An examination of the incident shows things that Taiwan did well, plus areas in need of improvement.
On July 9 and 10 last summer, the ATM network of the First Commercial Bank in Taiwan was hit by a well-coordinated hack that took control of the system, forcing selected ATM machines to spew cash out to waiting bagmen. The criminals made off with over NT$83 million (US$2.5 million) in a single weekend, making this one of the biggest robberies ever in Taiwan.
“This is the first time that an international team of ATM thieves has committed a crime in Taiwan,” the head of the police’s Criminal Investigation Division, Lee Wen-chang, told the media.
As 2016 waned and investigators continued to pore over the available data, a report by international cybersecurity investigations firm Group-IB linked the hack and heist of First Bank to an international syndicate likely based in Russia or East Europe. The gang has been code-named “Cobalt” based on its use of a publicly available security testing tool, Cobalt Strike, to gain access to banks’ networks and thereby to its ATM machines.
The group has used this approach to pull off coordinated attacks enabling it to rob millions of US dollars beginning last June. Cobalt is linked to attacks on ATM networks mostly in Europe but also in Asia. Besides Taiwan, the other countries affected have included Britain, Estonia, Malaysia, the Netherlands, Poland, Russia, Spain, and Thailand.
While the attack in Taiwan was similar to Cobalt attacks around the world, in the most of the other cases the crooks got away cleanly with the loot. In Taiwan, however, within days of the robbery authorities had arrested three suspects – Peregudovs Andrejs of Latvia, Colibaba Mihail of Romania, and Pencov Nicolae of Moldova – and recovered nearly all of the stolen cash.
A bag containing NT$4.54 million (US$141,700) of the loot was found hidden in Xihu Park in Taipei’s Neihu District by a 65-year-old man surnamed Ko. Although Ko eventually handed the bag over to authorities, the fact that he had held onto it for more than 10 hours prompted the Shilin District Prosecutors Office to charge him in December with possession of stolen money. Only about NT$5 million remains missing, and the authorities assume it left the country with 19 other suspects who eluded capture.
How were Taiwanese law-enforcement authorities able to bring about such a different outcome than their peers in other attacked countries? Sharp-eyed citizens and shoddy groundwork by the money mules sent to retrieve the money were both instrumental to cracking the case. Taiwan’s vast network of security cameras was also crucial in identifying the culprits and publicizing their photos.
Another factor was the skillful investigating by police agencies and the cybercrime unit at the Ministry of Justice Investigation Bureau (MJIB). An investigator with the cybercrimes unit, who asked to remain anonymous due to the sensitivity of his position, noted that the use of powerful computers was vital to understanding the incursion and how to prevent future attacks.
Cobalt attack strategy
The importance of data security is becoming increasingly evident, as high-profile hacks – ranging from Yahoo!’s recent disclosure that up to one billion accounts had been compromised to the politically damaging revelations uncovered in the hack of the U.S. Democratic National Committee – have undermined trust in online networks.
Since attacks that target personal accounts are particularly damaging to clients’ confidence, banks have put great effort into protecting such data. The attacks perpetrated by the Cobalt gang, however, do not target bank accounts or other banking data and thereby bypassed data-security measures.
“Banks have been paying a lot of attention to account data, particularly when it comes to account transfers, but not to the physical ATM,” says the MJIB cybercrimes investigator. “In this case, the criminals compromised the network but didn’t touch the account-transfer systems, and so they were not discovered.”
On the other hand, the scam required bagmen – “money mules” – to retrieve the money from the ATMs and return it to the gang, and that exposed the enterprise to a high degree of risk on the ground. This aspect would eventually lead to the operation’s failure in Taiwan.
While Group-IB posits that a single group, Cobalt, was behind the attacks, the different phases of the heist – infiltration and control of the ATM network, followed by retrieval of the physical cash – require completely different skill sets and possibly different organizations. The cybercrimes investigator says that the MJIB inquiry revealed that control over First Bank’s ATM network would last for only a specific period of time, suggesting that the perpetrators of the robbery didn’t actually own the hack. Possibly, different organizations – hackers and more traditional mafioso – cooperated to pull off the operation.
“Hackers can do the incursion, but they can’t launder the money, while the mafia can do the money laundering but probably doesn’t have such computer skills. Each brings their own expertise,” says the MJIB investigator. “They might not ever even meet.”
Blueprint to a hack
The hack of the First Bank ATM network followed a similar pattern as other suspected Cobalt-run operations, but with its own features that demonstrate a degree of flexibility.
On July 11, investigators with the MJIB cybercrime division were called by First Bank to investigate a suspected hack. The responding investigators confiscated the affected ATMs and brought them to the new cybersecurity lab in Xindian for analysis. It was quickly discovered that the coding server of the London branch was connected to an ATM in Taiwan.
The investigators learned that the initial access to the network was gained several months earlier through a spearphishing attack against someone working in a call center handling First Bank’s London branch. Spearphishing, in which a company administrator is tricked into opening an email that purports to come from a reliable source such as a manager or official website, is increasingly common and has been one type of modus operandi used in Cobalt hacks. News reports on the hack indicate that spearphishing emails may have appeared to come from the European Central Bank or another authoritative site, and delivered attachments that could exploit MS Office vulnerability.
“If the vulnerability is successfully exploited, the malicious module will inject a payload named Beacon into memory,” wrote researchers for Group-IB. “Beacon is a part of Cobalt Strike, which is a multifunctional framework designed to perform penetration testing. The tool enables perpetrators to deliver the payload to the attacked machine and control it.”
The targeting of First Bank’s offshore subsidiary likewise highlights the fact that even if a company has strong cyber defenses, vulnerable service providers can provide access points. Although First Bank had strong cyber defenses in place on its Taiwan network, it neglected its foreign subsidiary, which – like an unlocked window in the basement of a house – gave the criminals access to its system.
Once inside, the hackers began to slowly explore this new domain, finding access points and penetrating deeper into the network. “This is just like a thief has broken into your house and can run around,” says the MJIB cybersecurity investigator. “The question they have is how to gain control over the ATM network quickly and efficiently.”
Group-IB researchers noted in their report that “after the local network and domain are successfully compromised, the attackers can use legitimate channels to remotely access the bank, for example, by connecting to terminal servers or via VPN acting as an administrator or a standard user.” Ultimately, the criminals would load the ATMs in the network with software to control the cash dispensers and wait for the planned attack.
Again, consistent with what is known about Cobalt-linked ATM heists in other countries, the final strikes happened in a short period of time, July 9-10, according to First Bank, which stated that 41 of its ATMs were made to spit out all of their cash for waiting mules to bag and remove from the country.
The hackers’ work was still not finished, however. They then commenced with evidence destruction, using a number of legitimate, open and closed source tools, including SDelete, a free tool available on the Microsoft website that deletes files beyond recovery.
“In addition, operators disable the bank’s internal servers involved in the attack using the MBRkiller malware that removes MBR (master boot record). Such a careful approach significantly complicates further investigation,” Group-IB’s researchers wrote.
The Cobalt attacks are scrupulously designed so as to not attract any attention until long after the money has been retrieved. But in Taiwan, observant citizens in Taichung witnessed two foreign men jackpotting one of the ATMs. These citizens called police, and although the robbers had fled, evidence at the scene enabled the police to identify at least one of the money mules.
Police resources were marshaled for the investigation. In the days that followed, police screened 1,500 monitors, investigated more than 30,000 mobile phone communication records; tracked down leads on vehicles rented by suspects; and examined 81 fingerprints, one palm print, and 61 pieces of hair collected from hotel rooms, baggage lockers, and other sites. Investigators tracked the foreign mobile-phone numbers of suspects through international roaming, and identified a number of hotels where they might be hiding.
Local media reports indicate that during the investigation police sent out word to underground money-laundering channels not to do business with this gang, apparently successfully denying the criminals a way to get the money off the island.
Currently, two of the three suspects in custody deny involvement with the case, while the third, Peregudovs Andrejs, has apologized for his involvement, explaining that he owed money to the Russian mafia and only agreed to act as a money mule for fear that his family might be harmed. The suspects each face up to 12 years in a Taiwanese prison for their involvement in the crime.
The hacking of the First Bank ATM network demonstrates an uncomfortable truth to Taiwan – that while the threat may be global, Taiwan’s ability to counter it remains constricted by a lack of diplomatic recognition. Nineteen suspected money mules remain at large and will likely stay free of Taiwan justice, as the island lacks extradition treaties with most of the countries in Eastern Europe where they come from, as well as participation in international police organizations such as Interpol.