ATM machines across Europe raided by hackers

Hackers have raided ATM machines across Europe using the technique “Jackpotting” that forces infected ATM machines to dispense cash. As per Russian cyber security firm Group IB, at least dozen countries across Europe have been affected by the new cyber attack. The hack has affected Diebold Nixdorf and NCR Corp, two of the world’s largest ATM makers. Most of the machines impacted by this attack belong to these two companies. As per these two ATM manufacturers, they are aware of the cyber attack and are already working with banks to mitigate the threat. This attack comes after the ATMs in Taiwan and Thailand were somewhat similarly raided this summer and ATMs across India were infected through a malware that stole debit card details of the Indian users.

What Happened?

Cyber criminals have remotely inserted malware into the ATM networks across Europe affecting machines atleast across 12 countries. The technical term for this kind of cyber attack is “Jackpotting” which means forcing cash out of an ATM machine by installing a malware on the machine’s computer. Previously, such attacks used to be carried out tactically by being physically present and installing malware on ATM machines. However, this attack involves remote installation of malware, that makes it unique in its own sense.

What countries are affected?

As per the Russian cyber security firm Group IB, atleast dozen countries have been affected by the cyber heist. They include Armenia, Bulgaria, Belarus, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, Britain, and Malaysia. The countries revealed by Group IB clearly show that the attack is widespread and includes few non-European countries as well.

Which banks are affected?

Well, in a conversation with Reuters, Group IB declined to name the banks that were jackpotted in this cyber-attack. However, since two of the world’s largest ATM manufacturers Diebold Nixdorf and NCR Corp has affirmed that attack has taken place and their machines have been affected, this should imply that many banks have been affected.

Is this the first time such an attack has happened?

Banks have always remained a favorite target by cyber criminals. Earlier in February, the hackers stole $81 million from Bangladesh’s central bank by attacking the SWIFT messaging service. This is not the first time an attack on ATM machine has taken place. However, the manner in which such attack was carried out is unique. Previously, the hackers used to physically visit the ATM, install the malware, force cash out of the machine and run away. However, in this case, the malware has been installed remotely. The “money mules” present at the target locations collected the cash as and when it was dispensed and run away. A similar attack in which malware was installed remotely was witnessed this summer in Taiwan and Thailand. The hackers stole $2.5 million from Taiwan’s First Bank and $350, 000 from Thailand’s Government Savings Bank. One interesting fact about this attack is that money mules traveled all way from Eastern Europe to Asia to steal the money.

What is the takeaway from this attack?

The cyber attacks on ATMs across Europe suggests that "status quo ante" doesn’t exist anymore. The hackers have taken the game altogether to a new level. They no longer seem to be running after the debit card and credit card details but directly want to target the money. The attack suggests a new model of organized crime is in the stage of development. The hacking of banks in Taiwan and Thailand involved the money mules travelling across the continent to steal the money. Tomorrow, hackers across the world can form a syndicate with local criminals. While, the former would install malware and dispense the cash, the latter would collect the money that would be then laundered and settled as per terms negotiated. Such a syndicate will have a multiplier effect on the organized crime and could revive and strengthen many of them. Also, remote installation of malware suggests that more ATM machines could be attacked at a single time unlike previous methods where the scale was small due to requirement of physical presence for installation of malware.

I am a customer of a bank which might be impacted by this attack. Do I need to fear?

Well, you need not fear because the money was not stolen from your account. The bank is liable to give you the exact money that you hold in your account. This attack was carried out by exploiting flaw in the software running the ATM machines and hence the banks must bear the brunt of the attack.

Who is behind the attack?

As per report released by the Group IB on Monday, the attacks across Europe have been conducted by a single criminal group that has been named Cobalt. The criminal group has been named after the tool Cobalt Strike used by them to move from infected computers in banks networks to specialized servers that control ATM machines. Further, the report links the Cobalt group to a well-known cybercrime gang Buhtrap which is believed to be behind the cyber heist of Russian banks from August 2015 to January 2016 in which $28 million was stolen.