Usually, cybercriminals attack a system by injecting malicious code onto devices already connected to the targeted network, and that is the kind of attack security investigators expect to see. However, a recent series of hacks, targeting at least eight banks in Eastern Europe, proved to be of a different kind.
The cyberattacks saw attackers physically connect their own devices to the targeted banks’ networks, researchers at Kaspersky Lab discovered. This spate of attacks has been dubbed DarkVishnya by the investigators.
Kaspersky researchers found three types of devices used by the attackers. It is not yet known whether all of them were planted by a single group, or if there were multiple actors. The types of devices used included cheap laptops or netbooks, a Raspberry Pi and a Bash Bunny.
Except for the laptops, the devices used had a very small footprint and only needed a USB connection. This made it easier for the attackers to conceal the malicious devices inside office premises. The large number of unused Ethernet sockets in office buildings adds to the security risk.
“Even in companies where security issues are taken seriously, planting such a device is not impossible. Couriers, job seekers, and representatives of clients and partners are commonly allowed into offices, so malefactors can try to impersonate any of them,” Kaspersky security researchers wrote in a blog.
The investigators found a similar attack pattern across all the hacks. The attackers began by smuggling malicious devices into bank offices while posing as an inconspicuous courier or job seeker. Once inside the premises, they found empty ports to connect their devices to the local network, making sure the device was hidden or blended seamlessly into its surroundings. After this, the rest of the attack was performed remotely.
The next stage of the attack involved the hackers remotely connecting to the malicious devices planted on the bank’s network and collecting whatever useful information was available from the devices on the targeted network. This would later help the hackers attack specific servers handling payment processes, aiding their efforts to siphon off money from the bank. The last stage was to install malicious services on the compromised network that would allow them to retain access for a longer period of time.
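The first thing a defender can do against this pattern is notice the moment an unknown device obtains an address on an office segment. The following check is an added example, not code from the Kaspersky report or from this article: it parses DHCP lease records in the dnsmasq lease-file layout (expiry, MAC, IP, hostname, client-id), compares each MAC against an approved asset inventory, and flags anything unknown, enriching the finding with the vendor prefix where it is recognised and marking locally administered (randomised or manually set) addresses. The inventory and lease lines are constructed sample data; the only real identifier is the B8:27:EB prefix, which is registered to the Raspberry Pi Foundation.

```python
import re
from dataclasses import dataclass

# Approved asset inventory, MAC -> expected hostname (constructed sample data).
APPROVED_DEVICES = {
    "00:1a:2b:3c:4d:01": "wkst-teller-01",
    "00:1a:2b:3c:4d:02": "wkst-teller-02",
    "00:1a:2b:3c:4d:03": "printer-floor2",
}

# Tiny subset of the IEEE OUI registry used for enrichment.
# B8:27:EB is the real Raspberry Pi Foundation prefix; nothing else is listed here.
KNOWN_OUIS = {
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Constructed dnsmasq-style lease lines: two approved workstations, a Raspberry Pi
# that is not in the inventory, an approved printer, and a device with a
# locally administered MAC and no hostname ("*" means none in dnsmasq).
SAMPLE_LEASES = """\
1700000000 00:1a:2b:3c:4d:01 10.20.30.11 wkst-teller-01 01:00:1a:2b:3c:4d:01
1700000000 00:1a:2b:3c:4d:02 10.20.30.12 wkst-teller-02 01:00:1a:2b:3c:4d:02
1700000000 b8:27:eb:aa:bb:cc 10.20.30.77 raspberrypi 01:b8:27:eb:aa:bb:cc
1700000000 00:1a:2b:3c:4d:03 10.20.30.20 printer-floor2 01:00:1a:2b:3c:4d:03
1700000000 0a:11:22:33:44:55 10.20.30.78 * 01:0a:11:22:33:44:55
"""

LEASE_RE = re.compile(
    r"^(?P<expiry>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s+(?P<cid>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was not assigned by
    a vendor, i.e. it is randomised or manually configured."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_leases(text: str) -> list:
    """Return one dict per well-formed lease line; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        match = LEASE_RE.match(line.strip())
        if match:
            leases.append(match.groupdict())
    return leases


def audit_leases(text: str, approved=APPROVED_DEVICES, ouis=KNOWN_OUIS) -> list:
    """Flag every lease whose MAC is absent from the inventory, and every
    inventoried MAC whose hostname no longer matches what was recorded."""
    findings = []
    for lease in parse_leases(text):
        mac = lease["mac"].lower()
        if mac not in approved:
            vendor = ouis.get(mac[:8], "unknown vendor")
            detail = f"not in asset inventory ({vendor})"
            if is_locally_administered(mac):
                detail += ", locally administered MAC"
            findings.append(Finding(mac, lease["ip"], lease["host"], detail))
        elif approved[mac] != lease["host"]:
            findings.append(Finding(mac, lease["ip"], lease["host"],
                                    f"hostname differs from inventory ({approved[mac]})"))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES):
        print(f"{finding.ip:<14} {finding.mac}  {finding.hostname:<16} {finding.reason}")
```

Run against the sample data, the two approved workstations and the printer produce nothing, while the Raspberry Pi and the locally administered device each yield a finding. In practice the same logic is pointed at the real DHCP server's lease file or at switch MAC-table exports, and an unknown MAC on a port that the cabling records say should be unused is the signal worth paging on.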
The technical details of the attack are available here.
The investigators provided several useful suggestions for improving the security of office buildings.
These Hollywood-style hacks should serve as a wakeup call to financial organizations about how cybercriminals are actively evolving their attacks to inflict maximum damage upon corporations. Banks and other private sector firms must become more aware of the threats lurking in the wild and arm themselves against advanced attacks.