Sqrrl Blog

Aug 3, 2015 11:30:00 AM

Cyber Incident Matrix: ATM Hacks

Complexity Score: 5
Severity Score: 4
How did we get these numbers?

Incident Summary

  • What was breached: Nearly 100 banking institutions in over 30 countries

  • Delivery: 2013 (possibly earlier) - February 2015

  • The Attackers: Allegedly Russian hackers

Overview:

Using malware-infected email attachments sent to bank employees, hackers were able to passively collect information on banking systems across nearly 100 banks, eventually using that information to gain access to critical systems undetected. The intruders mimicked staff behavior in order to learn more about system operations, then opened accounts and transferred money.



Complexity Score:

  Plan Time                  1
  Indirect Attack            0
  Cyber/Human Coordinated    1
  Zero-Days Used             0
  Time Undetected            2
  Advanced TTPs              1
  Total                      5

Hackers breached these bank systems with malware delivered via complex spearphishing back in 2013 and lay dormant for years, collecting information about the way each individual bank's security systems operated. Using what they learned from inside the bank systems, the attackers were able to exploit not only online banking systems but also ATMs. With their access to system operations, hacking rings sent "money mules" to stand by an ATM while it was remotely triggered to spew money, which the money mule collected and moved to an offsite location. The worst part? The hackers would have been unable to use the malware-laced emails effectively if these banks had installed a simple Microsoft Security Update.

Severity Score:

  Incident Costs     4
  Physical Damage    0
  Lives Lost         0
  Nat. Sec. Impact   0
  Total              4

The value of money stolen and account information linked to it totaled nearly $1 billion USD across 100 banks. Each individual bank suffered losses ranging from $2.5 million to upwards of $10 million USD. Using observations from their initial reconnaissance, the hackers never withdrew more than $10 million from any one bank, to avoid triggering a manual audit of the system. In addition to the money stolen directly, personal information of account holders was exfiltrated, which will likely double the cost of the attack.
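The detail worth dwelling on for defenders is that the attackers had learned the $10 million manual-audit trigger and kept every bank's take under it. A single hard threshold is exactly what an intruder who has watched the system will tune around. The script below is an added illustration, not code from the Sqrrl post or from any bank: it adds a "soft" alert that fires when a bank's outbound transfers within a review window climb past a fraction of the hard trigger without crossing it. The 80% fraction, the 30-day window, and the sample ledger are constructed assumptions for the example; only the $10 million figure comes from the post.

```python
"""Added example (not from the Sqrrl post): a soft-threshold alert for
transfer totals that stay just under a manual-audit trigger."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

AUDIT_THRESHOLD_USD = 10_000_000   # hard trigger; the $10M per-bank figure from the post
SOFT_FRACTION = 0.8                # alert at 80% of the hard trigger (assumption)
WINDOW = timedelta(days=30)        # review window (assumption)


@dataclass(frozen=True)
class Transfer:
    bank: str
    when: datetime
    amount_usd: float


# Constructed ledger: bank-A is drained in mid-sized transfers that total
# $9.5M over three weeks (never crossing $10M); bank-B shows ordinary activity.
SAMPLE_LEDGER = [
    Transfer("bank-A", datetime(2015, 1, 5), 1_900_000),
    Transfer("bank-A", datetime(2015, 1, 9), 1_900_000),
    Transfer("bank-A", datetime(2015, 1, 14), 1_900_000),
    Transfer("bank-A", datetime(2015, 1, 20), 1_900_000),
    Transfer("bank-A", datetime(2015, 1, 27), 1_900_000),
    Transfer("bank-B", datetime(2015, 1, 6), 250_000),
    Transfer("bank-B", datetime(2015, 1, 25), 400_000),
]


def rolling_totals(ledger, window=WINDOW):
    """Return {bank: largest outbound total seen in any span of length `window`}."""
    by_bank = defaultdict(list)
    for t in ledger:
        by_bank[t.bank].append(t)

    peaks = {}
    for bank, transfers in by_bank.items():
        transfers.sort(key=lambda t: t.when)
        start = 0
        running = 0.0
        peak = 0.0
        for t in transfers:
            running += t.amount_usd
            # Drop transfers that fall outside the window ending at `t`.
            while t.when - transfers[start].when > window:
                running -= transfers[start].amount_usd
                start += 1
            peak = max(peak, running)
        peaks[bank] = peak
    return peaks


def soft_threshold_alerts(ledger, threshold=AUDIT_THRESHOLD_USD,
                          fraction=SOFT_FRACTION, window=WINDOW):
    """Banks whose windowed outbound total reaches `fraction` of the hard
    trigger without crossing it: the band a threshold-aware intruder aims for.
    Totals at or above `threshold` are left to the existing manual audit."""
    alerts = []
    for bank, peak in rolling_totals(ledger, window).items():
        if fraction * threshold <= peak < threshold:
            alerts.append((bank, peak))
    return sorted(alerts)


if __name__ == "__main__":
    for bank, peak in soft_threshold_alerts(SAMPLE_LEDGER):
        print(f"{bank}: ${peak:,.0f} moved within {WINDOW.days} days, "
              f"just under the ${AUDIT_THRESHOLD_USD:,} audit trigger")
```

Running it flags bank-A ($9.5M within the window) and leaves bank-B alone. The point of the design is that the soft alert is computed over a sliding window rather than per transaction, so splitting the take into many small transfers, as the attackers did here, does not help them stay below it.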


Topics: Cybersecurity, Cyber Incident Matrix