Kaspersky: Physical devices used to steal ‘tens of millions’ from Eastern Europe banks
Banks in Eastern Europe were targeted with cyberattacks that involved the planting of physical devices on premises, according to a report from Russian cybersecurity company Kaspersky Lab published Thursday.
Researchers say the attacks have caused “tens of millions of dollars” in damage at no fewer than eight banks. “In some cases, it was the central office, in others a regional office, sometimes located in another country,” the report says.
Kaspersky says the attacks, dubbed “DarkVishnya,” were carried out in person by a third party who planted devices that connect directly to the banks’ networks. The attackers used one of three tools, the researchers say: a laptop, a Raspberry Pi computer or a Bash Bunny, a device that looks like a USB flash drive and is purpose-built to deliver a malicious payload.
Sergey Golovanov, a security expert at Kaspersky, told CyberScoop in an email that the researchers realized that physical devices were being used because of a discrepancy between the number of authorized devices versus connected devices on the banks’ networks.
“Once we compared these numbers, it became clear they didn’t match. In some cases, we were basically tracking a malicious device by following the wires,” Golovanov explained.
Once on the network, the attackers remotely used the planted devices to probe for openly available data relating to making payments and login credentials, the report says. Golovanov said they were targeting “ATMs and other services that provide clients with funds.” The perpetrators reportedly then used remote desktop software to maintain their presence on the targets’ systems.
According to the report, the cyber-intruders used evasive tactics to hide their presence on the banks’ networks. The attackers apparently used PowerShell scripts — a way to run commands on a system without writing files to disk that could trigger defensive software — and disguised their planted devices to look like an “unknown computer, an external flash drive, or even a keyboard” on the network.
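The detection Golovanov describes, comparing the number of authorized devices with the number actually connected and then tracing the stragglers by their wires, can be turned into a routine check. The script below is an added illustration, not Kaspersky’s tooling or anything from the report: it reconciles a hypothetical asset inventory (MAC to hostname) against constructed switch MAC-address-table observations, flags every MAC the inventory does not know, and prints the switch and port each unknown device hangs off so responders know which cable to follow. The OUI table is an assumption (B8:27:EB is, to the author’s knowledge, registered to the Raspberry Pi Foundation; verify against the IEEE registry before relying on it).

```python
"""Reconcile an authorized-device inventory against devices seen on the network.

Added example (not Kaspersky's code). The DarkVishnya write-up says the planted
hardware was noticed because the count of authorized devices did not match the
count of connected devices; this does that comparison per MAC address and
records the switch port of each unknown device so it can be traced physically.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical authorized-asset inventory: MAC -> hostname (constructed data).
AUTHORIZED_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:01": "teller-ws-01",
    "00:11:22:33:44:02": "teller-ws-02",
    "00:11:22:33:44:03": "branch-printer",
}

# Constructed switch MAC-address-table / DHCP observations, one per line:
# "<mac> <switch> <port> <dhcp-hostname-or-dash>"
OBSERVED_LOG = """\
00:11:22:33:44:01 sw-branch-1 Gi1/0/3  teller-ws-01
00:11:22:33:44:02 sw-branch-1 Gi1/0/4  teller-ws-02
00:11:22:33:44:03 sw-branch-1 Gi1/0/9  branch-printer
b8:27:eb:12:34:56 sw-branch-1 Gi1/0/17 -
"""

# Small OUI prefix table. Assumption: B8:27:EB belongs to the Raspberry Pi
# Foundation; check the IEEE registry before trusting this in production.
KNOWN_OUIS: Dict[str, str] = {"b8:27:eb": "Raspberry Pi Foundation"}


@dataclass
class Observation:
    mac: str
    switch: str
    port: str
    hostname: str


def parse_observations(text: str) -> List[Observation]:
    """Parse the whitespace-separated observation lines into Observation records."""
    observations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, switch, port, host = line.split()
        observations.append(Observation(mac.lower(), switch, port, host))
    return observations


def vendor_of(mac: str) -> str:
    """Look up the first three octets of a MAC in the small OUI table."""
    return KNOWN_OUIS.get(mac[:8].lower(), "unknown vendor")


def reconcile(authorized: Dict[str, str],
              observed: List[Observation]) -> Tuple[List[Observation], Dict[str, int]]:
    """Return the observations whose MAC is absent from the inventory, plus counts.

    The counts are the headline numbers the report mentions: how many devices
    are authorized, how many are actually connected, and the difference.
    """
    auth = {m.lower() for m in authorized}
    unknown = [o for o in observed if o.mac not in auth]
    counts = {
        "authorized": len(auth),
        "connected": len({o.mac for o in observed}),
        "unknown": len(unknown),
    }
    return unknown, counts


def report(authorized: Dict[str, str], observed: List[Observation]) -> List[str]:
    """Build human-readable report lines; unknown devices carry switch and port."""
    unknown, counts = reconcile(authorized, observed)
    lines = [f"authorized={counts['authorized']} "
             f"connected={counts['connected']} unknown={counts['unknown']}"]
    for o in unknown:
        lines.append(f"UNKNOWN {o.mac} ({vendor_of(o.mac)}) on {o.switch} "
                     f"port {o.port} hostname={o.hostname}")
    return lines


if __name__ == "__main__":
    for line in report(AUTHORIZED_DEVICES, parse_observations(OBSERVED_LOG)):
        print(line)
```

Run as written, the script reports three authorized devices, four connected, and one unknown MAC on port Gi1/0/17 with a Raspberry Pi OUI. In a real environment the observation feed would come from switch MAC tables, DHCP leases or 802.1X accounting rather than a string literal, and the inventory from the bank’s asset database; the comparison itself stays the same.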
Golovanov said the identity of the DarkVishnya attackers is not clear and that it’s up to “local security services” to figure that out.
“Judging from the fact that a physical device was, in each case, brought inside the building and connected to the bank equipment, we can suggest that it was one of the visitors to each financial institution,” Golovanov said. “As a cybersecurity provider, we concluded our job as we made sure that the institutions are protected and the threat is eliminated.”