Page 30 - Bloomberg Businessweek July 2018

THE HEIST ISSUE

For years police and banking-industry sleuths doubted they’d ever catch the phantoms behind Carbanak. Then, in March, the Spanish National Police arrested Ukrainian citizen Denis Katana in the Mediterranean port city of Alicante. The authorities have held him since then on suspicion of being the brains of the operation. Katana’s lawyer, Jose Esteve Villaescusa, declined to comment, and his client’s alleged confederates couldn’t be reached for comment. While Katana hasn’t been charged with a crime, Spanish detectives say financial information, emails, and other data trails show he was the architect of a conspiracy that spanned three continents. And there are signs that the Carbanak gang is far from finished.

Carbanak first surfaced in Kiev, when executives at a Ukrainian bank realized they were missing a bunch of money. Security cameras showed the lender’s ATMs dispensing cash in the predawn hours to people who didn’t bother to insert cards or punch in PINs. The bank hired the Russian cybersecurity firm Kaspersky Lab to check it out. Initially, the researchers suspected that hackers had infected the machines with malware from a handheld device. “What we found instead was something else,” says David Emm, Kaspersky’s principal security researcher.

Someone had sent emails to the bank’s employees with Microsoft Word attachments, purporting to be from suppliers such as ATM manufacturers. It was a classic spear-phishing gambit. When opened, the attachments downloaded a piece of malicious code based on Carberp, a so-called Trojan that unlocked a secret back door to the bank’s network. The malware siphoned confidential data from bank employees and relayed the information to a server the hackers controlled. Delving deeper, the Kaspersky team found that intruders were taking control of the cameras on hundreds of PCs inside the organization, capturing screenshots and recording keystrokes. Soon, the researchers learned that other banks in Russia and Ukraine had been hacked the same way.

The attackers cased their targets for months, says Kaspersky. The Carbanak crew was looking for executives with the authority to direct the flow of money between accounts, to other lenders, and to ATMs. They were also studying when and how the bank moved money around. The thieves didn’t want to do anything that would catch the eyes of security. State-backed spies use this type of reconnaissance in what’s known as an advanced persistent threat. “In those instances, the attacks are designed to steal data, not get their hands on money,” Emm says. When the time was right, the thieves used the verification codes of bank officers to create legit-looking transactions.

By the fall of 2014, the authorities realized they were dealing with something new. That October, Keith Gross, chair of the cybersecurity group for a European bank lobby, called a crash meeting with experts from Citigroup, Deutsche Bank, and other major European lenders. In a meeting room at Europol’s fortress-like headquarters in The Hague, Kaspersky researchers briefed the bank officials on what they’d found in Ukraine. “I’ve never seen anything like this before,” Troels Oerting, then the head of Europol’s Cybercrime Centre, told the group. “It’s a well-orchestrated malware attack, it’s very sophisticated, and it’s global.”

So Europol went global, too, enlisting help from law enforcement agencies in Belarus, Moldova, Romania, Spain, Taiwan, the U.S., as well as bank industry representatives. It set up a secure online clearinghouse where investigators could cross-check data and find links between the thefts, says Fernando Ruiz, head of operations in Europol’s cybercrime unit. At the heart of its operation was a lab where technicians dissected the two dozen samples of malware identified in the Carbanak thefts. By isolating unique characteristics in the code, detectives could trace where the programs came from and maybe who was using them. The work led them toward Denis Katana’s apartment in Alicante, a four-hour drive southeast of Madrid. “This is what the Spanish police used to open their investigation,” Ruiz says.

Carlos Yuste, a chief inspector in the National Police’s cybercrime center, took it from there. Yuste, a cerebral veteran detective with salt-and-pepper hair, and his chatty younger partner, Javier Sanchez, started taking a closer look at 34-year-old Katana. He used offshore servers for his computing needs—not unlawful, but unusual. More interesting, he was visited by Romanians and Moldovans linked to organized crime. Yuste ordered surveillance, but he and Sanchez labored to build a case for a wiretap or arrest.

From a distance, Katana appeared to be just another immigrant building a new life in the West. A skinny, smallish man, he shared a modest 1,100-square-foot apartment with his Ukrainian wife and young son and didn’t seem to have much of a social life. He wasn’t trying to learn Spanish, and the cops never once saw him visit San Juan Beach, the long stretch of golden sand just a few blocks away. He appeared to have a much more active life online, often toiling on his laptop until sunrise.

Slowly, Yuste and Sanchez started piecing together how they believed Katana was working on the Carbanak thefts with three other men in Ukraine and Russia. One sent the malicious emails, another was a database expert, and the third cleaned up the gang’s digital footprints, the police
“EVEN IF KATANA WAS THE MASTERMIND, HE WAS JUST ONE GUY IN A CRIME THAT SURELY MUST HAVE HAD MANY AUTHORS”