Regional Virginia Bank Falls Victim to Coordinated $2.4M ATM Heist


The bank is also suing its insurance carrier for not covering the full extent of the damage.

A regional Virginia bank, the National Bank of Blacksburg, has lost $2.4 million in a cyber-heist that affected the STAR ATM and debit network, following a successful phishing attack that compromised the institution’s internal networks. The bank is now suing its insurance carrier for not covering the full extent of the damage.

According to an April 2018 earnings statement from National Bankshares, the parent company of the bank, National Bank’s computer system experienced two cyber-intrusions, in May of 2016 and January of 2017. In both cases, the intruders were able to penetrate an internal workstation with a phishing effort and a weaponized Microsoft Word document. From there, the attackers installed malware, and pivoted to a machine on the network that had access to the bank’s interface with the STAR network.

STAR is run by financial behemoth First Data, and allows banks across the U.S. to give their customers access to debit card and ATM transactions. So with this secondary access, the intruders were able to carry out a sweeping effort to siphon off funds.

They were able to “change customer account balances, monitor network communications, remove critical security measures such as anti-theft and anti-fraud protections [such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections], conduct keystroke tracking, and otherwise enter or change electronic data and computer programs on National Bank’s computer systems, which allowed them to illegally withdraw funds from the accounts of National Bank customers, post fake deposits and [subsequently] remove illegal transactions from customer accounts [to avoid discovery],” according to the court documents, which were obtained and posted by Brian Krebs last week.
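The sequence described in the court documents (protections stripped, withdrawals made, fake deposits posted, then the evidence removed) is the kind of pattern a bank can hunt for in its own core-banking audit trail. The following detection sketch is an added example, not code from the article, the bank, or its investigators; the event format, the 24-hour correlation window and the sample audit events are all constructed assumptions.

```python
"""Correlate core-banking audit events to flag two patterns from the heist:
(1) an ATM withdrawal after anti-fraud controls were removed on the account,
(2) an ATM withdrawal sandwiched between a posted deposit and a later deletion
of that deposit record. Event format and window are assumed, not the bank's."""
from datetime import datetime, timedelta

# Constructed sample audit trail: (timestamp, account, action, detail)
EVENTS = [
    ("2017-01-07T02:10:00", "1001", "control_removed", "daily_withdrawal_limit"),
    ("2017-01-07T02:11:00", "1001", "control_removed", "fraud_score"),
    ("2017-01-07T02:15:00", "1001", "atm_withdrawal", "2000"),
    ("2017-01-07T02:16:00", "1001", "atm_withdrawal", "2000"),
    ("2017-01-07T02:30:00", "1002", "deposit_posted", "50000"),
    ("2017-01-07T03:00:00", "1002", "atm_withdrawal", "3000"),
    ("2017-01-07T05:00:00", "1002", "transaction_deleted", "deposit"),
    ("2017-01-07T09:00:00", "1003", "atm_withdrawal", "200"),  # benign
]

WINDOW = timedelta(hours=24)  # assumed correlation window around each withdrawal


def parse(events):
    """Convert ISO timestamps to datetime so events can be ordered and compared."""
    return [(datetime.fromisoformat(t), acct, action, d) for t, acct, action, d in events]


def find_suspicious(events=EVENTS):
    """Return {account: [reasons]} for accounts matching either pattern."""
    rows = sorted(parse(events))
    flagged = {}
    for ts, acct, action, _ in rows:
        if action != "atm_withdrawal":
            continue
        prior = [r for r in rows if r[1] == acct and ts - WINDOW <= r[0] < ts]
        later = [r for r in rows if r[1] == acct and ts < r[0] <= ts + WINDOW]
        # Pattern 1: PIN / limit / fraud-score protection removed, then cash out
        if any(r[2] == "control_removed" for r in prior):
            flagged.setdefault(acct, set()).add("withdrawal after control removal")
        # Pattern 2: deposit posted, withdrawal, then the deposit record deleted
        if any(r[2] == "deposit_posted" for r in prior) and any(
            r[2] == "transaction_deleted" for r in later
        ):
            flagged.setdefault(acct, set()).add("withdrawal between posted deposit and deletion")
    return {acct: sorted(reasons) for acct, reasons in flagged.items()}


if __name__ == "__main__":
    for acct, reasons in find_suspicious().items():
        print(acct, reasons)
```

Because the attackers also purged logs, a rule like this is only as good as the audit trail it reads; the events should be shipped to a store the compromised workstation and core-banking host cannot modify.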

Ultimately, the hackers made withdrawals at hundreds of ATMs, suggesting a highly coordinated effort. National Bank hired Foregenix to investigate the 2016 incident and Verizon to handle forensics for the 2017 breach, according to the lawsuit. According to reports, both companies tracked the activity back to IP addresses located in Russia.

Neither Foregenix nor Verizon responded to Threatpost’s inquiries for further details.

“Actors who target banks are primarily financially motivated,” said Leroy Terrelonge, director of intelligence and operations at Flashpoint, in an interview. “They want a large return on their investment in gaining access to the bank and performing reconnaissance.”

The reconnaissance step was likely a key aspect of the attack, he added.

“When attackers are able to establish a presence on a network through deployment of malware or using stolen credentials, they can often remain in stealth for a period of weeks or months, and they use that time to observe the activity of normal users at the bank and perform reconnaissance of the systems, processes and procedures used,” said Terrelonge.

“They learn how to use the systems they want to target, and even observe email exchanges,” Terrelonge said. “In so doing, they learn how employees prefer to be addressed and can impersonate other employees to extract further information to help them carry out their attack.”

The attack itself can require specialized knowledge as well. Malicious actors need to understand how their activity is logged, and take steps to obfuscate, manipulate, and purge those logs. They also need to understand the interbank systems used by the bank, including the commands used to transfer funds, which tend to be pretty idiosyncratic to the platform and systems used.

“This can be achieved by a combination of computer network intrusion proficiency and observing the network they have penetrated before taking any action,” Terrelonge said. “Alternatively, when available, insiders can make an attack much more likely to be successful.”

The bank filed a claim with its insurance carrier, Everest National Insurance Company, on August 1, 2017 to cover the losses. In the lawsuit, it explained that it had two types of coverage for cyber-issues: The Computer and Electronic Crime Rider, which covers a broad swath of nefarious activity and losses up to $8 million per hack; and the Debit Card Rider, which has a $500,000 cap per incident.

Everest determined not only that National Bank’s proof-of-loss claims fell solely under the Debit Card Rider and its much lower coverage limit, but also that both incidents should be treated as one intrusion. That would limit insurance liability for the losses to a maximum of $500,000 total, leaving the bank with significant uncovered losses.

The bank then decided to “vigorously” pursue litigation against the insurance carrier, looking for the full amount of the damages. In the court documents, it explained that the intrusion had nothing to do with the theft of payment card details via card-skimming or debit-card fraud, which the bank said is what the Debit Card rider is meant to address.

“The company strongly believes they are insured for and are entitled to recover the full amount of the losses from the breaches, less the applicable deductible, and that litigation will ultimately resolve the case in its favor,” National Bankshares said in the earnings release.

In a filed response, Everest said that National Bank did not accurately frame coverage requirements in its court filing, and that “Everest lacks knowledge or information sufficient to form a belief about the truth of the allegations” laid out in the suit.

As for the bank’s internal efforts at cybersecurity in the wake of the hacks, National Bankshares president and CEO Brad Denardo issued a brief media statement: “I would like to reassure our shareholders and our customers that we take cybersecurity very seriously. We have taken the necessary steps to avoid cyber intrusions of the sort we experienced in 2016 and 2017, and we continually work to monitor and prevent future threats.”

When asked for comment, Denardo told Threatpost he would have to decline because of the ongoing litigation.

Despite Denardo’s assurances, combating the scourge of phishing is easier said than done.

“There is no indication that these networks are insecure; malicious actors gain privileged access to these networks by stealing account credentials for legitimate users or by somehow co-opting the sessions of legitimate users,” Terrelonge said. “Think of it this way: even the most secure and best defended system is vulnerable if you can trick a user of that system into providing you their username and password. This is why phishing is a particularly pernicious problem.”

The use of one-time password (OTP)-based multi-factor authentication has been touted as a way to limit the damage of phishing expeditions; however, many organizations, including some financial institutions, use older systems that are not cost-effective to replace and cannot interface with modern multi-factor authentication solutions.

“Therefore, a combination of user education and technological solutions is the best defense against phishing attacks,” Terrelonge said.

The targeting of the STAR debit and ATM network is only the latest attack on interbank and multibank infrastructure; recent months have seen heists related to the SWIFT network, including the infamous Bangladesh Central Bank robbery in 2016, and the recent incursion at Banco de Chile. In May, somewhere between $18 million and $20 million went missing during unauthorized interbank money transfers in Mexico’s central banking system.

“Malicious actors have learned that interbank networks are an effective and efficient means for spiriting stolen funds out of a bank, and transferring those funds to accounts they control in other financial institutions, typically in jurisdictions that have relatively lax know-your-customer (KYC) or anti-money laundering standards,” said Terrelonge. He added that given the opportunistic nature of malicious actors, smaller banks may represent a ripe target.

“We saw with a number of attacks that leverage the SWIFT interbank system that a number of the targets were in developing countries, presumably because the attackers believed that those targeted financial institutions likely did not have the same amount of resources to put towards cybersecurity as their counterparts in richer countries,” he explained. “Similarly, attackers may believe that smaller regional banks have fewer means at their disposal to defend attacks, and may therefore be more vulnerable to targeting.”
