On July 9 and 10 of 2016, the ATM network of the First Commercial Bank in Taiwan was hit by a well-coordinated hack that took control of the system, forcing selected ATM machines to spew cash out to waiting bagmen. The criminals made off with over NT$83 million (US$2.5 million) in a single weekend, making this one of the biggest robberies ever in Taiwan.
“This is the first time that an international team of ATM thieves has committed a crime in Taiwan,” the head of the police’s Criminal Investigation Division, Lee Wen-chang, told the media.
As 2016 waned and investigators continued to pore over the available data, a report by international cybersecurity investigations firm Group-IB linked the hack and heist of First Bank to an international syndicate likely based in Russia or Eastern Europe. The gang has been code-named “Cobalt” based on its use of a publicly available security testing tool, Cobalt Strike, to gain access to banks’ networks and thereby to their ATMs.
The group has used this approach to pull off coordinated attacks enabling it to rob millions of US dollars beginning last June. Cobalt is linked to attacks on ATM networks mostly in Europe but also in Asia. Besides Taiwan, the other countries affected have included Britain, Estonia, Malaysia, the Netherlands, Poland, Russia, Spain, and Thailand.
The group that orchestrated the theft of over $2 million from cash machines at Taiwan’s First Commercial Bank in July was also behind an ATM hacking spree in more than a dozen European nations last year, according to cyber security firm Group-IB.
The methods that the so-called Cobalt group used in Europe matched those used in Taiwan, Group-IB said in its latest client report.
Wearing hats and antipollution masks, they loitered at the machine for a moment. Then, as the astonished couple in line behind them later told the police, the ATM started disgorging cash without either man touching it. The men shoved the bills into a satchel and brushed past them. As the Russians drove off in a black sedan, the couple spotted something on the ground: One of the guys had dropped his bank card.
By the time detectives traced Berezovsky and Berkman to the nearby Grand Hyatt the next day, the Russians had already jetted off to Moscow by way of Hong Kong. And they were just two of 15 “money mules” who’d hit 41 ATMs at 22 branches of First Commercial over that stormy weekend, the cops learned, taking 83 million New Taiwan dollars (NT$), or about $2.6 million. Hackers, investigators discovered, had forced the machines to spit out cash.
The Carbanak gang had struck again.
Before WannaCry, before the Sony Pictures hack, and before the breaches that opened up Equifax and Yahoo!, there was a nasty bit of malware known as Carbanak. Unlike those spectacular attacks, this malware wasn’t created by people interested in paralyzing institutions for ransom, publishing embarrassing emails, or taking personal data. The Carbanak guys just wanted loot, and lots of it.
Since late 2013, this band of cybercriminals has penetrated the digital inner sanctums of more than 100 banks in 40 nations, including Germany, Russia, Ukraine, and the U.S., and stolen about $1.2 billion, according to Europol, the European Union’s law enforcement agency. The string of thefts, collectively dubbed Carbanak—a mashup of a hacking program and the word “bank”—is believed to be the biggest digital bank heist ever. In a series of exclusive interviews with Bloomberg Businessweek, law enforcement officials and computer-crime experts provided revelations about their three-year pursuit of the gang and the mechanics of a caper that’s become the stuff of legend in the digital underworld.
Besides forcing ATMs to cough up money, the thieves inflated account balances and shuttled millions of dollars around the globe. Deploying the same espionage methods used by intelligence agencies, they appropriated the identities of network administrators and executives and plumbed files for sensitive information about security and account management practices. The gang operated through remotely accessed computers and hid their tracks in a sea of internet addresses. “Carbanak is the first time we saw such novel methods used to penetrate big financial institutions and their networks,” says James Chappell, co-founder and chief innovation officer of Digital Shadows Ltd., a London intelligence firm that works with the Bank of England and other lending institutions. “It’s the breadth of the attacks, that’s what’s truly different about this one.”
Three Eastern European men were arrested in Taiwan in July on suspicion of collecting cash stolen from ATMs owned by First Commercial Bank, a unit of First Financial Holding Co Ltd.
Attorneys for the three defendants in an ongoing trial in Taipei told Reuters their clients were not familiar with Cobalt.
The men – identified in court documents as Peregudovs Andrejs of Latvia, Colibaba Mihail of Romania and Pencov Nicolae of Moldova – were among a total of 22 individuals, all foreign nationals, whom Taiwanese authorities suspect of taking part in the theft, in which most of the money was subsequently recovered.
The suspects used malware dubbed “ATM spitter” in the First Commercial Bank attacks, as well as similar hacks in countries including Armenia, Belarus, Britain, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia and Spain, Group-IB said in a report to its customers that Reuters reviewed on Thursday.
Group-IB first detailed the European spree in a report published in November, identifying the hackers as the Cobalt group.
The firm linked Cobalt to the Taiwan heist in its report last week.
Investigators in Taiwan told Reuters they were not aware of any links between Cobalt and the hackers behind the First Commercial Bank heist.
“What we can say is the people behind this hacking were very good,” a Taiwanese investigator familiar with the case told Reuters, on condition of anonymity because the investigator was not authorized to speak with media.
The defendants, who maintain their innocence, said in a court hearing on Wednesday that they were not members of any international crime organization. Taipei prosecutors have said they suspect First Commercial Bank’s network was breached at a London branch office.
One of the suspected ringleaders of an ATM heist nearly two years ago has been arrested in Spain, the Criminal Investigation Bureau (CIB) said in a statement on Monday.
The investigation into the theft of more than NT$83 million (US$2.85 million at the current exchange rate) from state-run First Commercial Bank ATMs has lasted nearly 20 months and involved the joint efforts of Taiwanese authorities, the Spanish national police, the European Cybercrime Centre and private cybersecurity companies, the bureau said.
Identified only as Denys, the Russian is believed to be one of the leaders of a cybercrime syndicate called “Cobalt,” which is suspected of targeting banks, e-payment systems and financial institutions around the world using malware, known as Cobalt Strike, since 2016, the bureau said.
The group has allegedly infiltrated more than 100 financial institutions in 40 nations and stolen about 1 billion euros (US$1.2 billion).
A total of 22 suspects from six countries were involved in the high-profile theft in Taiwan from July 9 to July 11, 2016.
Nineteen of the suspects fled the nation and were placed on a wanted list.
Members of the international ring allegedly withdrew money from 51 First Commercial Bank ATMs in Taipei, New Taipei City and Taichung after using malware to hack into the bank’s computer system.
Authorities were alerted to the hack when members of the public in Taipei reported seeing two men collecting cash from an ATM in the middle of the night.
Police were able to track down and arrest three men — one who was allegedly indirectly involved in the heist and two who were allegedly in Taiwan to recover the money and transfer it out of the nation.
About NT$5.79 million of the stolen cash is still unaccounted for.