Hackers Pull Off Massive Cyber Bank Heist, Stealing As Much As $1B
AUDIE CORNISH, HOST:
A gang of cyber criminals has pulled off a highly sophisticated bank heist, targeting more than a hundred banks in 30 countries and stealing as much as $1 billion. That's according to a report from Kaspersky Lab. The Moscow-based computer security firm discovered this attack after they were hired to investigate problems with an ATM in Ukraine. And before we go on, we should note that Kaspersky Lab is a corporate sponsor of NPR News programming.
Mike Riley covers cyber security for Bloomberg News and Businessweek. And he joins us now to talk about what is essentially a multinational, billion dollar bank robbery. Mike, welcome back to the program.
MIKE RILEY: Thanks very much.
CORNISH: First, tell us a little bit more about this cyber attack. How exactly did it work?
RILEY: So what we know from Kaspersky's report and some reporting from other security companies is that the hackers were able to get malware - malicious software - onto the bank systems. And from there they were able to penetrate critical systems like the ATM systems or the systems in which bank employees can transfer money. At that point, though, they didn't just go in and do a quick grab. They watched employees and how they worked over a period of months and watched - by watching I mean that they were basically inside their computers. So they were recording keystrokes. They took video, which is essentially sort of a moving version of a screenshot. They could see what the bank employees were doing in terms of certain applications, how they were accessing certain kinds of data. And by watching them, they could then mimic them later and do things as surprising as get ATMs to spit out money.
CORNISH: What's known about the cyber attackers?
RILEY: Based on Kaspersky's report and the limited amount that we know so far, they're a mix of nationalities - Russian, Chinese and some others. They are pretty sophisticated cyber criminals, which means they're just going where the money is. Other security firms - one that's based in Amsterdam called Fox-IT in particular - wrote about these same guys in December. Their view was that they had sort of gone after retailers in the U.S. and Europe. And it was really in Russia and Eastern Europe where they hit actually inside the banks, spent a lot of time and collected a lot of intelligence. But either way, they proved to be quite sophisticated if they can do the kinds of things and the reconnaissance that they did in this case.
CORNISH: What do we make of the fact that we have not really heard much from the banks or financial services, trade organizations? I mean, it's suspiciously silent out there.
RILEY: It is. And we can make a couple of things of it. One is that banks rarely want to admit when they get hacked, especially when something like this happens where hackers take over ATMs and get them to spit out money or manipulate account balances, right? That's the thing that banks want to be able to say - this doesn't happen. So it's not a surprise that they didn't raise their hand and say that this was happening beforehand.
In this case, I think there's also an added element to this is which - we don't know the names of the banks because Kaspersky isn't saying which banks were hit. The Fox-IT, the other IT company in Amsterdam, said they do not believe that major banks in the U.S. have been hit. I've also talked to other security experts that work for a lot of these banks, and they say it's like they haven't hit any of the top banks in the U.S. So if we're talking mostly Russian banks - mainly banks in Eastern Europe that have really suffered the biggest losses - there aren't any legal requirements at all under any circumstances for them to admit. So we may never actually find out which banks were hit.
CORNISH: Is this heist the way of the future? I mean, what does it mean for banks and these companies going forward where they're not necessarily attacking the consumer but the companies themselves?
RILEY: One of the things we've been seeing for a while is that hackers are getting increasingly sophisticated. But the banks try very hard to keep ahead of that. The level of sophistication of this hack - the ability to sort of watch systems and manipulate critical systems like ATMs - is a new level of sophistication. I can guarantee that other banks, even banks that weren't hit, are studying these guys very carefully - their techniques, how they got in, how they got past systems, how they managed to stay secret for so long. And they're trying to make sure it doesn't happen to them.
CORNISH: Mike Riley - he covers cyber security for Bloomberg News and Businessweek. Thank you so much for coming in.
RILEY: You bet. Thank you. Transcript provided by NPR, Copyright NPR.