Nov 21 Cyber criminals have remotely attacked
cash machines in more than a dozen countries across Europe this
year using malicious software that forces machines to spit out
cash, according to Russian cyber security firm Group IB.
Diebold Nixdorf and NCR Corp, two of the world's biggest ATM
makers, said they were aware of the attacks and have been
working with customers to mitigate the threat. The newly
disclosed heists across Europe follow hacks of ATMs in Taiwan
and Thailand, which were widely reported over the summer.
Group IB declined to name banks that were "jackpotted," a
term used to describe forcing ATMs to spit out cash, but said
the victims were located in Armenia, Belarus, Bulgaria, Estonia,
Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania,
Russia, Spain, the United Kingdom and Malaysia.
Dmitry Volkov, head of threat intelligence with Group IB,
told Reuters that he expects more heists on ATMs.
Hackers have moved from stealing payment card numbers and
online banking credentials to more lucrative hacks on bank
networks, giving them access not only to ATM machines, but also
to electronic payment networks.
A February attack on servers at Bangladesh's central bank
that controlled access to the SWIFT messaging system yielded
more than $81 million in one of the biggest digital heists on
record. Russian banks lost over $28 million in a series of
wire-fraud cases that were identified earlier this year.
"What we are seeing demonstrated is the new model of
organized crime," said Shane Shook, an independent security
consultant who helps banks and governments investigate cyber
attacks and reviewed Group IB's findings.

ATMS INFECTED REMOTELY

"We have been working actively with customers, including
those who have been impacted, as well as developing proactive
security solutions and strategies to help prevent and minimize
the impact of these attacks," said Owen Wild, NCR's global
marketing director for enterprise fraud and security.
Disclosure of the campaign follows two ATM hacks in July:
$2.5 million was stolen from Taiwan's First Bank and $350,000
from Thailand's state-run Government Savings Bank.
Hackers remotely infected ATMs at both banks, forcing them
to spit out cash that was collected by teams of "money mules,"
who authorities say traveled to Asia from Eastern Europe.
The U.S. Federal Bureau of Investigation earlier this month
sent a private alert to American banks, warning them to be on
the lookout for attacks on ATMs following the heists in Taiwan
and Thailand, the Wall Street Journal reported on Monday.
An FBI spokesman declined to comment on the attacks in

Group IB said it believed the attacks across Europe were
conducted by a single criminal group, which it dubbed Cobalt.
It named them after a security-testing tool known as Cobalt
Strike, which the perpetrators used in the heists to help them
move from computers in the bank network that were infected with
tainted emails to specialized servers that control ATMs.

'SMASH AND GRAB' APPROACH

Cyber criminals have been attacking cash machines for at
least five years, though early cases were limited to small
numbers of ATMs.
Hackers have traditionally required physical access to cash
machines, making it tougher to steal large sums, said Shook, the
independent security consultant. They are now using methods like
the Cobalt gang, enabling them to attack larger numbers of
machines in "smash and grab" operations, he said.
Group IB believes that Cobalt is linked to a well-known
cyber crime gang dubbed Buhtrap, which stole 1.8 billion rubles
($28 million) from Russian banks from August 2015 to January
2016, because the two groups use similar tools and techniques.
Buhtrap stole money through fraudulent wire transfers, not

The ATM Security Association declined to comment on Group

Members of the group, which works to improve ATM security,
include ATM maker Diebold Nixdorf as well as banks ABN
Amro, Bank of America Corp, Royal Bank of
Scotland Group and Wells Fargo & Co.
Representatives with Europol, which coordinates
investigations of cyber crimes across Europe, had no immediate

(Reporting by Jim Finkle in Boston; Additional reporting by
Anthony Deutsch in The Hague; Editing by Jonathan Weber and Dan