Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:10 PM
Connect Directly

Carbanak Attack: Two Hours to Total Compromise

Investigation of the cybercrime group's attack on an East European bank shows how some attackers require very little time to broaden their access and establish persistence on a network.

A security vendor's investigation of a May 2018 cyberattack on an East European bank has revealed the astonishing speed and sophistication with which some advanced threat actors can expand their presence on a network after gaining initial access to it.

The attack began when two employees of the bank were tricked into opening a malicious document in a spear-phishing email from the Carbanak group—a cybercrime outfit believed to have stolen hundreds of millions of dollars from banks in over 40 countries.

The tainted document contained three exploits for remote code execution in Microsoft Word, which minutes later allowed the attackers to install a backdoor for deploying new payloads and for establishing persistence on the freshly compromised infrastructure.  

One of the payloads was Cobalt Strike Beacon, a Carbanak malware tool that among other things allowed the attackers to map the organization’s internal network so they could find admin-level credentials for moving across the infrastructure.

Not long after, they managed to obtain credentials for one Domain Administrator, which they then proceeded to use to access a domain controller server and at least two other endpoint devices on the compromised bank network.

"In under two hours the attackers managed to directly compromise a critical infrastructure component and get admin-level credentials, without tripping any alarms," says Liviu Arsene, global cybersecurity analyst at Bitdefender, the security vendor that was called in to investigate the breach.

Over the next two months, the attackers were able to use the credentials to quietly move about the network and to try and gain access to systems that would allow them to manipulate and withdraw funds from the bank's ATMs. The breach was discovered after a series of security alerts were eventually triggered by the credentials being used to access systems not normally associated with them.

"The main takeaway is that organizations, even highly regulated ones that operate in the financial industry, need to focus on reducing the time to detect a potential security breach," Arsene says. "It's vital that they detect and block these attacks during the reconnaissance phase, before attackers execute their final heist."

Bitdefender's investigation of the attack on the East European bank revealed extensive planning and patience on the Carbanak group's part.

In the first four weeks following the initial intrusion, the group systematically compromised numerous workstations in search of specific information that could help them breach the ATM network. One of the servers that the group compromised was later used to store documents pertaining to internal applications, system manuals, and other documents.

By Day 33, the group had gathered enough information to be able to connect to a host with access to banking applications. Over the next three weeks or so, members of the Carbanak group managed to break into at least seven other hosts with similar access to banking applications on the compromised network.

According to Bitdefender, the Carbanak group's movements on the breached network suggested a comprehensive understanding of the nature and location of the data they were looking for. At the same time the group also appeared focused on improving its understanding of the bank's internal systems in an effort to make its attack more efficient and stealthy, Bitdefender said in a report that summarizes the findings from its breach investigation.

The attackers showed experience in interacting with financial systems and appeared interested in constantly documenting and learning more about the inner workings of banking applications, potentially to maximize their efforts in future heists, Arsene says.

Keeping a Low Profile

Significantly, the attackers took considerable effort to maintain a low network footprint and to conceal their movement. For example, they used a single compromised workstation on the network to centralize and store all their collected information and for communicating with their command and control server, Bitdefender said. The group also made sure to carry out the bulk of their activities after normal business hours.

The reason their after-hours activity wasn't flagged as suspicious was that the authentication credentials had the necessary security clearance to perform this activity, Aresene says. The admin-level credentials were regularly used for remote access outside business hours, so there was little reason the activity would be flagged as suspicious.

"What these attackers did was keep a low footprint by remotely dialing in and out of select targets, sometimes days apart," Arsene notes. Command-and-control communication typically lasted between 20 minutes and one hour at most. Moving laterally across the infrastructure was a matter of using Remote Desktop Protocol with the stolen admin credentials.

"This way, any suspicious activity would have been regarded as normal activity since those credentials would normally belong to someone that had the security clearance to do that," Arsene says.

Related Content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
6/5/2019 | 9:20:06 AM
Two immed take-aways
There are many lessons here. The infection began with two users opening an infected email - user education would go miles towards improving these events which are all too common.  Second, base infection took 2 hours which is more or less human time once detected.  Initial infection took FAR shorter though so humans do not respond fast enough.  Here is where automated tools come in to effective use.  Third less obvious is that attackers did good recon work and kept a low low profile.  If you break into a home, do not do it at dinnertime.   Daytime with a moving van and uniforms (with nobody home) often works for spying neighbors.   Thieves always perform recon first to see defenses and patterns, such as lights on and off during vacations.  (They attacked ONLY during business hours).  All attack data flowed through one, 1, machine making that more suspect as a bad endpoint by itself instead of a gigantic door.  So there are a ton of good lessons in this tale but user education is tops.   "If you don't need it,don't read it, delete it." 
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
A stack-based buffer overflow vulnerability has been reported to affect QNAP NAS devices running Surveillance Station. If exploited, this vulnerability allows attackers to execute arbitrary code. QNAP have already fixed this vulnerability in the following versions: Surveillance Station (an...
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.50.3, there is an optimization for joining strings that can cause uninitialized bytes to be exposed (or the program to crash) if the borrowed string changes after its length is checked.
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.53.0, a double free can occur in the Vec::from_iter function if freeing the element panics.
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.19.0, there is a synchronization problem in the MutexGuard object. MutexGuards can be used across threads with any types, allowing for memory safety issues through race conditions.
PUBLISHED: 2021-04-14
In the standard library in Rust before 1.29.0, there is weak synchronization in the Arc::get_mut method. This synchronization issue can be lead to memory safety issues through race conditions.