It named them after a security-testing tool known as Cobalt Strike, which the thieves used in the heists to help them move from computers in the bank network that were infected with tainted emails to specialized servers that control ATMs. Buhtrap stole money through fraudulent wire transfers, not ATM jackpotting.
Group IB declined to name banks that were “jackpotted,” a term used to describe forcing ATMs to spit out cash, but said the victims were located in Armenia, Belarus, Bulgaria, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, Britain and Malaysia.
Even though the ATM Security Association declined to comment on Group IB's findings, the security company believes that Cobalt is linked to a well-known cybercrime group dubbed Buhtrap, which stole USD 28 million from Russian banks from August 2015 to January 2016, because the two groups use similar tools and techniques.
Members of the group, which works to improve ATM security, include ATM maker Diebold Nixdorf as well as banks ABN Amro, Bank of America Corp, Royal Bank of Scotland and Wells Fargo.
Diebold Nixdorf, a large ATM maker, said it was aware of the attacks and has been working with customers to mitigate the threat. The newly disclosed heists across Europe follow the hacking of ATMs in Taiwan and Thailand that were widely reported over the summer of 2016.