# Carbanak

en.wikipedia.org/wiki/Carbanak
Contributors to Wikimedia projects

**Carbanak** is an [APT](https://en.wikipedia.org/wiki/Advanced_Persistent_Threat)-style campaign targeting (but not limited to) financial institutions,[1] that was discovered in 2014[2] by the Russian [cyber security](https://en.wikipedia.org/wiki/Cyber_security) company Kaspersky Lab.[3] It utilizes [malware](https://en.wikipedia.org/wiki/Malware) that is introduced into systems running Microsoft Windows[4] using [phishing](https://en.wikipedia.org/wiki/Phishing) emails,[3][5] which is then used to steal money from banks. The [hacker](https://en.wikipedia.org/wiki/Hacker) group is said to have stolen over 900 million dollars, from the banks as well as from over a thousand private customers.

The criminals were able to manipulate their access to the respective banking networks in order to steal the money in a variety of ways. In some instances, [ATMs](https://en.wikipedia.org/wiki/Automated_teller_machine) were instructed to dispense cash without anyone having to interact with the terminal locally. [Money mules](https://en.wikipedia.org/wiki/Money_mule) would collect the money and transfer it over the [SWIFT](https://en.wikipedia.org/wiki/Society_for_Worldwide_Interbank_Financial_Telecommunication) network to the criminals' accounts, Kaspersky said. The Carbanak group went so far as to alter [databases](https://en.wikipedia.org/wiki/Database) and pump up balances on existing accounts, pocketing the difference unbeknownst to the user, whose original balance remained intact.[6]

Their intended targets were primarily in Russia, followed by the United States, Germany, China and Ukraine, according to Kaspersky Lab. One bank lost $7.3 million when its ATMs were programmed to spew cash at certain times that [henchmen](https://en.wikipedia.org/wiki/Henchmen) would then collect, while a separate firm had $10 million taken via its online platform.
Kaspersky Lab is assisting in investigations and countermeasures that disrupt [malware](https://en.wikipedia.org/wiki/Malware) operations and cybercriminal activity. During the investigations they provide technical expertise such as analyzing infection vectors, malicious programs, supporting command and control infrastructure and exploitation methods.[7]

[FireEye](https://en.wikipedia.org/wiki/FireEye) published research tracking further activities, referring to the group as FIN7, including an SEC-themed [spear phishing](https://en.wikipedia.org/wiki/Spear_phishing) campaign.[8] [Proofpoint](https://en.wikipedia.org/wiki/Proofpoint,_Inc.) also published research linking the group to the Bateleur [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing)), and expanded the list of targets to U.S.-based chain restaurants, hospitality organizations, retailers, merchant services, suppliers and others beyond their initial financial services focus.[9]

On 26 October 2020, [PRODAFT](https://en.wikipedia.org/wiki/PRODAFT) (Switzerland) started publishing internal details of the Fin7/Carbanak group and the tools they use during their operations.[10] The published information is claimed to originate from a single OPSEC failure on the threat actor's side.[11]

On March 26, 2018, [Europol](https://en.wikipedia.org/wiki/Europol) claimed to have arrested the "mastermind" of the Carbanak and associated Cobalt or Cobalt Strike group in [Alicante](https://en.wikipedia.org/wiki/Alicante), Spain, in an investigation led by the Spanish National Police with the cooperation of law enforcement in multiple countries as well as private [cybersecurity](https://en.wikipedia.org/wiki/Cybersecurity) companies. The group's campaigns appear to have continued, however, with the [Hudson's Bay Company](https://en.wikipedia.org/wiki/Hudson%27s_Bay_Company) breach using point of sale malware in 2018 being attributed to the group.[12]

## Controversy

Some controversy exists around the Carbanak attacks, as they were seemingly described several months earlier in a report by the Internet security companies [Group-IB](https://en.wikipedia.org/w/index.php?title=Group-IB&action=edit&redlink=1) (Russia) and Fox-IT (The Netherlands) that dubbed the attack Anunak.[13] The Anunak report also shows a greatly reduced amount of financial losses, and according to a statement issued by Fox-IT after the release of [The New York Times](https://en.wikipedia.org/wiki/The_New_York_Times) article, the compromise of banks outside Russia did not match their research.[14] In an interview conducted by the Russian newspaper _[Kommersant](https://en.wikipedia.org/wiki/Kommersant)_, the controversy between the claims of Kaspersky Lab and Group-IB also came to light: Group-IB claims that no banks outside of Russia and Ukraine were hit, and that the activity outside of that region was focused on [Point of Sale](https://en.wikipedia.org/wiki/Point_of_Sale) systems.[15]

[Reuters](https://en.wikipedia.org/wiki/Reuters) issued a statement referencing a Private Industry Notification issued by the FBI and the [USSS](https://en.wikipedia.org/wiki/United_States_Secret_Service) (United States Secret Service) claiming they have not received any reports that Carbanak has affected the financial sector.[16] Two representative groups of the US banking industry, [FS-ISAC](https://en.wikipedia.org/wiki/Financial_Services_Information_Sharing_and_Analysis_Center) and the ABA (American Bankers Association), said in an interview with _Bank Technology News_ that no US banks have been affected.[17]

## References
1. Kaspersky Labs' Global Research & Analysis Team (GReAT) (February 16, 2015). ["The Great Bank Robbery: the Carbanak APT"](https://web.archive.org/web/20150217133401/https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/). Securelist. Archived from the original on February 17, 2015.
2. ["Carbanak_APT Analysis"](https://web.archive.org/web/20170319112435/https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf) (PDF). Kaspersky. Archived from [the original](https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf) (PDF) on 19 March 2017. Retrieved 12 June 2017.
3. David E. Sanger and Nicole Perlroth (14 February 2015). "Bank Hackers Steal Millions via Malware". The New York Times.
4. Fingas, Jon (February 14, 2015). ["Subtle malware lets hackers swipe over $300 million from banks"](https://www.engadget.com/2015/02/14/carbanak-malware-attacks-banks/). Engadget. Archived from the original on February 15, 2015.
5. ["Carbanak Ring Steals $1 Billion from Banks"](https://threatpost.com/carbanak-ring-steals-1-billion-from-banks/111054/). Threatpost. 15 February 2015.
6. ["The Great Bank Robbery: the Carbanak APT"](https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/). Securelist. 16 February 2015.
7. [entry not present on the page]
8. ["FIN7 Evolution and the Phishing LNK"](https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html). FireEye.
9. ["FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor"](https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor). Proofpoint. July 31, 2017.
10. ["OpBlueRaven: Unveiling Fin7/Carbanak - Part I : Tirion"](https://www.prodaft.com/blog/detail/opblueraven-unveiling-fin7carbanak-part-i-tirion). Prodaft.com.
11. [entry not present on the page]
12. Newman, Lily Hay. "The Billion-Dollar Hacking Group Behind a String of Big Breaches". Wired.
13. [Anunak APT against Financial institutions](https://web.archive.org/web/20150322135551/https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf) (PDF). Fox-IT. 22 December 2014. Archived from [the original](https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf) (PDF) on 22 March 2015. Retrieved 4 March 2015.
14. ["Anunak aka Carbanak update"](https://www.fox-it.com/en/press-releases/anunak-aka-carbanak-update/). Fox-IT. 16 February 2015.
15. ["Group-IB and Kaspersky have conflicting views"](http://kommersant.ru/doc/2664735). Kommersant. 23 February 2015.
16. ["FBI, Secret service, no signs of Carbanak"](https://www.reuters.com/article/cybersecurity-banks-idUSL1N0VS2B820150218). Reuters. 18 February 2015. Archived from the original on 24 September 2015. Retrieved 30 June 2017.
17. ["Carbanak overhyped, no US banks hit"](http://www.americanbanker.com/news/bank-technology/carbanak-cybersecurity-threat-is-overhyped-banking-groups-say-1072809-1.html). BankTechnologyNews. 19 February 2015.

[Retrieved from "https://en.wikipedia.org/w/index.php?title=Carbanak&oldid=1052356275"](https://en.wikipedia.org/w/index.php?title=Carbanak&oldid=1052356275)