It looks like a few Russian hackers have just pulled off the biggest bank heist ever.
The numbers are shocking: hundreds of millions of dollars were stolen from 100 banks in 30 countries. The exact amount is unknown at this point. On top of that, the banks could lose possibly hundreds of millions more in related costs. And it all went mostly unnoticed until sometime last year.
On Monday, Russian cybersecurity firm Kaspersky released its report painting a startling picture of a worldwide operation that infiltrated major banks and turned ATMs into cash-spewing zombies.
What did they hit?
These hackers mostly attacked banks in Russia, but they also went after financial institutions in the United States, Germany, China and Ukraine, according to Kaspersky. The company declined to name specific banks, citing ongoing client relationships.
Kaspersky managing director Christopher Doggett said researchers managed to discover as much as they did by hacking into the hackers’ computer servers.
“All of the cybercrime we’ve seen up until this point has been to a different level,” he said.
What did they get?
Hackers managed to steal the money in all sorts of creative ways, Doggett said. They managed to take $7.3 million by reprogramming a single bank’s ATMs. Another bank lost $10 million from its hacked online platform alone.
Then there’s sensitive consumer data. The hackers were also deep enough in the computer systems at banks to gain information about their customers. For instance, hackers had full access to all email accounts at several Russian banks, according to Kaspersky.
Hackers also managed to obtain the secret keys that ATMs use to make sure your PIN is valid, Kaspersky said. It’s unclear what they could do with such information.
How did they do it?
Hackers used botnets — fleets of spam-spewing slave computers — to send out wave after wave of malware-laced emails.
Bank employees who opened them inadvertently let hackers sneak into computers. The criminals eventually gained complete control of the systems using employee credentials.
With that authority, hackers opened accounts in different places and moved money around at will. Kaspersky notes that, in some cases, they used the interbank network SWIFT (Society for Worldwide Interbank Financial Telecommunication) to quickly shift funds from one place to another.
By having full access to email exchanges, hackers also became intimately familiar with banks’ anti-fraud measures. They also learned how to avoid setting off alarms.
For example, they limited theft at any single bank to $10 million to avoid triggering a full-blown analysis, Kaspersky’s report said.
Then there’s this painful realization: One bank could have avoided getting hacked in a particular way if its employees had just applied the usual Microsoft update, Doggett said.
Who is behind this
Kaspersky researchers traced this attack back to hackers in Russia, China and several spots in Eastern Europe, Doggett said. The report described them as criminals — not a nation state — and noted that they mainly targeted Russian-speaking banks with malware-laced emails in Russian.
But one Dutch Internet security firm, Fox IT, claims this attack bears all the hallmarks of a small group of Russian hackers that attacked Russian banks in a similar fashion last year. They used the same malware to break into bank computers, reprogram ATMs and hack into the payment systems at a dozen American retailers.
But Kaspersky said it’s too early to tell if both hacking groups are the same.
CNN’s Laurie Segall contributed to this report.