24
Jul 18

Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M

Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses.

According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email.

Photo copyright: Kerri Farley

The email allowed the intruders to install malware on the victim’s PC and to compromise a second computer at the bank that had access to the STAR Network, a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.

Armed with this access, the bank says, hackers were able to disable and alter anti-theft and anti-fraud protections, such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections.

National Bank said the first breach began Saturday, May 28, 2016 and continued through the following Monday. Normally, the bank would be open on a Monday, but that particular Monday was Memorial Day, a federal holiday in the United States. The hackers used hundreds of ATMs across North America to dispense funds from customer accounts. All told, the perpetrators stole more than $569,000 in that incident.

Following the 2016 breach, National Bank hired cybersecurity forensics firm Foregenix to investigate. The company determined the hacking tools and activity appeared to come from Russian-based Internet addresses.

In June of 2016, National Bank implemented additional security protocols, as recommended by FirstData. These protocols are known as “velocity rules” and were put in place to help the bank flag specific types of repeated transaction patterns that happen within a short period of time.

But just eight months later — in January 2017 according to the lawsuit — hackers broke in to the bank’s systems once more, again gaining access to the financial institution’s systems via a phishing email.

This time not only did the intruders regain access to the bank’s STAR Network, they also managed to compromise a workstation that had access to Navigator, which is software used by National Bank to manage credits and debits to customer accounts.

Prior to executing the second heist, the hackers used the bank’s Navigator system to fraudulently credit more than $2 million to various National Bank accounts. As with the first incident, the intruders executed their heist on a weekend. Between Jan. 7 and 9, 2017, the hackers modified or removed critical security controls and withdrew the fraudulent credits using hundreds of ATMs.

All the while, the intruders used the bank’s systems to actively monitor customer accounts from which the funds were being withdrawn. At the conclusion of the 2017 heist, the hackers used their access to delete evidence of fraudulent debits from customer accounts. The bank’s total reported loss from that breach was $1,833,984.

Verizon was hired to investigate the 2017 attack, and according to the bank Verizon’s forensics experts concluded that the tools and servers used by the hackers were of Russian origin. The lawsuit notes the company determined that it was likely the same group of attackers responsible for both intrusions. Verizon also told the bank that the malware the attackers used to gain their initial foothold at the bank in the 2017 breach was embedded in a booby-trapped Microsoft Word document.

THE LAWSUIT

In its lawsuit (PDF), National Bank says it had an insurance policy with Everest National Insurance Company for two types of coverage or “riders” to protect it against cybercrime losses. The first was a “computer and electronic crime” (C&E) rider that had a single loss limit liability of $8 million, with a $125,000 deductible.

The second was a “debit card rider” which provided coverage for losses which result directly from the use of lost, stolen or altered debit cards or counterfeit cards. That policy has a single loss limit of liability of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.

According to the lawsuit, in June 2018 Everest determined both the 2016 and 2017 breaches were covered exclusively by the debit card rider, and not the $8 million C&E rider. The insurance company said the bank could not recover lost funds under the C&E rider because of two “exclusions” in that rider which spell out circumstances under which the insurer will not provide reimbursement.

The first of those exclusions rules out coverage for any loss “resulting directly or indirectly from the use or purported use of credit, debit, charge, access, convenience, or other cards . . . (1) in obtaining credit or funds, or (2) in gaining access to automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans . . ..”

The second exclusion in the C&E rider negates coverage for “loss involving automated mechanical devices which, on behalf of the Insured, disburse Money, accept deposits, cash checks, drafts or similar Written instruments or make credit card loans . . ..”

“In its Coverage Determination, Everest further determined that the 2016 Intrusion and the 2017 Intrusion were a single event, and thus, pursuant to the Debit Card Rider, National Bank’s total coverage under the Bond was $50,000.00 for both intrusions,” the bank said in its lawsuit.

Everest National Insurance Company did not respond to requests for comment. But on July 20 it filed a response (PDF) to the bank’s claims, alleging that National Bank has not accurately characterized the terms of its coverage or fully explained the basis for Everest’s coverage decision.

Charisse Castagnoli, an adjunct professor with The John Marshall Law School, said the bank’s claim appears to be based on a legal concept known as “proximate cause,” a claim that usually includes the telltale term “but for,” as this lawsuit does throughout.

“Proximate cause tries to get at where’s the legal liability associated with the original element that caused the loss,” Castagnoli said. “Take the example of a car crash victim whose master cylinder in the vehicle ran out of fluid and as a result the driver ran a red light and hit another car. The driver at fault might make the claim in a lawsuit against the car maker ‘but for your failure to manufacture this part correctly, this accident wouldn’t have occurred.'”

In this case, Castagnoli said what the bank seems to be claiming is that the Debit Card Rider shouldn’t apply because — but for the computer hacking — the losses wouldn’t have occurred. Indeed, the bank’s lawsuit claims: “All losses related to the 2017 Intrusion were the result of and would not have been possible but for the hacking of National Bank’s Computer Systems which resulted in the entering or changing of Electronic Data and Computer Programs within the Computer Systems.”

“Therefore, even though the losses were physically sustained  through ATM extractions, the Debit Card Rider limits shouldn’t apply because that kind of a rider doesn’t contemplate the dynamic changes in credit limits, and overrides of fraud monitoring, were only possible through computer hacking to which the C&E Rider should apply,” Castagnoli explained.

The bank’s complaint against Everest notes that the financial institution doesn’t yet know for sure how the thieves involved in the 2017 breach extracted funds. In previous such schemes (known as “unlimited cashouts“), the fraudsters orchestrating the intrusion recruit armies of “money mules” — usually street criminals who are given cloned debit cards and stolen or fabricated PINs along with instructions on where and when to withdraw funds.

Castagnoli said establishing and proving these fine lines of proximate cause can be very difficult in insurance claims.

“While it is fairly easy to write a policy around data breach liability, when it comes to actual intrusions and managing intrusions, it’s a wild wild west,” she said. “The policies and definitions they use are not consistent across carriers.”

Castagnoli advises companies contemplating cyber insurance policies to closely scrutinize their policies and riders, and find an expert who can help craft a policy that is tailored for the insured.

“The serious brokers who are out there selling cyber insurance all say the same thing: Have an expert help you to write your policy,” she said. “It’s mind-numbingly complicated and we don’t have standard language in insurance policies that help insurance clients decide what policy is right for them.”

She added that although there have been a handful of cases where cyber insurance providers have denied coverage to the insured, most of those disputes have been settled out of court.

“This is a rapidly growing area and a profit center for a lot of insurance companies,” Castagnoli said. “But there is not a lot of published case law on this, and you have to wonder if something public comes out like this what it’s going to do to the reputation of the industry.”

Tags: , , , , , , , , , , ,

70 comments

  1. This isn’t a cyber insurance policy; this is a crime/fidelity polixy

    • computer and electronic crime? I think I fail to see how this is simply a criminal/fidelity case given the context and language used.

      Just like the article mentions, too many definitions.

    • computer and electronic crime? I think I fail to see how this is simply a criminal/fidelity case given the context and language used.

      Just like the article mentions, too many definitions.

    • Another case for a lawsuit like Equifax, Folks freeze your credit in all the credit agencies. Also, do not trust Life lock or similar companies, become cynical. I do not have any banking info on my computer. I go in person to the bank for transactions of any kind.

    • Exactly Matt! This is not about cyber insurance but it is being conflated as such by whoever. These types of riders have been around for decades. I can’t imagine any Insurance Agent representing that these riders were the equivalent to a stand-alone cybersecurity insurance policy. The C&E rider is not even considered a form of cyber insurance – it is meant to protect from wire fraud not spear phishing attacks. These types of riders were around way before the term cybersecurity was being tossed around – but because it has the word “computer” people get confused. Similarly the debit card rider is not a form of cyber insurance either, it is meant to protect from counterfeit/fraud – which it did up to the coverage limit. The bank needs to assess their cybersecurity posture, examine their exposures, run some risk quantification examples and apply for a proper cyber insurance policy. Given this bank’s cybersecurity awareness, posture, and prior attacks, I bet they would be looking at a hefty premium.

  2. Robert Scroggins

    Legal technicalities aside, I don’t think anything at all should be covered under the second policy. In fact, they probably shouldn’t have been issued the second policy unless/until they demonstrated how they had improved the lax security (including lack of employee education) which apparently led to the intrusion in both cases. How many times can a bank screw up and not be financially responsible for it?

    Regards,

    • @Stan, the bank is not being “bailed out.” Their having an insured loss covered. (With the limit and deductible is being argued in court.)

      AFAIK, nobody put a gun to the insurer’s head and demanded that they write this policy (and take these premiums). They took on the risk, evidently without doing their due diligence to ensure these bozos had stepped up their security game.

    • Oh, it can go on forever. Wells Fargo, which has been demonstrated to be a criminal organization that preys on its customers, still has millions of customers.

      • You are correct. Honestly, my first thought was: they’ve gotta mole,or it’s an inside droped Re: WELLS FARGO: they’ve been caught TWICE, that I know of, laundrying drug money and fined the maximum amount by law: $1,000,000. One million bucks! For ‘cleaning’ BILLIONS! No incentive to stop, obviously. And so few KNOW about those crimes. The general public still does their daily banking with that lot, all based on good marketing and a media that looks the other way. The trolley called USA”

    • Normally on the first breach, they would have installed duo factor authorization that would require the user to have a phone and a passcode sent to that phone.

    • Readership1 (previously just Reader)

      I agree.

      I’d even go further and suggest they shouldn’t be covered by either insurance policy. When one gives away the keys to the vault twice, it’s hardly a crime when the money walks away twice.

  3. The Sunshine State

    Interesting article

  4. Your systems ingesting public email should not be connected to your back-end financial network.

    • @EJ, you would be flabbergasted at just how flat and open most bank networks really are. They are like the inside of a canoe!

      • Having worked IT at a bank this is somewhat true about most banks being wide open. We did not give email to EVERY user for this exact reason. All branches actually had an internal email address, for INTERNAL communications only. Was a segregated server. Info Sec also required all users to do general Cyber Security tests, informing them to be weary of suspicious emails, and informing them of ways hackers try to fool people, such as spear phishing etc.

  5. Note to all Hackers: quit the tedious computer cybercrime business, start your own INSURANCE and indemnity business. Somebody please convert this into an Algorithm:
    1) For every high price, high coverage limit rider (the hook) in the insurance contract, insert a low-limit parallel subset of the previous (the backdoor) rider that you (the provider) will default to when claims arise from first rider. 2) Move to Cayman, open bank account; 3) sit back and collect premiums.

    What is this nonsense of slaving over assembly language hacking…..too difficult.

    • @Kiers, your comment was insanely good. Made my day!

    • That’s too complicated, just put in a clause that no claims will be paid if the intrusion was caused by human interaction: I.e. spear phishing etc.

      It just shows that the bank wants insurance for not training against what they are insuring for.

  6. Unless you read both policies with the exclusions you can not say what would be covered or not. Most of the Cyber policies ask for alot of information about current controls and or internal processes. So during a claim the information provided during the application process would be scrutinized.

  7. This illustrates a major problem with cyber insurance. You have to be very careful about the verbiage…it’s often written in such a way as to result in situations like this, where exclusions and multiple policies allow for an insurer to minimize their payout to the point where it’s significantly below the premiums they’ve received. It’s laughable to consider the 2016 and 2017 incidents a single event, given that two discrete attacks enabled them separately…but then again, the difference between $50,000 and over $2,000,000 can pay for a lot of hours of legal representation.

  8. What’s to stop a 3rd breach from occurring should the bank be let off the hook for a second time? Can they demonstrate that they have adequately improved their security posture since the first breach, which would justify a 2nd bail out? Based on the results, I’m going to assume the answer to that is: NO.

    • If you break your arm and your insurance company covers the tab, are you getting a “bailout”? The answer, of course, is “no”. In fact, you’re getting what you paid for. So is the bank.

      That said, their policy paying isn’t going to do anything to make them more secure. Of course, it may make them less insurable which will be a different sort of deterrent or “punishment”.

  9. Mr. Krebs, thank you deeply for the constant benefit of your work. It is much appreciated. Let me give back a little.

    But-for causation is the opposite of proximate or legal causation.

    If I am sober, rent a car and have a heart attack while driving and hurt someone, the rental is not the proximate cause, though it is the but-for cause.

    If I am visibly drunk and rent the car, then the renting becomes a proximate cause of what damage ensues. There must be a duty society recognizes in addition to the but-for cause.

    Anyway, keep up the good work!

    Respectfully

    Casey Frank

    • Proximate cause requires a factual finding that the harm would not have occurred but for the act and that the harm was a natural and probable consequence of the act. Rhode Island Resource Recovery Corporation v. Restivo Monacelli LLP, 2018 WL 3244388 (R.I., 2018)

    • Proximate cause requires a factual finding that the harm would not have occurred but for the act and that the harm was a natural and probable consequence of the act.

      Rhode Island Resource Recovery Corporation v. Restivo Monacelli LLP, 2018 WL 3244388 (R.I., 2018)

  10. It’s very difficult to train employees to spot these sort of things.. I’ve seen instances many times where a users email was compromised (relatively weak password) and the “bad actor” monitored the email for days if not weeks to determine who was the major players in the organization so much so to where they knew who wrote the checks and who approved it. They even knew to call the person by a nickname when they sent the fraud email. The point is that these spear phishing attacks are very difficult to spot even to a well tried IT professional’s eye – You cannot put all the emphasis back on the end user. As EJ points out Systems must be segmented in a way to prevent this but small banks and other small businesses simply do not have the manpower or financial resources to accomplish this sort of configuration… If “they” are determined enough “they” will get in – They key is mitigating it as much as possible and I guess i this case making sure your legal team fully understands the insurance policy.

  11. Bill Ashbaugh

    The baffling part of this story isn’t that the insurance company refused to honor the claim, but that crooks in the United States would remit a percentage of the ATM money to hackers in Russia. Why wouldn’t the crooks just keep it all?

    • You’re suggesting that the disposable crooks they got to actually make the withdrawals from the ATMs stateside should withhold the money from the hackers, who are more than likely working for large Russian crime syndicates?

      Really?

      That’s not a smart choice, usually.

  12. Why are the bank’s computers connected to the internet? One would hope they would use private leased lines.

    • Wouldn’t have helped.
      They needed velocity counters and firewalls that shutdown access during off hours. The connection to Star was likely an internet connection and website the bad guys could sit on over the weekend.

      • Read the case notes in the NBB suite – after the 1st intrusion, they DID implement velocity controls – Once you own the admin system that controls those, it’s still a lost cause..

  13. This is an example of a phishing problem that is NOT solved by the solution lauded in yesterdays posting, “Google: Security Keys Neutralized Employee Phishing.” Because phishing is a bigger problem than account takeovers.

    • Incorrect. Requiring a physical second factor to access the Bank’s internal applications (which is google’s beyondcorp model) would of stopped them cold in all likelihood. The crooks would of had to get physical possession of the phished users hardware token too.

      • Incorrect but only insofar as 2FA is enabled on all services.

        You apparently haven’t been inside banks or credit unions. There’s hardly anything that is 2FA inside these institutions that run on decades old software.

        Either everything is 2FA protected and you need a keyfob to access it, or anything that isn’t will suffer a similar fate like this bank.

        • Bob’s comment was that the concepts in the referenced article were faulty (beyondcorp, using mfa, etc), which was not correct. With mfa enforced on the banks applications, this would not have happened. Nobody (including me) were implying that banks actually had any systems like that in place. Few enterprises do.

  14. What’s interesting to me about this is it seems like the hack still required physical presence to pull it off. The criminals had to actually visit hundreds of ATMs over the span of a holiday weekend to withdraw the cash
    I suspect it had to have been people in on the scam because I don’t see how you could conceivably convince strangers to withdraw cash for you at that scale without raising eyebrows

  15. Appeared to come from Russia. Let that sink in. It is TRIVIALLY easy to make it look like attacks came form elsewhere..attribution is honestly nearly impossible as truly state sponsored hackers are not going to leave breadcrumbs behind for you to see where they came from.

    • That’s your opinion. In reality, the are many techniques for analyzing malware lineage. For example, the paper titled “Inferring Accurate Histories of Malware Evolution from Structural Evidence” reads:

      “We extract structural features from each variant binary executable and generate from them three different forms of evidence that one variant is a likely ancestor of another. We then combine this evidence using a truth maintenance system to create a family tree of malware variants.”

      Phylogenetic-inspired Techniques for Reverse Engineering and Detection of Malware Families.

      Large-scale malware indexing using function call graphs.

    • Central Scrutinizer

      “…truly state sponsored hackers are not going to leave breadcrumbs behind” That’s a laugh. Apparently you’re not acquainted (nor was anyone in the White House at the time of the Helsinki summit with Putin) with the contents of the Mueller indictment of the 12 Russians. That was an allegedly elite military unit that left a trail a mile wide leading right back to them.

  16. Thank you William. It could have been that 400 lb guy sitting on a bed across the street from the bank using a VPN to a Russian Federation site. Russian IPs just
    mean that at best the government will waste time and money indicting “hackers” that will never be extradited or prosecuted. Nice cover for a Yank!

    • From what I’ve seen/heard over the last 24h, it most definitely appears to be the work of an organized crime gang operating out of Russia. I’ll have more info on the origins of this attack in a follow-up post.

    • IPs are one of many possible indicators used in attribution–not the only indicator used.

  17. Navigator is a Fiserv web application. Suspect that they are a Fiserv bank. Phishing training doesn’t work. There will always be staff members who will click on things. We are tested for this every year and about 20-30% always fail. Filter macros from incoming emails. Macro enabled Word and Excel use .docm and .xlsm extensions. Block them. Block older .doc and .xls extensions which can hide macros (you’re still not using Office 2003, are you?). Use Geo IP filtering to block foreign IP addresses. Put something in front of your email servces like Symantec or Cisco Email Security cloud services… antivirus software is your last line of defense, not your first.

    • And don’t ever, ever give you users local admin rights. On a fairly locked down recent windows box, running as an unprivileged user, a Word macro attack isn’t going to be able to install very much..

      Any one with admin rights, really should know better than to be clicking on e-mail attachments. If you can’t get to that level of controls in a bank, of all places, I’m not sure I really want to trust you with money…

      We’ve gotten “phish” test rates down to under 10%, in our environment, but 10% is still a long way from zero.

      • You don’t need admin rights to cause damage to a pc. Least privileges is important, but not something that would stop the average attacker.

      • Your admin account shouldn’t have email anyway. Plus you should only use it when you need to and immediately log out of whatever box you were in as soon as you’re done. Basically and admin account should only ever be used to do things that require admin access and should only be used long enough to accomplish the required task.

        This is all human behavior stuff, however, and is therefore often completely disregarded. One thing that may help is to require the use of jump server for admin access to any system. Require 2FA to get to that box as well – at ALL times (meaning: for both remote (VPN) and local users).

  18. Users probably did not have local admin rights but the bank was unlikely using MFA.

    I wonder if they had been using KnowBe4 training. We sent out some obviously bogus trial phishing attacks and half of our users bit. This is normal for most companies.

  19. The story smells like inside job.

  20. What about their email security provider? Their current MX records show they are using Forcepoint. Has this company been used since the first breach?

    I’ve run email security since 2001 for thousands of domains and tens of thousands of email addresses and 2 things come to mind, one being the mail server was not setup correctly and the tainted email bypassed the filtering servers.

    Second, the tainted email was not caught by the Forcepoint filters, even if the sender was known and allowed on a “white list”, the attachment should have been scanned for malicious content. In addition, no attachment should be allowed through with macros, period.

    Properly setup and configured email security services technology are very strong and have multiple layers of defense, this email attachment should not have been allowed through.

    All the finger pointing won’t help unless it is found out why the email with the tainted attachment was allowed through. What endpoint services if any are being used? Give us that part of the story too.

    • I think you are spot on about the files should have never gotten in, but a day 1 is a day 1. Still it shouldn’t have. I like our posture of all mail being scanned and filtered by a service provider prior to hitting our network, then scanned again with another tool internally. I see so much blocked every day….. Very few get through with links, and we have our staff so paranoid they send things to me every day to check, and when there is a malicious link in an Email, I immediately set a block on our webfilter (since they are to new for reputation blocking usually) just incase/because other people are likely to get the same Email. It’s a battle every day.

    • From my lookups, Forcepoint flags very few IPs used for maliciousness, even URLs it seems–as compared to Symantec, Fortiguard, Sophos, or certain blocklists.

    • At my last organization, we only had HIPAA data to protect, and we had our email setup pretty closely as you described. Unworthy email never got to the inbox, if possible. We also had training for users on various security practices at least once a quarter. I can’t think of a single breach that gained anything for the attacker. In fact I think we only had one minor breach in three years; and it was handled in real time.

  21. Good article. Yep again. Had to blow my nose cleaning out the coffee from the snort.. aha, cool. But no remediation, to make sure all the traces of the infection were gone? So, was it really a second attack, or a continued attack. Ohh, mules? Okay. Russian mob, better yet, no north Koreans, or school’s out of China?
    Everyone is arguing the legalistic side, or shutting down the banks system on certain days, or firewall rules, how about endpoint tracing of the event, any ATM without a active camera recording the event should be suspect. There was a point where tfa would have been active. Tfa, with only a card present? The person. Compared photographs. A card is “supposed” to be assigned to a person that uses it. Use that information that you already have on the subject. If the camera does not work, the machine should be considered compromised. And a message sent to the holder, go to another machine.

  22. Possibly an inside job and insurer knows it. May be impossible to prove without someone flipping for evidence. I would love to see the evidence, the photos of the “mules”, etc.

    • I think you and John might be right- because it sounds like the banking software was manipulated and very quickly. Not only do they have to be able to get in, but they must have known all the security tools and software the company used well enough to hit it and run. Now it could be anyone from a current employee to a contractor, or even a vendor that knew the infrastructure that well. But its way to much work to be done in a day unless they were fully prepared. – which they were as they had the mules ready to go.

  23. Since many young and talented young skilled people live in east blocks like former soviet union and africa, they have jobs there and no money then many young skilled and talented people take money from the west countries like usa.
    Its sad that those poor countries can not give enough to young skilled guys that they have to choose criminal way to survive !

    • Just a thought. Plenty of hacking is going on worldwide. The US of A is, of course, a large target. Lots of $$$ to be had for, well, free! But we do have plenty of company.

      Probably not wise to be a hacker in Russia hacking Russian banks, Da? Unknown who this group is.

      “$1 million heist on Russian bank started with hack of branch router” Article is at:

      https://arstechnica.com/information-technology/2018/07/prolific-hacking-group-steals-almost-1-million-from-russian-bank/

      More fun can be found at: https://www.group-ib.com/blog/moneytaker

      I check my large $$$ accounts weekly so if something is missing, I will have recourse through the bank to get my money back. Never assume your bank CD or anything “bank” is is just fine and wait a month or more to get a statement. Nip it in the bud and maybe help the bank catch a hacker.

      Anyone here actually had their savings or checking accounts hacked? Brian has warned us about using our bank debit cards (I usually go into the bank to a teller) but I wonder how many folks have had their accounts hacked in some other fashion. Hacker pretending to be U and having the bank help him to your money.

      One of my banks now demands photo ID everytime I take “any” funds out of the account via a teller. They scan the bar code on the drivers license. Been told they caught one person at the branch I bank at using a fake ID.

  24. Putting 2 and 2 together I suspect the work of the MoneyTaker group? https://www.group-ib.com/media/group-ib-moneytaker/

  25. This just proves my points that cyber insurance is not the magic bullet banks think it is!

  26. Regions back has been hacked it appears on this Wednesday. Cant get your balance, “down for maint
    , cant get atm cash…..either.

    Hailing all info.

Leave a comment