Episode Show Notes



JACK: Hey, what’s up?

DADE: Not much, just reading.

JACK: Cool. What are you reading?

DADE: I’m reading Exploding the Phone. It’s about phone phreaking, kind of the history of it.

JACK: Sounds interesting.

DADE: Yeah.

JACK: This is Dade. That’s not his real name; that’s just his online name. I met him at a BSides conference once and was just really impressed with his knowledge of security and hacking. So I’d chat him up sometimes and ask him questions on things that I’m researching. Hey, I’m calling ‘cause I want – I’m trying to think. Are there any old movies that have like a hacker getting into an ATM and dispensing cash?

DADE: Yeah, so there’s a couple. It’s kind of a trope in hacking movies, most prominently I think in Hackers. They’re all sitting around the table at Cyberdelia and Joey’s really trying to get all of his friends’ attention. He’s talking about how he hacked this bank.

JOEY: Right? Okay wait, okay, so it’s a bank. So this morning, look at the paper. Some cash machine in Bumsville, Idaho spits out $700 into the middle of the street.

CEREAL: That’s kind of cool.

JOEY: That was me. That was me. I did that.

DADE: Then Joey takes credit for it and he’s really bragging.

JACK: Wait, wait, hold on. How do you know this much about that one scene in Hackers?

DADE: I watched it a lot. I picked my hacker handle because of that movie. It’s what inspired me to get into computers in the first place.

JACK: Do you know every scene of Hackers?

DADE: I know almost every scene of Hackers. I can find myself quoting it unintentionally quite frequently.

JACK: That’s impressive. That’s really crazy. Alright, so what year was Hackers?

DADE: That was 1995. There was actually a couple of ATM hacks before that as well. In 1985 a movie called Prime Risk was basically all about finding out ways to rip off ATM machines.

TONI: Got over twenty frequency codes today.

LEE: What is that?

TONI: It’s a spectrum analyzer. It reads the electromagnetic environment and creates magnitude readings for the proper frequencies.

LEE: Oh. What are you doing with it in your car?

TONI: Well, it’s just an experiment for now but if we’re lucky we should be able to pick up oh, $200 from each account.

LEE: You know you can get into a lot of trouble fooling around with the banks.

TONI: Would you relax?

LEE: I’m relaxed. You’re talking about ripping people off.

TONI: Look, it’s a banking system. We aren’t stealing from people.

DADE: Then again in 1991 a young John Connor in Terminator 2 hooks up his little laptop into the card reader slot of an ATM.

JOHN: [BEEPS] Please insert your stolen card now.

DADE: He hits a couple buttons. Some Hollywood hacking appears on screen, you know, numbers flying down the screen, changing really fast.

JOHN: Go baby, go baby, go baby. Alright. Pin number…

DADE: Eventually he’s cracked the pin.

JOHN: Withdraw 3-0-0 bucks. Come on baby, come on, come on. Yes!

TIM: Hey, it worked.

JOHN: Easy money.

JACK: Huh. Alright. So if Hollywood is doing this in the 80s and 90s I think I’m gonna look into where we are with ATM hacking today and do an episode on that.

DADE: Yeah, that sounds great.

JACK: Alright, this information has been great. Thanks so much.

DADE: Yeah, no problem. Thanks for reaching out.

JACK: Alright, see you later.

DADE: Hack the planet.

JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: ATMs are an obvious target for criminals. It’s just a hunk of metal holding a bunch of cash. There can be anywhere from $3,000 all the way up to $250,000 in each ATM. Getting into one of these could be a big win for someone. At its core an ATM is just a computer, often a Windows computer with an input device like a touch screen or buttons. Then there’s the cassettes that hold the cash. The cassettes are the crown jewels of the ATM since they hold all the money. One tactic is to steal the cassettes. [MUSIC] Smash and grab is still a common ATM hacking technique. This is a simple as smashing a window of the store, running in, grabbing the whole ATM, drag it outside, throw it in your truck, and drive off. To defend against this shop owners and banks have securely fastened the ATM to the ground, often with huge bolts right into the concrete.

But criminals will still smash the window, throw a rope around the ATM, attach it to their truck and pull it out with the truck to knock it loose and then grab the whole ATM and drive off. But then there are ATMs built right into the walls of the bank where you can’t knock it over or pull it loose. What some criminals do here is they’ll run up to it, create a hole in the ATM [00:05:00] somehow like jamming a crowbar right into it or under it, and then they’ll load up that hole with explosives and blow up the ATM itself. Usually the cash box that holds the money is knocked loose from the explosion and a thief can run off with just that box of money. But all these techniques are messy and very destructive. There’s even one video of a guy driving a forklift right through a convenience store window, knocking over all the shelves, and making a ton of damage just to get the ATM loose and out of there.

It’s shocking and there’s just much more elegant ways of stealing money out of an ATM. A little over a decade ago, a story came out that said a master admin password was configured for many ATMs. Some thieves got ahold of this password and used it to access the ATM. However, the admin access didn’t let them dispense money so they couldn’t just steal the money. The hackers poked around at what they had access to. Inside the ATM are a number of cassettes with different denominations. Maybe there are three cassettes with $5 bills, $10 bills, and $20 bills. With admin access you could assign which cassette was which denomination. The hackers told the ATMs that all the cassettes have just $1 bills in them. When they went to withdraw $20, it gave them twenty $20 bills. Their balance only went down by twenty bucks but they actually got $400. These criminals did this a few times and got a whopping $1,540 from this attack. The admin password has since been fixed and that attack is no longer valid. Around 2009 a security researcher named Barnaby Jack was interested in seeing what kind of hacks he could do on ATMs. He bought a few and had them delivered to his house.

BARNABY: I remember when one of the ATM delivery guys came in. He wheeled the ATM into my place and he’s just like why on earth do you need an ATM in your house for?
[LAUGHTER] I was feeling a bit cheeky that day so I just looked at him and was like oh, I just don’t like the transaction fees, mate. [LAUGHTER]

JACK: This is Barnaby Jack speaking at Defcon 18, the largest hacker convention in the world. Once he got the ATMs into his house he took them apart and analyzed how they worked. [MUSIC] He started looking for vulnerabilities in the ATM he had. He found the ATM had two different keys; one key opens a door to the cassettes where the cash is but these were high-security keys and each ATM had a different key. But there was another key which opened up the cabinet. The cabinet holds the computer that controls the ATM. He found a serious problem with this key.

BARNABY: One key will open all the models from that same manufacturer, the cabinet.

JACK: Yeah, that’s right. One key opens the ATM up for all ATMs that that manufacturer makes. This only gave you access to the motherboard in the ATM, not the cash. But Barnaby Jack being a security researcher, he tried to figure out how he could attack the motherboard to dispense cash. Sure enough, he found a way. He was able to load a custom firmware onto a USB flash drive. Now that he has access to the motherboard he can plug that USB drive into the motherboard, reboot the ATM, and it would load his custom firmware. This firmware pretty much let him do anything.

BARNABY: I placed hooks at the card reader, the pin pad, and the parts of the handles the remote configuration commands. With those hooks we can add some fairly handy features, save the track data, capture the pin pads, and a few customer commands. The track data remotely saw remote jackpot and might as well.

JACK: With the USB drive plugged into the motherboard and new firmware installed, he closed up the lid and the ATM looked and operated just like normal except he had programmed a hidden menu to let him control it however he wanted. He could read and store any cards that were swiped on that machine and the pins that were entered. The most astonishing thing he could do was dispense all of the cash from all the cassettes which he called jackpotting. He demonstrated how he could do this live, right there on the stage at Defcon 18.

BARNABY: [BEEPING] Okay so it pops up my hidden menu there. It will let me dispense fifty notes from A, B, C, or D which are the four cassettes on the ATM. Let’s just try dump fifty bills from the first cassette. [MUSIC] [LAUGHING, APPLAUSE] JACK: This is unbelievable. I was there for that and I’m still blown away by how crazy this was to see this live on stage. It just blew my mind. But physical attacks on ATMs might seem a little too risky. I mean, you’ve gotta actually go there and lift the cover up to get into it. There may be cameras watching you, too. But ATMs are sometimes found in gas stations or bars and they’re often tucked away, sometimes hidden like by the bathrooms or cigarette machine. And we give people privacy when they’re using the ATMs so it’s entirely possible to do this in broad daylight and nobody would notice.

[MUSIC] But Barnaby wanted to take this a step further and see if he could figure out a way to gain remote access to an ATM over the network. He plugged in the ATMs to his home network and began trying to see what he could get into. Well, there was a remote login to the ATM but it had a username and password. But Barnaby found a [00:10:00] vulnerability in the software to let him bypass that authentication altogether, allowing him to get right into the ATM. From there he couldn’t do much other than check the system, see how much cash was there, and basic troubleshooting. No way to actually dispense cash, but Barnaby had already made a custom firmware that could give him extra access. He was able to connect all these exploits together which allowed him to…

BARNABY: Upload rootkit. That’s not a bad feature; bypasses authentication, initiates the software upload which lets me replace the firmware so, awesome.

JACK: Awesome it was. Barnaby could now remote-control an ATM with his own custom firmware that allowed him to do whatever he’d want such as dispensing cash out of an ATM on the other side of the world without even touching it. [MUSIC, LAUGHING] Again, unbelievable. The research that Barnaby Jack did with ATMs was just amazing. He didn’t stop there. He had a passion for finding vulnerabilities in embedded devices. There are electronic imbedded devices in so many products we interact with, devices like a washing machine, your thermostat, a refrigerator, dishwasher, your phone, video games, printers, and medical devices. After Barnaby demonstrated to the world how you can hack into ATMs live on stage at Defcon, he turned to researching the electronics within medical devices. He found that he could gain remote access to insulin pumps that were actually strapped onto people and worn about. On stage at the RSA convention in 2012 he demonstrated what he found.

BARNABY: From a hundred meters away I can scan for any insulin pumps in the vicinity. I will return those insulin pump IDs and then I can have them dispense their entire 300 units of insulin which for a Type 1 diabetic, will easily prove fatal. JACK: This guy really wasn’t messing around. I mean, first robbing banks, now killing people? The point he was trying to make is that medical device manufacturers really need to take security a lot more seriously than they already were.

BARNABY: I’m trying to go as public with this research as I can just to show how easily these pumps can actually be attacked and hopefully change the mind of the FDA and of Medtronic, and of the public that maybe a recall could be in order.

JACK: Barnaby then began looking to see if he could remote-control a pacemaker. This is a device used to keep your heart beating regularly. Sure enough, he figured out a way in. See, Barnaby was an amazingly good security researcher. He had a keen ability to find weaknesses and security holes in so many systems. When he found a way to remote-control a pacemaker implanted into a human, he took his findings on the road to a security conference in Melbourne, Australia. He demonstrated this hack live on stage to show how someone could send a lethal shock to a human through hacking a pacemaker. This news of this vulnerability, again, was a big deal.

Barnaby refined his demonstrations and was accepted to speak at Black Hat, the security conference in Las Vegas to demonstrate this medical device hacking live on stage. But he never did give that talk because he died a week before the conference. His girlfriend found him lying on the floor in their San Francisco apartment. [MUSIC] The coroner examined his body and ruled that the cause of death was an overdose of drugs. He was thirty-five years old. Barnaby had a lot of talent and potential and opened our eyes to a lot of things. Losing him was a tragedy and he will be missed immensely. Alright, so if you could start out by telling me your name and what do you do.

JORNT: My name is Jornt v.d. Wiel. I’m a security researcher within the Kaspersky Lab.

JACK: [BACKGROUND CONV.] Kaspersky Lab is based in Moscow, Russia and makes antivirus software amongst many other things. They need to keep their finger on the pulse of what the security threats are in the world so they can develop ways to detect and defend against these threats. Okay, so Jornt, what were you saying after Barnaby Jack demonstrated how to hack into ATMs?

JORNT: Yeah, so he introduced it and he showed that it was possible. What we saw after that was people started copying him, [MUSIC] especially in Russia and the surrounding countries.

JACK: Surely Barnaby Jack wasn’t the first person to have figured out how to hack an ATM. But he was the first to demonstrate it live on stage. After he did demonstrate it, banks and ATM vendors did improve the security of their machines but ATM hacking started gaining in popularity after the talk. There was an ATM hack in particular that Jornt will always remember.

JORNT: Yeah, it’s one of our colleagues. He got a call or an e-mail from somebody that he knew.

JACK: It was an e-mail. It was from an IT guy working at a bank in Ukraine.

JORNT: He told us that he had a problem and he didn’t really want to disclose what it was. He said that you guys just have to come.

JACK: Jornt and his team were like well, going to Kiev is far and it’s not easy to get to. Just tell us what the problem is. We’ve probably seen it before and we’ll just tell you how to fix it. But the bank was insistent on telling [00:15:00] them they must fly to Ukraine to see the problem themselves. Jornt and his team hopped on a plane and flew to Kiev to visit this bank. [MUSIC] They took him into a room which had all the surveillance footage for the bank.

JORNT: We went there and then they showed us video footage.

JACK: Okay, so the scene in the video is this; there’s a bank with ATMs. Okay, but it’s three a.m. so the bank is closed. The ATMs are in this little foyer lobby something of the bank.

JORNT: Like a portal, kind of.

JACK: Yeah, but the doors are locked so you have to swipe your debit card on the door in order to get into that portal to use the ATMs. But you can’t get into the rest of the bank. Jornt watches this video footage.

JORNT: In the video you see a guy walking towards the bank.

JACK: This guy is wearing a big black hoodie, he’s got a long scarf but he wraps it around his face so you can’t see what he looks like, and he’s holding a big black duffel bag. He opens up his jacket, takes out his debit card, and swipes it on the doors, which lets him into the lobby where the ATMs are.

JORNT: As soon as he got in the ATMs started to blink. He walked towards the first ATM and then this whole pack of money came out.

JACK: Literally the moment he enters the lobby the ATMs suddenly start spitting out all kinds of cash in all of the cassettes. He didn’t even touch a single button on the ATM.

JORNT: Then the money just kept on coming out so he just kept on filling his sports bag. Then he went to the next ATM and to the next one, and to the next one.

JACK: There were four ATMs in this lobby and all four of them are blinking wildly and they’re spewing out thousands of Hryvnia, the Ukrainian money. As fast as they’re popping out of the ATM, this guy is shoving them into his duffel bag. The operation seemed very precise and was done very quick.

JORNT: When all four ATMs were empty he left and without even touching the ATMs he was able to rob them.

JACK: The bank said there was around $250,000 in each of the ATMs he just stole from which meant he took about a million US dollars in just a few minutes, [MUSIC] somehow magically emptying all the ATMs without even touching them. This isn’t a hack; this is a superpower of some kind. Forget about the team at Kaspersky to solve this. You need Batman or someone on this one.

JORNT: Yeah but come on, it’s not something that is…

JACK: Hollywood movie magic? But seriously, no matter how weird a hack may seem there is always an explanation for it. Jornt and his team began trying to think of what this could be.

JORNT: First we thought that this was a modified version of another malware that we already knew about that was called Toucan.

JACK: Yeah, Toucan is pretty slick. It first requires hackers to remotely access the ATM over the network.

JORNT: For your information an ATM is just a computer running Windows so it’s possible to install malware on it.

JACK: Once a hacker gets into the ATM over the network they plant this Toucan malware on it.

JORNT: This malware, it was active between twelve o’clock and three o’clock in the night. When you entered a special code…

JACK: This is a special code you just put right on the pin pad of the ATM, then you get access to the Trojans menu. From here you can see how many cassettes there are and how many bills are in each one. Then there’s a little special code at the bottom of the screen which is called a challenge.

JORNT: Then you get the challenge. You send it to your boss and he calculates response. You enter the response.

JACK: Whoever is at the ATM sends this code back to the hacker and then they generate another code so that you enter it back into the ATM.

JORNT: Then you basically get into the god-mode menu because you can choose from which cassettes you want the money.

JACK: Then you literally get to say ‘give me the money from cassette one’ and money just comes right out. It’s a pretty slick attack and it works really well when set up correctly.

JORNT: Back at the time it was one of the first ATM malware versions that was there, you know? Now there are dozens, way more, but back then it was one of the first. Because of the modus operandi, you enter in the middle of the night. We thought that this was a modified version so we asked the bank for hard disks of the ATM so we could search for malware.

JACK: Jornt took these disks back to the lab and investigated them thoroughly.

JORNT: We couldn’t find anything.

JACK: [MUSIC] The trail went cold. Jornt was stumped. He had absolutely no clue how this attack happened. There was no sign of any malware or suspicious activity on the ATMs. How could this be? Months go by; no progress. Jornt just stopped investigating, thinking it was just some really weird anomaly. Maybe magic, who knows. But then out of nowhere…

JORNT: We got a call from one of an account manager.

JACK: But this wasn’t an ordinary call. The account manager was calling him at three a.m.

JORNT: It was in the middle of the night and the guy just said that we have to call this number. We were like man, it’s in the middle of the night. We’re sleeping.

JACK: Jornt was like can’t you just tell me what this is for? But the account manager was insistent that he just call this number. Jornt and a few of his colleagues [00:20:00] got out of bed, splashed some water on their face to wake up a little, and called the number.

JORNT: There was a guy that was completely, completely stressed out.

JACK: He was an IT person from a large bank in Russia. He was in a total panic.
Something big had happened to this bank and he needed help immediately.

JORNT: He just said get your ass over here. We’re like okay, but where is here?

JACK: The bank happened to be in the same town as one of Jornt’s colleagues so he got dressed at three a.m. and went down to the bank. On the way there they’re thinking things like oh, this bank must have been robbed for millions of dollars or something. Maybe it was those ATM robbers since this call was at three a.m. too. The colleague arrived.

JORNT: When he was there, like I said, the guy was completely, completely stressed out and because it turned out that their domain controller which is the most important server within the network, was actually sending data to China.

JACK: [MUSIC] While this isn’t exactly a bank robbery, it’s still quite a big problem. The domain controller is the heart of the network. It handles like, all the authentication, all the connectivity between Windows computers, and if you have admin access to the domain controller you probably can get admin access to pretty much any other Windows computer in the entire network including any money-processing systems. When the bank was saying their domain controller was sending data to China, this meant one thing.

JORNT: Yeah, the domain controller has been breached.

JACK: As in, hackers have gained access to the heart of this bank’s network.

JORNT: There is no reason for a domain controller to contact the server in the middle of the night in China.

JACK: Jornt’s teammate grabbed a chair and sat down at a terminal to look at the domain controller.

JORNT: When such a thing happened what you tried to do is you tried to find the malware.

JACK: They used a tool called Process Explorer to examine what’s running. They looked at system logs and examined the memory.

JORNT: It didn’t take a long time to find that process.

JACK: They found what program was sending the data to China and began analyzing it. They quickly…

JORNT: Made memory dumps and just do some strings on it to find readable characters.

JACK: While it’s not possible to see what’s inside this program or what it’s doing, sometimes running strings on it can get you a clue. A strings command will analyze the file to see if there’s any human readable data in the bytes of the program. This can sometimes reveal clues such as who wrote the program or what language it was written in, or other tiny clues like this. Jornt ran the strings command and found something.

JORNT: [MUSIC] There we saw that there was written VNC.

JACK: VNC is a way to remotely-control a computer as if you’re sitting right in front of that system.

JORNT: Think about the situation, you know; you’re at a large bank in the middle of the night in Russia. The domain controller is sending data to China and you see that there is a DLL loaded.

JACK: Which has an active Remote Desktop connection on it.

JORNT: Now, could it be that those guys that breached the server are watching what we were doing?

JACK: This is certainly a chilling moment. To think that not only are hackers in the bank, but they’re watching your every move on this computer? Jornt and his team wanted to find out if they were being watched so they came up with a plan.

JORNT: We opened up a Word document and we wrote ‘privyet’ which is Russian for ‘hello.’

JACK: Wait, why did you say hello in Russian?

JORNT: If you don’t know Russian when you’re attacking a Russian bank, things get complicated.

JACK: So they sit there with the Word document opened with ‘hello’ written in Russian on it and wait. If a hacker was in the system right now, they’d see this and they know that message is for them. A few minutes go by and the cursor starts to move. They start to type and they say ‘hello’ in Russian. Then they started writing more.

JORNT: ‘You will not catch us’ and then it was like okay, ‘We will catch you.’ ‘No, you will not catch us.’

JACK: This four a.m. chat goes back and forth for a while between the hackers and the investigators. Eventually that chat ended and Jornt’s team was able to find the malware on this computer and wipe it off the domain controller which disconnected the hacker from the network. Removing this malware wasn’t that hard, actually. So the next step was to figure out if any other computer in the whole network had it and remove it.

JORNT: We wrote a very simple script and it was ran on all the computers within the bank, and a little bit later the malware was removed. So far so good.

JACK: This incident gave Jornt and his teammates a lot of clues as to what was going on here and they were actually able to connect the dots back to those ATMs that got hacked in Ukraine. After the break we’ll hear how Jornt unravels the whole thing and figures it all out. Stay with us. Alright, so go on. What happens next?

JORNT: Eugene Kaspersky, the owner of the company, he was at the Interpol conference and he was telling this story. Then Europol heard about this and they thought oh, these guys might be coming to Europe. We have to inform our banks. Europol is headed in The Hague so one of my colleagues from Russia, [00:25:00] he flew over to The Hague to present about this case.

JACK: Kaspersky, security researcher, presented their findings to this Europol conference in The Hague, in The Netherlands. This started getting the case a lot more attention. First, a big bank heard this talk and started a panic saying ‘we have the same indicators of compromise on our servers’ but this turned out to be a false positive. But then the Dutch police became interested and they wanted to help.

JORNT: Around that time we also decided to work on this case together with the Dutch police because they wanted to do a case with us and they were interested.

JACK: [MUSIC] By this time a few other banks are now calling up Jornt and his team and having them investigate the similar issues.

JORNT: Yeah, we found a new command and control server and that one was located in The Netherlands.

JACK: The malware was being controlled remotely by a command and control server. This server was located in Holland. This was a lucky break because the Dutch police were already aware of this and wanted to help.

JORNT: It was relatively easy for the police to seize it.

JACK: Once the Dutch police seized the server they gave it to Jornt to analyze.

JORNT: They gave us the source code of the botnet panel. We analyzed it and we saw that they made a small implementation mistake and that meant that if we sent a very specific request to a web server, you’d get a very specific error.

JACK: Basically if you did an HTTP request to this command and control server with the /zero at the end, the server will return a very specific error. This meant Jornt could scan the entire internet quite quickly and easily, looking for every single command and control server being ran by this hacking team.

JORNT: We just scanned the whole internet. We just did that whole request on all the web servers on all the internet trying to see if one would come up with such unique error response. That way we were able to find other command and control servers.

JACK: Now things started moving a lot faster for Jornt. Him and his team have responded to a lot of banks with the same problem. They have a copy of the malware that was on the bank, and a copy of the command and control servers which was orchestrating the whole thing. At this point they decided to give this malware a name and they called it Carbanak.

JORNT: It comes from two things; it was based on malware called Carber and then there was a configuration file called Anunak. We kind of meshed those two words together so that’s why we named it Carbanak.

JACK: At this point Jornt and his team have completely unraveled how this entire hack works and it all starts with a random employee. In this case, an event coordinator or manager.

JORNT: They send a spare phishing e-mail to an employee at the bank, for example the event manager. At that time it was a Word document and that Word document contained an exploit for an already patched vulnerability right away. Now, as soon as the event manager opens up the Word document, the malware is downloaded and installed on their computer and the attackers have their first point of entry within the bank.

JACK: Here’s what went down. [MUSIC] An e-mail was sent to an event coordinator of a bank which said something like ‘We’re organizing a very important event and we think your company would be interested in coming. Please see the attached doc for details.’ Of course, the attached Word document contained a virus in it. The human seems to be the weakest link in the network still. Basically, inside this Word document was a set of instructions that the computer should execute. This Word doc was…

JORNT: Just downloading the Carbanak malware. That one actually contains the back door so the attackers could connect to that computer.

JACK: Now that the hackers had remote control of this person’s computer in the bank, the next goal would be to elevate their privileges and get access to the domain controller. The hackers first installed a key logger on this person’s computer to record every keystroke that person makes.

JORNT: The first thing they tried to do is tried to get the administrator passwords. One way to do that is install some software that makes the machine really slow. Then the person will call IT. IT will come, they will enter the administrator passwords, they will see the software that’s slowing down the PC. They remove the software and the guys have the administrator passwords because they installed a key logger.

JACK: I’m not gonna lie; I think this is a genius move. To put a key logger on a computer and then make the computer act badly just to get an admin to come log in and take a look, and when they do you steal their password? That’s amazing. Now that they have the admin password to one of the computers they’ll try to use that password on another server.

JORNT: You go to the domain controller of course, and the password is the same. You can log in. There you can find a computer that is of interest for you.

JACK: A computer of interest in a bank is a computer that controls the money transfers or controls the ATMs. But this hacking group was very tactical once they arrived on a computer that handled bank transfers. They also figured out which employees were the ones that were making manual money transfers on these systems so they’d infect those employees’ computers, too.

JORNT: The interesting thing about this gang is [00:30:00] malware-wise, they were not the most advanced or it was not APT. They didn’t use like, espionage. They didn’t use any zero-days, that kind of stuff. But they were really good at finding their way within the bank. They were really smart and clever and…

JACK: Give me some ideas what they were doing.

JORNT: One of them was to just install video recording software on the machine of one of the employees. [MUSIC] The video recording software was in really bad quality. It was in black and white and only the active screen was recorded. But by that way, and not much data was sent to the command and control servers so it wouldn’t see gigabytes going to one IP address. The good thing is they, just by watching how one guy was doing his day-to-day job, they learned how all the IT systems within the bank worked.

JACK: That is clever. By recording the user’s screen they could see exactly how to use that money transfer system. By using a key logger they could get the passwords on those banking servers, too.

JORNT: That’s the smart thing about them. They just found their way quite quickly to extract money from the bank.

JACK: Alright, so here’s the situation now. Russian hackers or someone fluent in Russian found their way into a Russian bank’s network, identified which employees have access to manually transfer money, and have all the logins to get into those money transfer servers, and they’ve been watching how people do it for days. They now have complete access to make any money transfer they want. Now it’s time to cash out.

JORNT: They had a couple of ways. One way was to enter data directly into the Swift system and transfer money overseas.

JACK: Swift is a network that many banks of the world use to transfer money between banks internationally. It has to be a very secure network because a bank can literally lose millions of dollars in an instant if a hacker were to make a illegal Swift transfer to another bank account.

JORNT: One other way was to control the ATMs remotely like we saw with the first case.

JACK: Basically these hackers found a way that the bank could remotely control the ATMs and it had a feature to dispense all the money. The hackers simply got into the ATM admin server, waited for the go-ahead from the guy at the bank, and then they just started dumping all the bills out. Oh, and then there was a third way that the hackers were transferring money.

JORNT: [MUSIC] It’s actually quite a funny story. They found the system to create accounts. They created all these accounts for their money mules.

JACK: All these methods actually required two people. First there was a hacker that needed to get into the computers and transfer all the money and stuff, but then there’s a money mule who’s simply a person who’s paid to go grab the money and send it back to the boss, but they get to keep a small cut of it. In this third method of stealing money they used a bunch of money mules. They hired a bunch of them and taught them how to go get the cash.

JORNT: Then they’re hiring all the mules. They created debit cards for all the mules.

JACK: The hackers created bank accounts for each one of these mules and gave them a debit card but the bank account had a very specific amount of money.

JORNT: Like $3.33 or something, a really, really crazy low amount that nobody would typically have.

JACK: Then once all the mules had accounts set up at this specific bank, the hacker would then go to work. Instead of looking up all the mules’ account numbers and changing their balances one by one, the hacker would just do a database update on the entire database, updating all accounts that had $3.33 in them.

JORNT: Updates the table, balance, ‘til one million dollars where balance is $3.33.

JACK: Suddenly all the mules had one million dollars in their account and they could go withdraw that cash. A lot of mules successfully did withdraw millions of dollars this way which resulted in banks losing a ton of money.

JORNT: The funny thing is because of that query, not just the mules had suddenly one million, but everybody who at that point in time happens to have the same amount of money was suddenly a millionaire.

JACK: That’s crazy. Now that Jornt and Kaspersky Labs have completely understood how this operation works, they wanted to disrupt the whole thing. They scanned the whole internet looking for those command and control servers and when they found them they gave it to the local police to take down. By taking down these servers it disrupted the whole operation. The criminals were persistent; after all, these hacks had already brought in millions of dollars. They just kept getting their command and control servers seized by the police. They changed their modus operandi, is that right? They changed their tactics. [MUSIC] Instead of using the Carbanak malware which had antivirus signatures that were already well-known, they started using off-the-shelf tools such as Metasploit and Cobalt Strike.

With this slight change of tactics they were able to fly under the radar once again and [00:35:00] strike at many more banks. Kaspersky claims this group successfully attacked thirteen times and stole twenty-five million US dollars. But Europol was also tracking this group and they had completely different numbers. Europol claims this group hacked into over a hundred banks and stole money, and they stole a whopping 1.2 billion US dollars. This obviously got the attention of a lot of police and while most bank robberies occurred in Ukraine and Russia it did start to branch out to various other countries like Spain and China. A major investigation was underway; not just Europol, though. The Spanish government was investigating. The Moldavian government, Romanian, Belarusian, the Taiwanese government, and even the FBI had cases on this group and were sharing information.

JORNT: What we saw is that a while ago and – I don’t know if I can remember exactly when. One of the suspected ring leaders got arrested in Spain. He was a Russian guy living in Spain, or a Ukrainian guy.

JACK: It was actually March, 2018. A guy named Denis K was arrested in Spain. He was from the Ukraine and he was working with three other Ukrainian and Russian nationals. Together they worked with the Moldavian mafia to hire the money mules and fly them to the banks to pick up the money. Once they had the money they would quickly switch it to Bitcoin where they could spend it anonymously. However, not everyone takes Bitcoin. When Denis K tried to buy something big like a car or a house he had to pay taxes on it and some bad accounting tipped off the police to follow the money, which led them to Denis and they arrested him. When they arrested Denis in Spain they found in his house computers, jewellery valued at over $600,000 US dollars, and two luxury vehicles.

They also found that Denis owned two houses that were worth over a million dollars each. The police thinks this gang had acquired over 15,000 Bitcoins which is about sixty million US dollars today. But even though this arrest occurred, the Carbanak malware continued to be used by hackers around the world. It may have been traded on a dark net or some hacker forum. Some chatter on a hacker forum seemed to suggest this arrest didn’t even slow down these attacks at all. Another prominent hacker group called Fin7 used this Carbanak malware to target American companies. That story actually doesn’t have any ATM hacking in it so we’ll skip it but it is amazing so I’ll have to cover it on another episode. But Carbanak will always be remembered by Jornt because…

JORNT: This was the first large attacks on banks and organized attacks on banks because first either criminal groups attacked consumers with banking malware, and later they started to attack banks, basically, with banking malware and robbing banks because it was more profitable and easier in the end. These attacks on banks, they are still happening.

JACK: What can banks do about this now?

JORNT: One of the obvious things is update your software. This group didn’t use any zero-days so if they just would have updated their Microsoft Office, this attack wouldn’t have taken place.

JACK: I looked this up. These hacks were going around in 2015 but the hackers used an exploit that Windows had fixed since 2012. Yeah, if the bank simply kept their Microsoft Word updated on all the employees’ computers, this would have gone nowhere. This is why I’m always telling you to update your software.

JORNT: Then if you have antivirus installed make sure that you also have one that looks at the behaviour of computers, of your system, because that one is also able to catch a known malware quite easily.

JACK: There really isn’t just one way to stay safe from this attack. You really need good all-around security hygiene practice for your users and your servers. It’s also good to have proper monitoring in place so that you can quickly detect when something like this is going on. Carbanak is just one way hackers have been getting into ATMs but there are many more ways they’re doing it today and it’s becoming more popular. Another way that ATMs are being hacked is if you can get access to the Ethernet cable that connects the ATM online, you can plug it into a fake processing center that you set up, tricking the ATM to just basically authorize any withdrawal. Oh, and some ATMs have a full QWERTY keyboard built into it. Some hackers found that you can hit shift five times quickly which gives you the Sticky Keys in Windows and then from there you can access the Windows OS. There’s other keyboard commands you could do to exit out of the ATM app since it really is just a Windows computer. There are a whole bunch of other methods used to defeat cash machines today. ATM hacking is going on all over the world and the manufacturers and banks really need to pay extra attention to these kinds of attacks because ATM hacking will continue until security improves.

JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. For show notes and links check out darknetdiaries.com. Big thanks goes to Jornt v.d Wiel for telling us this story. If this show brings you value and you enjoy it please consider supporting it through Patreon. This show is made by me, the cyberdelic [00:40:00] warlord, Jack Rhysider. Theme music is by the funkadelic Breakmaster Cylinder. Join us again in two weeks where I’ll bring you more true stories from the dark side of the internet. Peace.



Transcription performed by LeahTranscribes