Hackers Program Bank ATMs to Spew Cash

Share this…

After crimes in Taiwan and Thailand, the FBI warns of similar potential attacks in U.S.

Cybercriminals who once earned millions by breaking into individual online bank accounts are now targeting the banks’ own computers, with often-dramatic results.

In Taiwan and Thailand earlier this year, the criminals programmed bank ATMs to spew cash. Gang members stood in front of the machines at the appointed hour and collected millions of dollars.

Earlier this month, the Federal Bureau of Investigation warned U.S. banks of the potential for similar attacks. The FBI said in a bulletin that it is “monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector.”


The FBI bulletin cited software used by a Russian gang known as Buhtrap. Computer-security specialists say Buhtrap and other gangs honed their techniques on Russian banks, then expanded to other countries. Sometimes the hackers break into the systems that process transactions on banking payment networks; other times they have hit ATM networks directly.

In Taiwan, Taipei city police on July 10 received a report of currency lying on a First Commercial Bank ATM in the city’s Da’an Precinct. Reports of loose cash at other ATMs soon followed.

ATMs were “abnormally spitting out bills,” police said in a written statement a few days later.

By July 11, criminals had collected more than 83 million New Taiwan dollars (US$2.6 million) in cash—without using ATM cards. Twenty-two people, most from Eastern Europe, waited by ATMs to remove the money. Three suspects were later arrested and over NT$77 million recovered.

A spokeswoman for First Commercial confirmed that the bank’s ATM systems were attacked in July. Investigators now believe that the criminals broke into computers at First Commercial’s London office on May 31. Once inside the network, the criminals sent a malicious software update to the company’s 41 PC1500 ATMs, built by Wincor NixdorfAG of Germany. After testing their system on July 9, they instructed the ATMs to empty their cash-carrying cassettes the next day. Wincor Nixdorf didn’t return messages seeking comment.

The next month, the Government Savings Bank in Thailand was hit with a similar attack, according to the FBI bulletin. Government Savings Bank couldn’t be reached for comment.

The FBI said hackers broke into both the Taiwan and Thailand banks with fraudulent “phishing” emails disguised to look like messages from ATM vendors or other banks. The attacks indicate hackers’ “capability of conducting low-risk, high-impact attacks,” the FBI said.

A Taipei City police spokesman couldn’t confirm whether the Taiwan attack was linked to the Thai case but said the characteristics were similar.

The attacks mark a new technique for cybercriminals, who traditionally stole money from consumer banking accounts or hit ATMs with fraudulent cards or other tricks on a single machine. Over the past 18 months, some criminals have turned to bank networks, breaking in and then finding ways to make dozens of machines unload their cash simultaneously.

“These guys, who could have been in the past just going after consumers…are breaking into financial institutions,” said Eric Chien, technical director of Symantec Corp.’s Security Technology and Response division.

Taipei police, who worked with the FBI on the First Commercial Bank investigation, said in July that malicious software used on ATMs had led to more than $300 million in losses.

In a written statement, the FBI said it “routinely advises private industry of various cyber threat indicators observed during the course of our investigations.”

Investigators say a small corps of elite hacking groups is carrying out the attacks. “The skill level to create the malware for the actual network intrusions is a step up,” from more common ATM crimes, said Robert McArdle, a security researcher with antivirus vendorTrend Micro Inc.

Symantec’s Mr. Chien said U.S. ATMs tend to be newer and harder to attack than overseas systems, though some are “just as ill-protected.” Symantec says about one-quarter of the institutions hit with another type of Russian malware, known as Odinaff, which targets financial-transaction systems, are in the U.S.

Dmitry Volkov, head of cyberintelligence with Russian cybersecurity vendor Group-IB, has spent years tracking Russian-based groups that break into financial institutions, typically to steal money by compromising bank payment systems. During the six months ended in February 2016, the Buhtrap group launched 13 successful attacks against Russian banks, stealing more than $25 million through the nation’s bank-clearinghouse system, he said.

The computer code to carry out the attacks was released earlier this year by a disgruntled Buhtrap member, and is now being used by others, Mr. Volkov said. Since the summer, another group linked to Buhtrap, called Cobalt, has been targeting banks in Europe and Asia too, he said.