Authorities Arrest Eight in Tyupkin ATM Malware Takedown

European authorities dismantled a cybercrime ring last week responsible for a series of ATM attacks that ultimately led to “substantial [financial] losses across Europe.”

Authorities apprehended eight Romanian and Moldovan nationals in connection with the ring following a series of house searches in the two countries last week, according to Europol, which announced the news last Thursday via press release.

While a handful of groups played a role in the takedown, it was spearheaded by the Romanian National Police and the Directorate for Investigating Organised Crimes and Terrorism (DIICOT), Europol, and Eurojust.

The attackers “jackpotted” ATMs using Tyupkin, a strain of malware that allowed them to empty machines, according to the agency.

According to a separate announcement by DIICOT, the attackers actively targeted ATMs across Romania, Hungary, the Czech Republic, Spain, and Russia. Romanian authorities claim the attackers were able to siphon 200,000 euros, or roughly $217,730, from ATMs between December 2014 and October 2015.

Tyupkin surfaced in late 2014 after researchers with Kaspersky Lab discovered more than 50 machines infected with the malware. Researchers acknowledged that only ATMs from a particular manufacturer running a 32-bit version of Windows were impacted at the time, but that the malware had several variants.

In this particular campaign, attackers targeted ATMs manufactured by NCR, a conglomerate that bills itself as the “#1 provider of ATMs,” with 790,000 installed globally. Attackers were able to “jackpot” ATMs by targeting machines not inside banks that could be opened with a universal key and had CD-ROM functionality. The malware, a Trojan installed via bootable CD and launched via an executable, “ulssm.exe,” only ran on weekends and deleted itself afterwards.

Romanian authorities claim the attackers were able to make withdrawals of a fixed amount each time, and extracted 4000 lei, or $960 USD, in each operation.

In the wake of the bust, Wil van Gemert, Deputy Director of Operations at Europol’s European Cybercrime Centre (EC3), trumpeted collaboration between law enforcement agencies.

“Over the last few years we have seen a major increase in ATM attacks using malicious software. The sophisticated cybercrime aspect of these cases illustrates how offenders are constantly identifying new ways to evolve their methodologies to commit crimes. To match these new technologically savvy criminals, it is essential, as it was done in this case, that law enforcement agencies cooperate with their counterparts via Europol to share information and collaborate on transnational investigations.”

ATM hacking that goes beyond card skimmers has been a reality for going on five years now. The late Barnaby Jack, a security researcher with IOActive, notoriously brought to light vulnerabilities in some ATMs at Black Hat way back in 2010. In a demonstration, Jack was able to bypass an authentication mechanism to trigger machines to dispense all their cash.