EXCLUSIVE: Hackers Compromise Global Banking System at Highest Level, Investigator Reveals.
Criminals can alter banks’ most sensitive data, allowing fake money transfers and credit card fraud.
The global banking system has been compromised by cybercriminals who have demonstrated they have high-level access that gives them nearly full control to alter data and steal from banks, according to an expert who has been investigating them on the darknet private forums run by the hackers.
Ed Alexander is a cyberHUMINT (human intelligence) specialist and a subject matter expert on the darknet. Only accessible with special software, the darknet, in addition to legitimate applications, is used by criminal groups to conspire and sell illicit goods.
In a previous interview, Alexander provided Epoch Times with extensive evidence on the current global bank heist. He formerly asked to remain anonymous in order to protect his investigations, yet is now going public to expose the two groups of hackers who are behind the attacks.
The cyberattacks relate to the string of banks that were recently breached by hackers, including the $81 million stolen from the central bank of Bangladesh. Alexander has provided evidence that these banks are merely the tip of the iceberg, and that the hackers have found a vulnerability that grants them access to thousands of banks around the world and across the United States.
In the previous article, evidence provided by Alexander showed that the cyberattacks began around 2006, when hackers with the Chinese military acted under state orders to breach critical networks in Mexico. From there, the hackers were able to gain access to the computer systems of a major bank, and then into a major money transfer network to which the bank—and many other banks—are connected.
The Chinese hackers completed their assignment, and around June 2015 they sold the vulnerability they had exploited to cybercriminals on the darknet. Alexander was able to provide screenshots from posts on a darknet cybercriminal marketplace that was selling access to the Mexican financial networks.
The cybercriminals who purchased the vulnerability from the Chinese hackers are the ones currently carrying out attacks on the global banking system, and Alexander provided new evidence showing the cybercriminals have high-level access to the banking networks that they are using to alter data.
Epoch Times spoke with three experts on cybercrime (two on record, one off-record) who were able to look over some of the screenshots of the attacks, which were provided as evidence. In their expert opinions the screenshots are legitimate, and their contents support Alexander’s claims.
According to James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT), the screenshots “suggest that an attacker may be exploiting a vulnerability in the system to establish a persistent presence and exfiltrate files.”
“Unless it is patched and the attacker is removed from the system,” Scott said, “the attacker can continue to capitalize from the vulnerability or sell it to other attackers.”
ICIT is a Washington-based cybersecurity think tank focused on threats to critical infrastructure, such as the financial system.
Based on screenshots provided by Alexander, Scott speculated that the cybercriminals may be using their access to the network as a gateway to other money transfer networks or to spoof money transfer requests to additional banks, allowing the hackers to steal money.
Keith Furst, founder of Data Derivatives, a consulting firm focused on financial cybercrime, noted the screenshots show the cybercriminals as having very high-level access on the bank networks. When it comes to banks, he said, only top-level permissions can alter data such as that shown in the screenshots, due to the risk that a person could, for example, eliminate his or her debt or illegally transfer money.
“If they can change information at this level, it implies they have access to other information,” Furst said.
An Inside Look
The following are screenshots provided to Epoch Times by Alexander, which he said show cybercriminals actively accessing and altering data on networks belonging to Uniteller, a money transfer network owned by Banorte, Mexico’s third-largest bank.
He added red-colored notes on the screenshots to show that the timing of the attacks aligns with the current attacks on the global banks.
The above screenshot allegedly shows the cybercriminals stealing data from a banking network. Alexander said it shows them running a command in a remote host outside the security domain of the bank, and suggests the hackers accessed the data without having direct login credentials to the network.
The vulnerability also lets the hackers send commands to the servers remotely. “Remote code execution allowed the attackers to run any command on the system,” Alexander said. “It also facilitated upload of other malicious files, which provided greater, more permanent access.”
He noted the screenshot merely captures a single moment in the attack. He said after the hackers ran the command that displayed data shown in the screenshot, they ran another command that allowed them to tamper with the files and steal data from the system.
The above screenshot was the result of the cybercriminals trying to prove they could manipulate back-end database systems on the banking network, which allows them, according to Alexander, “to effectively change credit limits on various card types.”
By changing the limits on the credit cards, the cybercriminals would be able to steal large amounts of money through fraudulent credit card transactions.
“The important thing here is that the attackers had access to the back-end databases and could easily manipulate, change, or destroy the data records and settings of Uniteller at will,” he said.
He said the screenshot was taken on May 26, but noted the March 2 timestamp suggests the cybercriminals could have been altering the system for close to three months.
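The article describes direct manipulation of back-end database records such as card credit limits. The following is an added example, not from the article and not Uniteller's or Banorte's code, of one control a defender can put against that: the service authorised to set limits seals each row with an HMAC under a key the database host never holds, and a reconciliation job recomputes the seals and flags rows whose limit no longer matches. The table layout, field names, key and records are constructed assumptions.

```python
"""Detect out-of-band edits to credit-limit rows with a row-level HMAC seal.

Added example, not from the article. The sealing key belongs to the
card-management service (or an HSM), never to the database server, so an
account with write access to the table cannot reseal a row it has altered.
The table layout, field names, key and records are constructed assumptions.
"""
import hashlib
import hmac
import json

# Constructed value for the example; in a deployment this key is held outside
# the database host.
SEALING_KEY = b"constructed-demo-key-held-by-card-management-service"


def seal(card_id, card_type, credit_limit, version):
    """HMAC over the canonical JSON encoding of the fields that must not drift."""
    canonical = json.dumps(
        {"card_id": card_id, "card_type": card_type,
         "credit_limit": credit_limit, "version": version},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(SEALING_KEY, canonical, hashlib.sha256).hexdigest()


def make_row(card_id, card_type, credit_limit):
    """Create a freshly sealed row at version 1."""
    return {"card_id": card_id, "card_type": card_type,
            "credit_limit": credit_limit, "version": 1,
            "seal": seal(card_id, card_type, credit_limit, 1)}


def authorised_update(row, new_limit):
    """The sanctioned path: change the limit, bump the version, reseal."""
    updated = dict(row)
    updated["credit_limit"] = new_limit
    updated["version"] = row["version"] + 1
    updated["seal"] = seal(updated["card_id"], updated["card_type"],
                           new_limit, updated["version"])
    return updated


def verify_rows(rows):
    """Return the card_ids whose stored seal does not match their fields."""
    tampered = []
    for r in rows:
        expected = seal(r["card_id"], r["card_type"], r["credit_limit"], r["version"])
        if not hmac.compare_digest(expected, r["seal"]):
            tampered.append(r["card_id"])
    return tampered


# Constructed card table; identifiers are placeholders, not real card numbers.
TABLE = [
    make_row("card-0001", "gold", 5000),
    make_row("card-0002", "platinum", 20000),
    make_row("card-0003", "classic", 1500),
]


def demo():
    """One legitimate change and one direct edit that bypasses the service."""
    rows = [dict(r) for r in TABLE]
    rows[0] = authorised_update(rows[0], 7500)   # reseals: not flagged
    rows[1]["credit_limit"] = 999999             # direct UPDATE: seal now stale
    return verify_rows(rows)                     # -> ["card-0002"]


if __name__ == "__main__":
    print("tampered rows:", demo())
```

The seal only helps if the key is not reachable from the compromised host; with root on the database server, as the screenshots reportedly showed, anything stored there is available to the attacker. A row restored wholesale from an older backup (old limit, old version, old seal) still verifies, so the reconciliation job should also compare each row's version against a ledger kept outside the database.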
Alexander said the above screenshot was the result of the cybercriminals showing proof of the time, date, and level of access they had gained to the banking system.
He noted that, “Along with the date, there was a screenshot returned of the system name string (uname -a command), its IP configuration data (ifconfig command) and a copy of the local password file to that particular server (/etc/passwd).”
The above screenshot shows the cybercriminals with “root” (administrative) access to the banking server. It also shows files and directories, which the cybercriminals were allegedly modifying when the screenshot was taken.
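The proof-of-access screenshots described above contained the output of `uname -a`, `ifconfig` and a copy of `/etc/passwd`, gathered on a server the attackers had reached through remote code execution rather than an interactive login. The following added example, not from the article or any tool it names, shows the detection a defender can run for that pattern: a non-interactive service account spawning a shell and host-discovery commands. The log lines are constructed and use a simplified, auditd-like layout (an assumption, not the real auditd record format).

```python
"""Flag host-discovery commands run under a web-service identity.

Added example, not from the article. The sample lines are constructed and
use a simplified auditd-like layout (an assumption), one EXECVE per line.
"""
import re
from collections import defaultdict

# Identities that serve requests and should never run host-discovery commands.
SERVICE_ACCOUNTS = {"www-data", "tomcat", "apache", "nginx"}
# Parent processes that indicate a shell was spawned from a request handler.
WEB_WORKERS = {"php-fpm", "httpd", "nginx", "java", "tomcat"}
# Commands commonly used to prove or enumerate access after code execution.
RECON_COMMANDS = {"uname", "ifconfig", "ip", "id", "whoami", "hostname", "netstat"}
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}
READERS = {"cat", "head", "tail", "less", "more", "cp", "base64"}
SHELLS = {"sh", "bash", "dash"}

LINE_RE = re.compile(
    r'type=EXECVE ts=(?P<ts>\S+) uid=(?P<user>\S+) '
    r'ppid_comm=(?P<parent>\S+) argv="(?P<argv>[^"]*)"'
)


def parse_line(line):
    """Parse one constructed EXECVE line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["argv"] = event["argv"].split()
    return event


def classify(event):
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons = []
    if event["user"] not in SERVICE_ACCOUNTS or not event["argv"]:
        return reasons
    argv = event["argv"]
    cmd = argv[0].rsplit("/", 1)[-1]          # strip any leading path
    user = event["user"]
    if cmd in SHELLS and event["parent"] in WEB_WORKERS:
        reasons.append(f"shell spawned from web worker {event['parent']} as {user}")
    if cmd in RECON_COMMANDS:
        reasons.append(f"host-discovery command '{cmd}' run as {user}")
    if cmd in READERS:
        for arg in argv[1:]:
            if arg in SENSITIVE_FILES:
                reasons.append(f"read of {arg} as {user}")
    return reasons


def scan(lines):
    """Scan log lines; return (findings, number of findings per user)."""
    findings, per_user = [], defaultdict(int)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            per_user[event["user"]] += 1
            findings.append((event["ts"], event["user"], " ".join(event["argv"]), reasons))
    return findings, dict(per_user)


# Constructed sample: a web worker spawning a shell, then the discovery sequence
# the article describes; an administrator's interactive use is not flagged.
SAMPLE_LINES = [
    'type=EXECVE ts=2000-01-01T00:00:01Z uid=www-data ppid_comm=php-fpm argv="/bin/sh -c uname -a"',
    'type=EXECVE ts=2000-01-01T00:00:01Z uid=www-data ppid_comm=sh argv="uname -a"',
    'type=EXECVE ts=2000-01-01T00:00:03Z uid=www-data ppid_comm=sh argv="ifconfig"',
    'type=EXECVE ts=2000-01-01T00:00:05Z uid=www-data ppid_comm=sh argv="cat /etc/passwd"',
    'type=EXECVE ts=2000-01-01T00:01:00Z uid=alice ppid_comm=bash argv="uname -a"',
    'type=EXECVE ts=2000-01-01T00:02:00Z uid=www-data ppid_comm=php-fpm argv="/usr/bin/convert in.png out.jpg"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LINES)
    for ts, user, cmdline, reasons in hits:
        print(ts, user, repr(cmdline), "->", "; ".join(reasons))
    print("findings per user:", counts)
```

The rule keys on the identity and parent process rather than on the command alone, because `uname -a` typed by an administrator over SSH is routine while the same command spawned from a PHP or Java worker is not. Running the check from a log collector rather than on the host matters here: once the attacker holds root, as the screenshot reportedly showed, local logs can be edited.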
“Additionally, it is important to remember again, that the vulnerability being used here was run OUTSIDE Uniteller’s security domain,” Alexander said. “Thus, the attackers were remotely executing code on that server as they claimed.”
The above screenshot shows a directory and file structure, which Alexander said was provided by the cybercriminals to show they were able to move between directories.
The cybercriminals were interested in this particular directory, he said, since they claimed it allowed them to access a U.S. bank that Uniteller has a relationship with.
He said this screenshot was also important, since the cybercriminals had previously demonstrated “that they had full credentials to Uniteller’s systems and services and had the ability to change them at will.”
He also said that this is only a snapshot in time of a significant cybercrime that is currently in progress.
Originally published on The Epoch Times.