A group of cybercriminals has breached and mapped the global banking system, and in a series of attacks has so far stolen $81 million from the central bank of Bangladesh. Experts believe the attacks were done using fraudulent messages on a money transfer network connected to the banking system.
Investigations into the ongoing attacks are still underway, and related attacks on other banks are still being uncovered. Some experts are pinning the attack on hackers from North Korea, since the tools they used share similarities to the November 2014 hack of Sony Pictures Entertainment.
According to an insider with direct knowledge of the recent attacks, however, the culprit behind the digital bank robberies is much larger. The insider requested to remain anonymous due to security concerns, and was able to provide evidence to support his claims.
A screenshot provided by an insider shows the hackers having “root” administrative access to Uniteller’s systems. The insider added notations showing the timestamps.
Chinese state hackers identified the initial vulnerability, and used it to infiltrate and infect the global financial system, according to the insider. When their contract ended with the Chinese regime last year, they sold the vulnerability to cybercrime groups on a private marketplace in the darknet in an attempt to thwart detection, he said. The darknet is an alternate internet that is only accessible using specialized software. While the darknet has legitimate uses, criminal groups buy, sell, and conspire on darknet forums.
The Chinese regime runs a large network of hackers under the General Staff Department, Third Department, of its military. These hackers carry out orders from the Chinese regime, and also often run additional operations or sell data on the side for personal financial gain. Epoch Times exposed this system in a previous investigative series.
The cybercrime groups who purchased the vulnerability are allegedly those carrying out the current attacks and illegal money transfers.
“The Chinese have already gained permanent access to the target financial networks and exfiltrated all the data they wanted for the contract for their sponsor,” the insider said. “Now they have this vulnerability, they can continue to monetize, so now they’re selling it to criminal networks.”
Process of the Breach
The code used in the vulnerability pulled from multiple places, which could also mean researchers just looking at the breach from the surface may draw false conclusions. He said some of the code was developed in-house by the Chinese hackers, but they also purchased some of the code from Russian universities.
The insider said the Chinese hackers didn’t sell the vulnerability to any specific cybercrime group either. “They’ll sell one bank to one group,” he said, and noted most of the hackers carrying out the current attacks are comparatively low-skilled. “They’re not coders,” he said. “They just know how to release packages and deploy them.”
The insider was able to provide forensic data and screenshots that support the claims. The insider was also able to provide a list of targeted banks, which he noted is growing, and which includes a long list of banks and financial systems that are connected to a compromised banking partner network—including several in the United States, Latin America, and Asia.
The Chinese state hackers started their attacks on the bank networks as early as 2006, according to the insider, and began uploading malware to the bank networks in 2013.
He said the Chinese hackers also breached the money transfer network of Uniteller, which is owned by Banorte, Mexico’s third-largest bank.
“Basically, Mexico’s critical infrastructure is owned by the same APT group,” he said, using APT (advanced persistent threat) to refer to the Chinese state hackers. “They’re in everything down there,” the insider said, referring to the level of access the Chinese state hackers have gained over critical networks in Mexico.
A post on a cybercrime darknet forum offers access to Mexican government networks, stating the entry is “ideal for cyberspy.” (Screenshot provided by confidential source to Epoch Times)
A post on a cybercrime darknet forum sells access to “all information” on Mexico, noting it contains a new method to breach networks, and includes “bigs company” in the financial sector. (Screenshot provided by confidential source to Epoch Times)
A post on a cybercrime darknet forum sells access to a Mexican telecommunications service that connects 32 states. (Screenshot provided by confidential source to Epoch Times)
A post on a cybercrime darknet forum sells access to Mexico’s Federal Commission of Electricity, in this screenshot. (Screenshot provided by confidential source to Epoch Times)
It wasn’t until around June 2015 that the Chinese state hackers sold the vulnerability to cybercrime organizations, and these organizations immediately used it to begin mapping, testing, and infecting banks and financial systems.
The insider said the hackers exploited a vulnerability in the code used to build web applications named Apache Struts v2. It was vulnerable as early as 2006 and was patched in 2013. He also noted that after gaining access, the hackers have since traversed numerous additional financial networks they’re targeting.
While the Chinese state hackers sold access to the bank networks, the insider noted the hackers had been mapping and infecting the global banking system over the last eight years.
When they decided to sell the vulnerability, they did not forfeit their access to the networks. By the time they sold it, the insider said, it had already served its purpose. In other words, the Chinese state hackers still have access to the networks—and not just to a few banks, but instead most of the global banking system.
The insider speculated that the Chinese state hackers are selling the original vulnerability both for profit, and to use the cybercriminal gang as a deliberate distraction from their higher-level breaches. He went on to state this could be the early stages of a global banking crisis.
Correction: A previous version of the story said the two screenshots showing code were exploits being run. The code is displaying the security certificates of the victim Mexico-owned bank money transfer network being exfiltrated. Hackers can use the certificate to send communications through the company’s networks, which its recipients would automatically validate.