A Brief of “First Commercial Bank ATM Heist” Investigated by MJIB

A Brief of “First Commercial Bank ATM Heist” Investigated by MJIB

Case profile:

The First Commercial Bank (FCB) reported to the Taiwan Financial Supervisory Commission (FSC) on July 11, 2016 that more than NT$83.27 million (approximately US$2.63 million) was stolen from 41 ATMs at 22 FCB branches in Taiwan.
Related evidence indicates that a total number of 22 suspects from 9 countries (Mainly in East Europe, including Latvia, Estonia, Romania, Moldova, Russia, Belorussia, France, and Australia. See the table attached.)were involved in this high-profile ATM theft. The criminal ring penetrated the FCB intranet and took control of its server remotely. On July 17, 2016, 3 suspects (as “runners”) were apprehended by Criminal Investigation Bureau in Taiwan while other 19 escaped. Based on witness reports and the suspects’ communication records, statements of confession, monitoring footage, and other evidence, a total of NT$77.48 million (approximately US$2.44 million) was recovered and confiscated. The 3 suspects, were indicted for fraud on September 13, 2016 as the Taipei District Prosecutor’s Office wrapped up the 2-month investigation into the heist. The Prosecutor’s Office charged the 3 suspects with offenses of fraudulence, offenses against the computer security based on Taiwan’s Criminal Code, who were also involved in money-laundering, and requested the court impose a 12-year term for each of them.

Execution process and modus operandi:

Execution process:

From May 2016, the criminal ring multiply hacked into FCB intranet and ATM network inserting malicious software to take control of FCB ATMs, which resulted in the alteration of bank records, and planned to steal money from FCB ATMs in Taiwan.
On July 10 and 11, 2016, the 12 scam runners (Berezovskiy Sergey et al.) approached to those targeted ATMs. They contacted the hackers overseas and successfully got the cash more than NT$83.27 million from the ATMs. Then they handed the stolen cash to other 7 suspects (Pencov Nicolae, Colibaba Mihail and Peregudovs Andrejs et al.) to hide and transfer the proceeds.

Modus Operandi:

Through computer forensic identification, the content-related evidence was gathered and analyzed. MJIB found out that an international criminal ring stole money by hacking FCB intranet and inserting malware. Modus Operandi are listed as follows:

A. Hacking the call recording server:

By checking FCB firewall log and filtering the log to outbound connection attempts, MJIB found that the call recording server at FCB London branchhad abnormal connections with an unknown Swiss IP address (IP: 95.183.53.210) on May 31, 2016.
 

B. Penetrating FCB intranet and controlling server remotely:

On May 31, 2016, a criminal ring invaded the call recording server at FCB London branch. They successfully penetrated into FCB intranet and accessed to the information excluded for FCB employees.

Then in June, they took the call recording server at FCB London branch as a relay server to invade NCR server, which would be used to update FCB ATM programs. They logged in the FCB intranet using the administrator’s account and collected the information they need.

C. Distributing, collecting ATM information and deploying the malware:

After taking over the AP server, the criminal ring multiply penetrated and opened the telnet service. From the end of June, 2016, criminal ring members deployed a few abnormal .dms files, executed 86.exe to enter Debug mode and Multi Remote Desktop services, and called cuinfo.exe to ATM hardware information uploading to NCR server by FTP several times.
The criminal ring had intent to commit ATM fraud. Besides the making, deployment, and execution of the related file packages mentioned above to collect the hardware information of the targeted FCB ATMs, they also deployed computer programs “cnginfo.exe”, “cngdisp.exe”, and “cngdisp_new.exe” on the NCR server with FTP service to assist in downloading and executing the cash dispensing program.

D. Execution:

From July 9 to July 11, 12 suspects, Berezovskiy Sergey et al., contacted the criminal ring members who used telnet service to control the call recording server at FCB London branch remotely and penetrated, manipulated the targeted FCB ATMs in Taiwan. Then they executed pre-planted computer programs “cnginfo.exe”, “cngdisp.exe”, and “cngdisp_new.exe”. Berezovskiy Sergey et al. then took and hided the dispensed cash.

E. Destroying the Evidence:

On July 11, the criminal ring inserted the data wiping utility into the call recording server at FCB London branch intending to wipe away the evidence. Then they remotely logged in on the AP server and deployed 5 abnormal file packages to the targeted FCB ATMs, which securely deleted all related records and programs.

Request for further information:

MJIB found that the call recording server at FCB London branch had abnormal connections with an unknown Swiss IP address (IP 95.183.53.210) from 22:36:15 May 31 to July 17, 2016. It’s crucial to get the registration information of this Swiss IP and its related information. Since Taiwan is not a member of Interpol and there is no official tie and no mutual legal assistance agreement between Swiss and Taiwan, MJIB will try to cooperate with other law enforcement agencies such as the National Crime Agency of Britain and FBI for further investigation.

Related news:

• http://news.pts.org.tw/article/334709
• http://money.cnn.com/2016/07/14/news/bank-atm-heist-taiwan/
• http://focustaiwan.tw/news/asoc/201607120010.aspx
• http://www.straitstimes.com/asia/east-asia/thieves-steal-3-million-in-taiwan-atm-heist-with-help-of-malware
• http://www.scmagazineuk.com/three-arrested-for-allegedly-using-malware-to-snag-18mil-from-taiwanese-atms/article/510195/
• http://focustaiwan.tw/news/asoc/201607180027.aspx
• http://www.taipeitimes.com/News/front/archives/2016/07/18/2003651260
• http://focustaiwan.tw/news/asoc/201609130006.aspx
• http://www.taipeitimes.com/News/front/archives/2016/09/14/2003655108