Recently, Europol issued the following press release.
“The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante, Spain, after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Moldovan, Belarussian and Taiwanese authorities and private cyber security companies.
Since 2013, the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over EUR 1 billion for the financial industry. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist.”
The announcement goes on to describe how the criminals operated.
“In all these attacks, a similar modus operandi was used. The criminals would send out to bank employees spear phishing emails with a malicious attachment impersonating legitimate companies. Once downloaded, the malicious software allowed the criminals to remotely control the victims’ infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs. This provided them with the knowledge they needed to cash out the money.”
The attack vector is of interest here.
With the help of malware embedded in an apparently legitimate email communication, attackers can take advantage of the user’s privilege level and execute malicious code. Once a foothold is gained in the organization, the attackers can identify and exploit further weaknesses.
As such attacks become ever more sophisticated, organizations such as banks or other critical infrastructure suppliers will need to discontinue sharing office automation and “general internet” services with business- or mission-critical systems. This has long been the practice in more security-sensitive environments.
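The separation argued for above can be checked rather than just declared. The following added example (not part of the original post) audits constructed flow records against a segmentation policy in which office workstations, where spear-phishing lands, may reach the core banking and ATM-control segments only through a jump host; segment names, address ranges, the log format and the sample flows are all assumptions made for this example.

```python
"""Flag network flows that cross the office / critical-system boundary."""
import ipaddress
from collections import namedtuple

# Assumed segment layout (constructed for this example).
SEGMENTS = {
    "office":       ipaddress.ip_network("10.10.0.0/16"),
    "jump":         ipaddress.ip_network("10.20.0.0/24"),
    "banking-core": ipaddress.ip_network("10.30.0.0/16"),
    "atm-control":  ipaddress.ip_network("10.40.0.0/24"),
}

# Permitted (source segment, destination segment) pairs; anything else is a violation.
ALLOWED = {
    ("office", "office"),
    ("office", "internet"),        # office keeps its general internet access
    ("office", "jump"),            # the only path from office toward critical systems
    ("jump", "banking-core"),
    ("jump", "atm-control"),
    ("banking-core", "atm-control"),
}

Flow = namedtuple("Flow", "src dst dport")


def segment_of(ip):
    """Map an address to its segment name; unknown ranges count as 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line):
    """Parse the constructed record format '<src> -> <dst>:<dport>'."""
    src, rest = line.split(" -> ")
    dst, dport = rest.rsplit(":", 1)
    return Flow(src.strip(), dst.strip(), int(dport))


def find_violations(lines):
    """Return [(flow, (src_segment, dst_segment))] for flows the policy forbids."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        pair = (segment_of(flow.src), segment_of(flow.dst))
        if pair not in ALLOWED:
            violations.append((flow, pair))
    return violations


SAMPLE_FLOWS = [  # constructed sample records
    "10.10.5.23 -> 10.20.0.5:22",      # workstation to jump host: allowed
    "10.10.5.23 -> 10.40.0.9:445",     # workstation straight to ATM control: violation
    "10.20.0.5 -> 10.30.1.4:1433",     # jump host to banking core: allowed
    "10.10.7.1 -> 203.0.113.8:443",    # workstation to internet: allowed
    "203.0.113.8 -> 10.30.1.4:443",    # inbound internet to banking core: violation
]
```

Run over real flow or firewall logs, the same check shows whether the shared-platform design the post describes has actually been undone, rather than only written into a policy document.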
The cost of duplicating infrastructure and policing the separation of systems used to be seen as prohibitive, and justified only for a few specific operations.
However, taking this latest announcement into account, alongside attacks on energy providers and the impact of the “WannaCry” ransomware, it is likely that the trend towards widely interconnected systems sharing common platforms and networks will begin to reverse. It may be that business-, mission-, or life-critical systems are better isolated and more effectively defended.