Proofpoint has detected activity that indicates a set of targeted attack campaigns in progress, with evidence linking these campaigns to the Carbanak cybercrime group responsible for stealing $1 billion from banks in 2015. Because their last heist was estimated to take 3-4 months from the time of initial infection, we may be seeing the early stages of another attempted heist as it unfolds.
The Carbanak cybercrime group has been active since 2013, conducting APT-style campaigns targeting multiple organizations with a variety of malware. This group was mostly low-profile until they stole as much as one billion dollars from banks in 2015. Now, however, the group is back: Proofpoint researchers detected two targeted campaigns and infrastructure that may support others linked to the Carbanak group, this time aimed at banking targets in the United States, Middle East and elsewhere.
Estimates suggest that the 2015 attack required three to four months from initial infection to theft, which raises the question of whether this is the beginning of the next billion-dollar attack. Based on our research, it appears that we are observing the early stages of an attack employing new exploits, malicious document attachments, and RATs to target new groups outside their usual Russian domains.
Interestingly, in these most recent attacks the Carbanak group used malicious document attachments, URLs linking to documents with known Microsoft Office exploits, and sophisticated malware to go after targets in the U.S. and Middle East. The group also expanded its targeting from financial institutions to seemingly unrelated targets in fire, safety, and HVAC. As we learned from the Target breach, though, vendors and suppliers can give attackers a valuable point of entry into heavily guarded banking industry targets.
To read a complete analysis of these early campaigns, download the full report "Carbanak Group Targets Executives of Financial Organizations in the Middle East".