Location: United States, Russia, Taiwan, Australia
Date Breach First Reported: 6/1/2013
Type: Nonstate actor
Carbanak, a banking Trojan first observed in 2013, has since been used by several criminal gangs to steal from dozens of financial institutions. The gangs' tradecraft has changed repeatedly in order to avoid detection.
The malware typically enters a financial company through spear-phishing: employees are lured into opening malicious documents, which give the attackers an initial foothold. From there they move laterally across the network until they can remotely control ATMs and force them to dispense cash, known as “jackpotting,” or compromise point-of-sale systems to harvest card data. Each theft was planned carefully, with intrusions taking between two and four months to complete, and money mules were ultimately used to withdraw the funds from ATMs and transfer them to the criminals' accounts.
Fin7, the most prolific group using Carbanak, has stolen more than €1 billion from banks in more than thirty countries over the past three years, according to Europol. As well as using Carbanak, the gang is understood to use widely available tools such as the Cobalt Strike framework. The group recruited developers to work for an Israeli-Russian front company named Combi Security, and it is not clear whether the employees knew the nature of the work.
Spanish authorities arrested a man thought to be the gang's ringleader in March 2018, and in August 2018 the U.S. Department of Justice announced the arrest of three Ukrainian suspects. The United States claims the group stole the details of 15 million payment cards by attacking more than 120 U.S. companies, including the Chipotle and Arby's restaurant chains.
Another Trojan, named Odinaff, which bears a resemblance to Carbanak, was spotted attacking banking, trading, and payroll companies in 2016. It is unclear whether it is the work of Fin7 or of another gang. Fin7 appears to have gone quiet, but it is unclear whether its activity stopped following the arrests or its techniques have simply changed again.