Mar 10 2015

Is the Carbanak Threat to Banks Overhyped?

Two banking associations say U.S. banks haven't yet felt the threat posed by the covert malware.

A fraud campaign that covertly embeds malware within the network and extracts over $1 billion in assets undetected is a nightmare come to life for most financial services organizations. So when word of Carbanak, the malware behind the so-called billion-dollar hack, made headlines around the world last month, many consumers, banks and credit unions feared the worst.

But two leading financial services groups say those fears are overblown — at least for U.S. financial services organizations.

According to a report from American Banker, leaders from the Financial Services-Information Sharing and Analysis Center and the American Bankers Association say no U.S. banks have been infiltrated by the attack.

“The Carbanak attacks are old news, something we've known about for months,” said William B. Nelson, president and chief executive officer of the FS-ISAC. “We [have] shared the threat indicators and briefed our members.”

Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA, echoed Nelson’s statements. But he cautioned that just because no U.S. banks have been hurt by Carbanak so far doesn’t mean they should let their guard down.

“That doesn't mean our banks shouldn't be watchful as the threat continues, because as long as the criminals are successful and continue to advance, we need to be aware of that as a potential [liability],” Johnson told Banker. “But it appears to be fairly concentrated on Russian banks at this point.”

Further corroborating the ABA and the FS-ISAC’s claims is a joint statement from the FBI and U.S. Secret Service.

“The FBI and USSS (U.S. Secret Service) have received no reports that Carbanak malware has affected the U.S. financial sector,” the two agencies said in a statement published by Reuters. “But we continue to analyze investigative information as well as technical indicators released by private industry.”

Kaspersky Lab, the security vendor that alerted the world to Carbanak, is still confident that some U.S. banks may have been infected, since Kaspersky knows for certain that U.S. banks were targeted in the attack. Chris Doggett, managing director of Kaspersky Lab North America, told Banker that Carbanak targeted 36 U.S. banks.

“We compromised a significant number of command and control servers used in these attacks,” Doggett said. “The hackers had software for managing their attacks across banks, and we could see information about those banks and their systems. We saw a number of U.S. bank targets, and we know definitively that at least one major U.S. bank was used as part of the Carbanak operation.”

Because Carbanak is unusually evasive, Doggett argues that U.S. banks might be infected and not even know it. But for now, with multiple government agencies and financial organizations saying that Carbanak hasn’t shown up on their radar, the malware appears to be mostly a non-U.S. problem.
