Carbanak 2.0: the billion-dollar bank heist is back

Kaspersky reveals new threat to banks after last year's devastating Carbanak hack

Cybercriminals are targeting banks and businesses with a new version of a damaging attack that helped them steal $1 billion last year, according to Kaspersky.

Carbanak was first noticed last year. The targeted series of attacks saw hackers net as much as a billion dollars from banks around the world by infiltrating internal networks, and in some cases, directing ATMs to spit out cash.


Now its successor, Carbanak 2.0, is targeting the budgeting and accounting departments of companies beyond banks, and in one instance even changed a firm's ownership details, according to Kaspersky.

Speaking at the security vendor's Security Analyst Summit in Tenerife today, researcher Sergey Golovanov said "the aim is to do the same" as last year, with the criminals targeting millions of dollars in each attack.

So far, the attack has not been seen outside of Russia, but Golovanov noted that the last version of Carbanak was limited to Ukraine before hopping country to country and spreading around the world.

The company also revealed details on both the Metel cybercrime group and GCMAN, which use similar targeted tactics to rob financial institutions.

Heavy Metel

The Metel group targets specific individuals working at banks with spear-phishing emails using malicious attachments made with the Niteris exploit pack. Once on a computer inside the network, they use legitimate penetration testing tools to jump to other computers, aiming for a payment card processing machine inside the bank.


Once they understand the bank's infrastructure, they tunnel through to the card-processing machine, which is connected to the internet, and from there can see card numbers, passwords and balances, as well as block or cancel transactions.

Criminals can use payment cards to withdraw cash from ATMs, while their colleagues ensure the victim's balance never decreases simply by clicking "cancel" when the transaction comes up on the processing computer.

Golovanov said that meant criminals had to sit there and click "lots of times", while their colleagues drove around Russian cities at night emptying cash machines.

Kaspersky researchers said an investigation by themselves and law enforcement into the group is still underway. So far no attacks have been seen outside Russia, but Kaspersky warned banks to check for infections proactively, as the group's activities could expand.


The second group, GCMAN, sometimes needs no malware at all, relying instead on legitimate penetration testing and administration tools such as Putty and VNC. Once inside a bank's network, they move between internal computers by hijacking local domain controllers with those same tools until they find the machine responsible for payment card processing.


Rather than send fellow criminals to cash machines to withdraw, GCMAN makes use of online payments, sending $200, the most allowed in Russia for an anonymous payment, every minute.

While Golovanov said that may not sound like a lot of cash, and while he could not disclose the sorts of financial damage already wreaked, he warned that it would add up quickly.
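Both cash-out patterns described above (Metel's withdraw-then-cancel loop on the processing host and GCMAN's one-transfer-per-minute drip at the anonymous-payment cap) leave a regular signature in a bank's own transaction logs. The following is an added example, not code from Kaspersky or from the article, showing how a detection team might flag each pattern over a constructed, pipe-delimited transaction log; the log format, account identifiers, amounts, event names and thresholds are all assumptions made for the example.

```python
"""Toy detections for the Metel and GCMAN cash-out patterns.

Added example with constructed data; not the article's, Kaspersky's or any
bank's code. Log format (an assumption): timestamp|account|event|amount
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real bank data.
SAMPLE_LOG = """\
2016-02-08T01:00:05|card-1001|ATM_WITHDRAWAL|5000
2016-02-08T01:00:40|card-1001|REVERSAL|5000
2016-02-08T01:03:10|card-1001|ATM_WITHDRAWAL|5000
2016-02-08T01:03:50|card-1001|REVERSAL|5000
2016-02-08T01:06:00|card-1001|ATM_WITHDRAWAL|5000
2016-02-08T01:06:30|card-1001|REVERSAL|5000
2016-02-08T09:15:00|card-2002|ATM_WITHDRAWAL|2000
2016-02-08T10:00:00|card-2002|ATM_WITHDRAWAL|3000
2016-02-08T10:00:20|card-2002|REVERSAL|3000
2016-02-08T02:00:00|acct-7|ONLINE_TRANSFER|200
2016-02-08T02:01:00|acct-7|ONLINE_TRANSFER|200
2016-02-08T02:02:01|acct-7|ONLINE_TRANSFER|200
2016-02-08T02:03:00|acct-7|ONLINE_TRANSFER|200
2016-02-08T02:03:59|acct-7|ONLINE_TRANSFER|200
2016-02-08T02:05:00|acct-7|ONLINE_TRANSFER|200
2016-02-08T11:30:00|acct-8|ONLINE_TRANSFER|200
2016-02-08T12:45:00|acct-8|ONLINE_TRANSFER|350
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, account, event, amount) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, amount = line.split("|")
        events.append((datetime.fromisoformat(ts), account, event, int(amount)))
    events.sort(key=lambda e: e[0])
    return events


def find_reversal_abuse(events, max_gap=timedelta(minutes=5), min_count=3):
    """Metel pattern: ATM withdrawals that are cancelled on the processing host
    shortly after the cash is dispensed. A single quick reversal is normal (a
    failed dispense); a run of them on one card is not.
    Returns {account: reversed_withdrawal_count} for accounts at or above min_count."""
    pending = defaultdict(list)  # account -> [(ts, amount)] withdrawals not yet reversed
    reversed_count = defaultdict(int)
    for ts, account, event, amount in events:
        if event == "ATM_WITHDRAWAL":
            pending[account].append((ts, amount))
        elif event == "REVERSAL":
            # Match the reversal to an earlier withdrawal of the same amount within max_gap.
            for i, (wts, wamt) in enumerate(pending[account]):
                if wamt == amount and ts - wts <= max_gap:
                    del pending[account][i]
                    reversed_count[account] += 1
                    break
    return {a: n for a, n in reversed_count.items() if n >= min_count}


def find_metered_transfers(events, cap_amount=200, interval=timedelta(minutes=1),
                           jitter=timedelta(seconds=15), min_run=5):
    """GCMAN pattern: transfers of exactly the anonymous-payment cap, one per
    interval, sustained for long enough that a script rather than a person is
    the likely sender. Returns {account: longest_run_length} for accounts whose
    longest evenly spaced run is at least min_run transfers."""
    per_account = defaultdict(list)
    for ts, account, event, amount in events:
        if event == "ONLINE_TRANSFER" and amount == cap_amount:
            per_account[account].append(ts)
    flagged = {}
    for account, stamps in per_account.items():
        longest = run = 1
        for prev, cur in zip(stamps, stamps[1:]):
            # Count consecutive transfers whose spacing is the expected interval, give or take jitter.
            if abs((cur - prev) - interval) <= jitter:
                run += 1
            else:
                run = 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[account] = longest
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("reversal abuse:", find_reversal_abuse(evts))
    print("metered transfers:", find_metered_transfers(evts))
```

Both detections key on the attacker's operational constraint rather than on any malware artefact: Metel's cash-out only works if the processing host cancels each withdrawal quickly, and GCMAN's only scales if the $200 transfers are fired on a timer, so the thresholds above are the parameters a team would tune against its own baseline of legitimate reversals and transfers.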

All of the targeted banks and businesses had firewalls, strong encryption and other security features, but once the attackers were inside the internal infrastructure, "they were open", Golovanov said.
