A Look at Operation ‘DarkVishnya’, The Digital Bank Robbery

Bank robberies are going digital as well, as Kaspersky Labs has revealed the modus operandi dubbed ‘DarkVishnya’, with threat actors using real digital devices covertly attached to banks’ computers to accomplish it. These digital devices can be a small single-board computer such as a Raspberry Pi or a USB device with soldered microcontroller chip, both of which programmed to issue fund transfer commands to the very bank computer it is attached to. This digital bank robbery fully made the traditional physical robbing of banks a thing of the past, and it only requires cheap investment like a hardware device to take over banks’ computers.

“Over the past year and a half, we’ve been observing a completely new type of attacks on banks, quite sophisticated and complex in terms of detection. The entry point to the corporate network remained unknown for a long time since it could be located in any office in any region. These unknown devices, smuggled in and hidden by intruders, could not be found remotely. Additionally, the threat actor used legitimate utilities, which complicated the incident response even more. DarkVishnya is a series of attacks on financial institutions, and what they all have in common is the use of a physical device that is connected to the local network and later scanned in order to access resources. These cases are rare, yet similar attacks with no visible connection to DarkVishnya incidents have previously been seen in other regions, including Latin America,” explained Sergey Golovanov, Security Researcher for Kaspersky Labs.

Taking advantage of miniaturized computing devices that have LTE modem, the peripherals can be remotely controlled by the threat actors and able to penetrate the banks’ local networks as a USB-device or a network device receiving an IP from the internal network. The device is loaded with remote access trojans, which creates an opening in the network segment where the host computer is a member. Powershell, the improved command line and scripting engine built-in with new versions of Windows has been the key to issue high permission commands through the covertly attached device which is otherwise not available.

“Judging from the fact that a physical device was, in each case, brought inside the building and connected to the bank equipment, we can suggest that it was one of the visitors to each financial institution. To overcome the firewall restrictions, they planted shellcodes with local TCP servers. If the firewall blocked access from one segment of the network to another rundown but allowed a reverse connection, the attackers used a different payload to build tunnels. Local security services should figure out the identity of this person or persons. As a cybersecurity provider, our job was done once we had made sure that the institutions were protected and the threats eliminated,” added Golovanov.

Network and system administrators need to be alert every time someone visits the office. Ethernet connection in the walls and floors and open USB ports in the computers within the reach of a visitor can be the target areas. These can be used to attach a loaded Raspberry Pi or a specially made USB device with enough logic to connect to the network or USB hub. Cybercriminals are betting on the possibility that in a large company such as banks, a small device covertly attached to an open USB or Ethernet port takes a while to be detected.