A security vendor's investigation of a May 2018 cyberattack on an East European bank has revealed the astonishing speed and sophistication with which some advanced threat actors can expand their presence on a network after gaining initial access to it.

The attack began when two employees of the bank were tricked into opening a malicious document in a spear-phishing email from the Carbanak group—a cybercrime outfit believed to have stolen hundreds of millions of dollars from banks in over 40 countries.

The tainted document contained three exploits for remote code execution in Microsoft Word, which minutes later allowed the attackers to install a backdoor for deploying new payloads and for establishing persistence on the freshly compromised infrastructure.  

One of the payloads was Cobalt Strike Beacon, a Carbanak malware tool that among other things allowed the attackers to map the organization’s internal network so they could find admin-level credentials for moving across the infrastructure.

Not long after, they managed to obtain credentials for one Domain Administrator, which they then proceeded to use to access a domain controller server and at least two other endpoint devices on the compromised bank network.

"In under two hours the attackers managed to directly compromise a critical infrastructure component and get admin-level credentials, without tripping any alarms," says Liviu Arsene, global cybersecurity analyst at Bitdefender, the security vendor that was called in to investigate the breach.

Over the next two months, the attackers were able to use the credentials to quietly move about the network and to try and gain access to systems that would allow them to manipulate and withdraw funds from the bank's ATMs. The breach was discovered after a series of security alerts were eventually triggered by the credentials being used to access systems not normally associated with them.

"The main takeaway is that organizations, even highly regulated ones that operate in the financial industry, need to focus on reducing the time to detect a potential security breach," Arsene says. "It's vital that they detect and block these attacks during the reconnaissance phase, before attackers execute their final heist."

Bitdefender's investigation of the attack on the East European bank revealed extensive planning and patience on the Carbanak group's part.

In the first four weeks following the initial intrusion, the group systematically compromised numerous workstations in search of specific information that could help them breach the ATM network. One of the servers that the group compromised was later used to store documents pertaining to internal applications, system manuals, and other documents.

By Day 33, the group had gathered enough information to be able to connect to a host with access to banking applications. Over the next three weeks or so, members of the Carbanak group managed to break into at least seven other hosts with similar access to banking applications on the compromised network.

According to Bitdefender, the Carbanak group's movements on the breached network suggested a comprehensive understanding of the nature and location of the data they were looking for. At the same time the group also appeared focused on improving its understanding of the bank's internal systems in an effort to make its attack more efficient and stealthy, Bitdefender said in a report that summarizes the findings from its breach investigation.

The attackers showed experience in interacting with financial systems and appeared interested in constantly documenting and learning more about the inner workings of banking applications, potentially to maximize their efforts in future heists, Arsene says.

Keeping a Low Profile

Significantly, the attackers took considerable effort to maintain a low network footprint and to conceal their movement. For example, they used a single compromised workstation on the network to centralize and store all their collected information and for communicating with their command and control server, Bitdefender said. The group also made sure to carry out the bulk of their activities after normal business hours.

The reason their after-hours activity wasn't flagged as suspicious was that the authentication credentials had the necessary security clearance to perform this activity, Aresene says. The admin-level credentials were regularly used for remote access outside business hours, so there was little reason the activity would be flagged as suspicious.

"What these attackers did was keep a low footprint by remotely dialing in and out of select targets, sometimes days apart," Arsene notes. Command-and-control communication typically lasted between 20 minutes and one hour at most. Moving laterally across the infrastructure was a matter of using Remote Desktop Protocol with the stolen admin credentials.

"This way, any suspicious activity would have been regarded as normal activity since those credentials would normally belong to someone that had the security clearance to do that," Arsene says.

Related Content: