A group of cybercriminals has breached and mapped the global banking system, and in a series of attacks has so far stolen $81 million from the central bank of Bangladesh. Experts believe the attacks were done through a vulnerability in the SWIFT banking system, which connects more than 11,000 financial institutions around the world.
Investigations into the ongoing attacks are still underway, and related attacks on other banks are still being uncovered. Some experts are pinning the attack on hackers from North Korea, since the tools they used share similarities with those used in the November 2014 hack of Sony Pictures Entertainment.
According to an insider with direct knowledge of the recent attacks, however, the culprit behind the digital bank robberies is much larger. The insider requested to remain anonymous due to security concerns, and was able to provide evidence to support his claims.
A screenshot, provided to Epoch Times by an insider, shows the security certificate of a Mexico-owned bank money transfer network in New Jersey being exfiltrated. Hackers can use the certificate to send communications through the company’s networks, which its recipients would automatically validate.
Chinese state hackers identified the initial vulnerability, and used it to infiltrate and infect the global financial system, according to the insider. When their contract ended with the Chinese regime last year, they sold the vulnerability to cybercrime groups on a private marketplace in the darknet in an attempt to thwart detection, he said. The darknet is an alternate internet that is only accessible using specialized software. While the darknet has legitimate uses, criminal groups buy, sell, and conspire on darknet forums.
The Chinese regime runs a large network of hackers under the General Staff Department, Third Department, of its military. These hackers carry out orders from the Chinese regime, and also often run additional operations or sell data on the side for personal financial gain. Epoch Times exposed this system in a previous investigative series.
The cybercrime groups who purchased the vulnerability are allegedly those carrying out the current attacks and illegal money transfers.
“The Chinese have already gained permanent access to the target financial networks and exfiltrated all the data they wanted for the contract for their sponsor,” the insider said. “Now they have this vulnerability, they can continue to monetize, so now they’re selling it to criminal networks.”
The insider said the Chinese hackers didn’t sell the vulnerability to any specific cybercrime group either. “They’ll sell one bank to one group,” he said, and noted most of the hackers carrying out the current attacks are comparatively low-skilled. “They’re not coders,” he said. “They just know how to release packages and deploy them.”
The insider was able to provide forensic data and screenshots that support the claims. The insider was also able to provide a list of targeted banks, which he noted is growing, and which includes a long list of banks and financial systems that are connected to a compromised banking partner network—including several in the United States, Latin America, and Asia.
The Chinese state hackers started their attacks on the bank networks as early as 2006, according to the insider, and began uploading malware to the bank networks in 2013.
While the breach of SWIFT has been made public, he said, the Chinese hackers also breached a money transfer network, which is run by a Mexico-owned bank based in New Jersey.
“Basically, Mexico’s critical infrastructure is owned by the same APT group,” he said, using APT (advanced persistent threat) to refer to the Chinese state hackers. “They’re in everything down there,” the insider said, referring to the level of access the Chinese state hackers have gained over critical networks in Mexico.
A post on a cybercrime darknet forum offers access to Mexican government networks, stating the entry is “ideal for cyberspy,” in this screenshot provided to Epoch Times by an insider.
A post on a cybercrime darknet forum sells access to “all information” on Mexico, noting it contains a new method to breach networks, and includes “bigs company” in the financial sector, in this screenshot provided to Epoch Times by an insider.
A post on a cybercrime darknet forum sells access to a Mexican telecommunications service that connects 32 states, in this screenshot provided to Epoch Times by an insider.
A post on a cybercrime darknet forum sells access to Mexico’s Federal Commission of Electricity, in this screenshot provided to Epoch Times by an insider.
It wasn’t until around June 2015 that the Chinese state hackers sold the vulnerability to cybercrime organizations, and these organizations immediately used it to begin mapping, testing, and infecting banks and financial systems.
The insider said the hackers exploited a vulnerability in Apache Struts 2, a framework used to build web applications. It was vulnerable as early as 2006 and was patched in 2013. He also noted that after gaining access, the hackers have since traversed numerous additional financial networks they’re targeting.
While the Chinese state hackers sold access to the bank networks, the insider noted the hackers had been mapping and infecting the global banking system over the last eight years.
When they decided to sell the vulnerability, they did not forfeit their access to the networks. By the time they sold it, the insider said, it had already served its purpose. In other words, the Chinese state hackers still have access to the networks—and not just to a few banks, but instead most of the global banking system.
The insider speculated that the Chinese state hackers are selling the original vulnerability both for profit, and to use the cybercriminal gang as a deliberate distraction from their higher-level breaches. He went on to state this could be the early stages of a global banking crisis.
Process of the Breach
The code used in the exploit was pulled from multiple places, which could also mean that researchers looking at the breach only from the surface may draw false conclusions. The insider said some of the code was developed in-house by the Chinese hackers, but they also purchased some of the code from Russian universities.
Source: http://www.theepochtimes.com/n3/2085775-exclusive-chinese-state-hackers-started-cyber-bank-robberies/