How a bank got hacked

Robbing a bank is easier than you might think, especially if you don’t care which bank you rob, according to a “how to rob a bank” manifesto by the apparently vigilante hacker Phineas Phisher. The PwC incident response report, which Phineas Phisher leaked, backs up that claim. The report details the intrusion to management at the robbed bank, Cayman National Bank (Isle of Man) Limited (CNBIOM) and its sister company, Cayman National Trust Company (Isle of Man) Limited (CNTIOM).

(PwC declined to comment on the Cayman National breach or the leaked report, which indicates that fraudulent transactions cleared. In a press release, Cayman National acknowledged the attack, claiming, “At this time, there is no evidence of financial theft or fraud relating to CNBIOM or CNTIOM clients, or to Cayman National.” It made no reference to a financial loss by the bank itself.)

Reviewing the methods Phineas Phisher used offers insight into how vulnerable our financial infrastructure is to attackers and provides a glimpse into how a modestly skilled individual, or group of individuals, got away with a bank heist.

Who is Phineas Phisher?

Phineas Phisher, who has previously claimed responsibility for hacking the notorious cyber-mercenary groups Gamma Group and Hacking Team, claims to be a private individual whose stated goals are anti-capitalist, anti-imperialist, and anti-surveillance. Some suspect Phineas Phisher is a nation-state sponsored hacking group, but there is no way to know.

The hacking tools used in the 2016 bank heist were off-the-shelf penetration testing tools like PowerShell and Mimikatz. This means that if Phineas Phisher can do it, any number of modestly skilled attackers could as well. This makes the Cayman National attack a case study in how not to secure your networks (or how to rob a bank, depending on your point of view).

Let’s break out how the heist went down.

Gaining a foothold

“As the old saying goes,” Phineas Phisher wrote (in Spanish) in his how-to-rob-a-bank guide, “Give a person an exploit and they’ll have access for a day, teach them to phish and they’ll have access the rest of their lives.”

The PwC incident response report confirms that the bank got phished. According to PwC’s report, the bank robber sent a phishing email with the subject “Price Changes” from the spoofed email account “csdeployment@swift.com” to a bank employee on August, 2015, from the typo-squatting domain “cncim . com.” “This domain was registered on the 27th July 2015. It is highly likely that this domain was registered specifically for this attack,” the PwC report said.

The phishing exploit used was garden variety crimeware, according to the PwC report. “Analysis of the malware attached to the email shows that it is Adwind³, a piece of malware that can purchase [sic] online by hackers. Due to the timeframe involved we are unable to determine if this malware is directly related to the recent incident. However, it would appear that this malicious email may be specifically designed and targeted to compromise CNBT [Cayman National Bank and Trust].”

The attached payload was named “1_Price_Updates_098123876_docs.jar,” and when the CNBT employee clicked on the attachment, it infected the employee’s workstation and gave the would-be bank robber a foothold on the bank’s network.

A 2016 Checkpoint research report on the Adwind³ RAT said that it is “a backdoor fully implemented in Java and therefore cross-platform. It is a highly popular tool used in both massive spam campaigns and targeted attacks against financial institutions worldwide. In all versions (Frutas, Adwind, AlienSpy, UNRECOM and JSocket), it has been available for purchase based on registration on an official website – a concept known as malware-as-a-service.”

However, Phineas Phisher tells CSO that the phisher is someone else. “That wasn’t me, and it’s interesting that someone else was randomly targeting the same bank around the same time. It would suggest that bank hacking is widespread.I got in through the same Sonicwall SSL/VPN exploit I used against Hacking Team, not by phishing.”

Phineas Phisher admits to CSO via email to using Empire and Meterpreter, but not Adwind³. “[PwC says] Adwind was used by the phishing attempt. Yes, I was just using the Metasploit framework. I was just using Empire [RAT]. I didn’t use Adwind, and maintained persistence with PowerShell Empire.” 

When the bank discovered unauthorized SWIFT transactions in January 2016, they called in PwC to do incident response. PwC found Phineas Phisher’s shells, cleaned the infected servers and workstations, and installed their proprietary network monitoring solution, SonarShock, to analyze the bank’s network for continued signs of malicious activity.

So how did Phineas Phisher gain access to the incident response report? “When PwC started to investigate the hack, they found my use of Empire and Meterpreter and cleaned those computers and blocked those IPs, but they did not find my backup access,” Phineas Phisher wrote. When PwC started monitoring the networks, the bank robber laid low for a while. “I launched Mimikatz one time to obtain the new passwords, and from then on I could follow the investigation by reading their emails in Outlook web access.”

Mimikatz ain’t exactly rocket science, people. A sophisticated attack this was not, a fact that will surely give banks cause for concern, as well as encourage other bank robbers.

Persistence and getaway

Rewind to August 2015. Once Phineas Phisher got a foothold in the bank’s network, he dropped a reverse shell to maintain persistence, then used a variety of penetration testing tools to watch bank employees making SWIFT payments. He also took the time to read bank documentation on how the bank handles outgoing SWIFT transactions.

Phineas Phisher was in the bank’s networks for five months, without being discovered, before initiating the first of ten attempted SWIFT transactions that netted several hundred thousand pounds sterling — far less, it must be noted, than the $81 million North Korean hackers stole from a Bangladeshi bank in early 2016. After the first few successful transactions on January 5, 2016, he ran into trouble the next day and botched several transactions that used the wrong SWIFT code to address an intermediary bank, Phineas Phisher wrote. 

Why was this bank a target? Phineas Phisher scanned the internet for all the vulnerable VPN appliances he had an exploit for, grepped through the reverse DNS results for banks, and decided “Cayman” sounded like fun. “I didn’t propose to hack a specific bank,” the how-to guide says, “I just wanted to hack whatever bank I could, which turned out to be a much easier task.”

Maybe your bank is next.