I can’t imagine many novels being written about a piece of code waiting for a customer to visit a bank’s web portal and then essentially pick-pocketing their account. Sure, trojans were a trend copied by cyber criminals all over the world, but the threats were relatively dumb and impact was relatively small. Hardly a thriller.

 

But maybe I’m wrong? The latest trends we’re witnessing do make the case for reasonable box office success.

 

In early 2016, there were a number of cases in the public domain that brought attention to the fact that there’s been a lot more going on here than first meets the eye.

 

In March 2016, the U.S. State Department made the unusual announcement that it had indicted seven hackers associated with the Iranian Government. The alleged crimes included attacking U.S. banks’ public websites from as far back as 2011 and all the defendants were working for two Iran-based computer security companies - ITSec Team and Mersad Co. - on behalf of the Iranian Revolutionary Guard Corps, a branch of the Iranian military.

 

Then June brought the news that Chinese state hackers were suspected of starting attacks on worldwide banking networks as early as 2006 and had begun uploading malware to the bank networks in 2013. China has been alleged to have a large network of hackers under the General Staff Department, Third Department, of its military, and they were accused of carrying out orders from the Chinese regime and of running operations..

 

Getting racy enough yet to intice you to buy the book? Maybe even visit the movie theatre? Well – we’re just getting started. A good script writer may even throw some sense of how the criminals are spending their gains into the drama of the movie, adding a bit of spice to the story to highlight the lifestyle and the ‘good times’ they are having on their victims behalf.

 

Well – that’s not hard to find in truth either. One Russian hacker, or ‘2pac’ to his cohorts, was arrested on his $1,470-a-night holiday in the Maldives by US authorities in July 2014. His laptop carried more than 1.7 million credit card numbers, which probably helped pay for his Dodge Challenger SRT, too.

 

No good crime movie is complete without the role of the shady syndicate boss pulling the strings from the top, and well yes – you guessed it, there’s been real-world evidence of that too – where the alleged leader of a global cybercrime syndicate offered his associates a Ferrari for the cyber criminal who came up with the best scam.

 

And as a plot twist, what about adding a rival criminal gang? I mean, surely these cyber criminals have so much opportunity that they don’t need to raid other gangs’ territories, right? Again, there has been evidence that in a digital sense, yes, they do – one criminal gang released the RSA private keys that allegedly corresponded to systems that had been infected with another gang’s ransomware application, to the public – rendering the opposing gang’s code useless. And if it is happening in the realm of ransomware, it could also happen in the equally-lucrative realm of bank cybercrime, I believe.

 

On top of all of this good source material, there is the blurry line between the ongoing activities of malware authors, cyber criminals and ‘State Sponsored’ malicious actors and it isn’t exactly clear who is doing what, on behalf of whom, and for what purpose. Computer code is borrowed, time zones can be changed, variable names and processes can be written in certain styles, fonts and languages – and all done in an effort to ‘hide’ who is ultimately behind the attacks.

 

As we have seen more recently in the news, there are even techniques that can be used to deliberately obfuscate and leave a footprint behind that identifies someone else other than the hackers as the culprit doing the hacking.

 

In August 2016, it appeared that a number of various different States were potentially in on the act as well, when a Pro-Pakistan hacking community was accused of carrying out some serious attacks on several Indian Government websites, and also defeated the web security systems of some banks and educational institutions.

 

Accusations and counter accusations continue, hacker groups in State X against infrastructure in State Y, leads to counter attacks by hacker groups in State Y defacing, exploiting and stealing from institutions in State X.  Are they acting out ambitions of the State? Who knows? In an era of ‘fake news’, nothing seems far-fetched.

 

So the scene is set for 2017 - more industrialised and targeted attacks against the banking infrastrucure which could become a much more common attack in 2017 for hacker groups, cyber criminals and nation states to fund their activities. Very Spy versus Spy.

 

One thing’s for sure, if there’s a movie in this, I’ll buy the popcorn.

 

If you enjoyed reading this blog and would like to read related security blogs please visit here

Top Kudoed Authors