Hacker gangs go after the money—and the data


TALK TO BANKERS and some will tell you that when it comes to cyber-crime, they are second only to the military in terms of the strength of their defences. And yet trawl the dark Web, as Intel 471, an intelligence firm, did on behalf of The Economist in May, and it is obvious that attempts to breach those walls are commonplace. One criminal was detected trying to recruit insiders within America’s three biggest banks, JPMorgan Chase, Bank of America and Wells Fargo, offering a “seven-to-eight-figure” weekly payment to authorise fraudulent wire transfers. Another was auctioning the details of 30m accounts at Bank Mellat in Iran (a country of 83m).


Such activity represents the handiwork of a new breed of bank robber. Forget the hold-ups of yore. Today’s smartest hackers are likely to be backed by rogue states, such as North Korea and, to a lesser extent, Iran, or tolerated by countries such as Russia and China. They benefit from unprecedented resources and protection from law-enforcement agencies. As well as attempting to empty accounts, they also target data for insider trading.


As one of the first industries to offer online transactions, banks have been fending off hackers since the dawn of the internet. They spend more on cyber-security than any other sort of firm—$2,691 per employee—and manage to foil a lot of the attempted thefts. Nonetheless, since 2016, no industry has suffered more from attacks than banks (see chart).


Speaking to Congress in May, Jane Fraser, who runs Citigroup, a Wall Street giant, called hacks the biggest threat to America’s financial system. Jamie Dimon of JPMorgan Chase has said they could become “an act of war”. The result is that banks are under constant pressure to prepare for the worst. “It’s not a matter of ‘if’, it’s a matter of ‘when’,” says the head of cyber-security at a central bank. The bankers need to know the methods and motives of their enemies. What have they learned and can they remain a step ahead?


As in other industries, attempts to rob banks online generally start with “phishing”, or tricking an employee into downloading a benign-looking piece of software, known as a “Trojan”, that, once installed, creates a backdoor for other viruses to infect the company’s systems. The ruses can be elaborate. In 2019, when hackers infiltrated Redbanc, an interbank network connecting Chile’s ATM system, they faked a lengthy hiring process, complete with rounds of video interviews, just to fool one victim into downloading and running a Trojan.


Once the backdoor is installed, the hackers have numerous modi operandi. These have evolved over time. In the early to mid-2010s a popular tactic was to alter banks’ databases to inflate balances on existing accounts in order to drain them with fraudulent online transfers. Another was to steal the names and passwords of employees authorised to access SWIFT, the interbank messaging system that banks use for international transfers, in order to make fraudulent transfers to the robbers’ own bank accounts. In the world’s biggest cyber-heist, in 2016, thieves transferred funds from an account the Bangladeshi central bank held at the Federal Reserve Bank of New York to banks in the Philippines, Sri Lanka and other parts of Asia. They stole $81m.
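The balance-inflation tactic described above edits a stored balance directly, so the stored figure stops matching the opening balance plus the transactions actually posted. The following reconciliation check is an added illustration, not code from the article or from any bank: it recomputes every balance from posted transactions, reports accounts whose stored balance disagrees, and holds any pending outbound transfer that draws on such an account. All account ids, amounts and transactions are constructed.

```python
"""Reconciliation check for tampered ledger balances (added example; constructed data)."""
from collections import defaultdict
from decimal import Decimal

# Constructed sample ledger: the balance as the core banking system currently stores it.
ACCOUNTS = {
    "ACC-001": {"opening": Decimal("1200.00"), "stored": Decimal("1450.00")},
    "ACC-002": {"opening": Decimal("80.00"),   "stored": Decimal("950080.00")},  # tampered
    "ACC-003": {"opening": Decimal("0.00"),    "stored": Decimal("-25.00")},
}

# Constructed posted transactions (positive = credit, negative = debit).
TRANSACTIONS = [
    ("ACC-001", Decimal("300.00"), "salary"),
    ("ACC-001", Decimal("-50.00"), "card purchase"),
    ("ACC-003", Decimal("-25.00"), "fee"),
    # ACC-002 has no posted credits, yet its stored balance is 950,000 higher than it opened.
]


def expected_balances(accounts, transactions):
    """Recompute each balance as opening balance plus the sum of posted transactions."""
    totals = defaultdict(Decimal)
    for acct, amount, _ in transactions:
        totals[acct] += amount
    return {acct: data["opening"] + totals[acct] for acct, data in accounts.items()}


def find_tampered(accounts, transactions):
    """Return {account_id: discrepancy} for accounts whose stored balance != recomputed balance."""
    expected = expected_balances(accounts, transactions)
    return {
        acct: data["stored"] - expected[acct]
        for acct, data in accounts.items()
        if data["stored"] != expected[acct]
    }


def hold_outbound(transfers, tampered):
    """Return the pending outbound transfers that draw on a tampered account, to be held for review."""
    return [t for t in transfers if t["from"] in tampered]


if __name__ == "__main__":
    tampered = find_tampered(ACCOUNTS, TRANSACTIONS)
    print("tampered accounts:", tampered)  # {'ACC-002': Decimal('950000.00')}
    pending = [{"from": "ACC-002", "to": "EXT-BANK-9", "amount": Decimal("900000.00")},
               {"from": "ACC-001", "to": "EXT-BANK-2", "amount": Decimal("100.00")}]
    print("held transfers:", hold_outbound(pending, tampered))
```

The check deliberately uses the transaction journal rather than the balance table as its source of truth: an attacker who can edit balances can also edit a running total, but a journal that is append-only (or replicated to a separate store) gives the reconciliation something independent to compare against.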


Ransomware attacks, such as those common elsewhere in business, are on the rise. But banks are exposed in other ways, too. One example is “jackpotting”, where malware manipulates ATMs into spitting out lots of cash, accessible to fake cards, even if no funds exist. Thieves then hire packs of money mules, typically from local mafias, to stage multiple withdrawals at once. Using such methods, in 2018 criminals got away with $13.5m from India’s Cosmos Bank through 15,000 cash-machine withdrawals in just two hours.
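A cash-out of the kind described above leaves two signals in a bank’s own telemetry: a burst of withdrawals packed into a short window on a small set of machines, and dispenses that the issuer never approved. The detector below is an added example, not code from the article or from any bank; it runs a sliding-window count per ATM and separately lists withdrawals with no issuer approval. The log format, the ten-minute window, the five-withdrawal threshold and every log line are constructed.

```python
"""Burst and unapproved-dispense detection over ATM withdrawal logs (added example; constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # constructed threshold
MAX_PER_ATM = 5                  # constructed threshold: withdrawals allowed per ATM per window

# Constructed log lines: "timestamp atm_id card_id amount issuer_approved"
LOG = """\
2018-08-11T15:00:05 ATM-17 CARD-A1 10000 no
2018-08-11T15:00:40 ATM-17 CARD-A2 10000 no
2018-08-11T15:01:12 ATM-17 CARD-A3 10000 no
2018-08-11T15:01:50 ATM-17 CARD-A4 10000 no
2018-08-11T15:02:30 ATM-17 CARD-A5 10000 no
2018-08-11T15:03:02 ATM-17 CARD-A6 10000 no
2018-08-11T15:05:00 ATM-03 CARD-B1 2000 yes
2018-08-11T16:30:00 ATM-03 CARD-B2 500 yes
"""


def parse(log):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, atm, card, amount, approved = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "atm": atm, "card": card,
                       "amount": int(amount), "approved": approved == "yes"})
    return events


def burst_atms(events, window=WINDOW, limit=MAX_PER_ATM):
    """Return {atm_id: peak_count} for ATMs that exceeded `limit` withdrawals inside any `window`."""
    recent = defaultdict(deque)   # per-ATM timestamps still inside the window
    peaks = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["atm"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            peaks[ev["atm"]] = max(peaks.get(ev["atm"], 0), len(q))
    return peaks


def unapproved_cashouts(events):
    """Dispenses with no issuer approval: the 'even if no funds exist' case, one card id per event."""
    return [ev["card"] for ev in events if not ev["approved"]]


if __name__ == "__main__":
    evs = parse(LOG)
    print("burst ATMs:", burst_atms(evs))              # {'ATM-17': 6}
    print("unapproved:", unapproved_cashouts(evs))     # six CARD-A* ids
```

In production the issuer-approval field would come from the switch that routes authorisations to the issuer; a dispense with no matching authorisation is a stronger indicator than the burst count alone, since legitimate busy machines also cluster withdrawals, so the two signals are best combined rather than alerting on velocity by itself.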


Another tactic is to turn websites that banks visit regularly into poisoned “watering holes”, most infamously in 2017 when criminals successfully targeted 104 mostly financial firms in 31 countries, including seven banks in Britain and 15 in America. In this case the websites of central banks in Poland, Mexico and others were booby-trapped so that banks would download malicious files and infect themselves with malware. These could be used to spy on the banks, steal their data and ultimately make fraudulent transfers (though in most cases the intrusion appears to have been discovered before money was stolen).


Sometimes it is data, not money, that the robbers are after. The latest trick is to steal financial-market data from within banks in order to facilitate insider trading. A survey by VMware, a cyber-security firm, of 126 financial firms worldwide found that 51% saw a rise in such attacks last year. Portfolio managers in America and Britain that were recently breached saw suspicious activity whenever they were about to trade, says Tom Kellermann, the firm’s strategy boss.


The multiplicity of methods is compounded by the malevolence of those involved. Originally heists were mostly conducted by private thieves from former Soviet states. They included Carbanak, a notorious syndicate that stole over $1bn from 100 banks after 2013 (its masterminds were arrested in 2018). But since America cut North Korea out of its financial system in 2017, the hermit state has doubled down on its relationship with criminal gangs as a way of “making profit and evading sanctions”, says Michael D’Ambrosio, a top investigator in America’s secret service. Variously named Lazarus, Bluenoroff or BeagleBoyz, such state-sponsored entities have access to vastly more resources and personnel than mere criminals. Their members often live under cover in Russia and China, says Mark Arena of Intel 471. An indictment by America’s Department of Justice published in January accuses two individuals, linked to a North Korean military intelligence agency, of attempting to steal more than $1.3bn via cyber-enabled bank heists and ATM raids, as well as extorting cryptocurrency companies.


Moreover, rogue states often form joint ventures with private gangs. One of them, a Russian-speaking outfit that operates an infamous Trojan-for-hire called Trickbot, provides access to many infected computers. Some cyber experts were shocked when they found that it had been used in conjunction with North Korean malware in recent attacks.


It is not clear how much money drains out of the back door. Numbers crunched by Advisen, a consultancy, suggest banks have lost about $12bn to cybercrime since 2000, around three-quarters of which have come from data breaches. Studies suggest every hour of business interruption costs a bank $300,000 on average; a typical data breach causes losses of $6m.


But banks usually forbid staff from discussing such attacks, and the reported numbers dramatically understate the problem. Though many institutions are obliged to report serious hacks to regulators and, sometimes, customers, rules change frequently and vary across jurisdictions, meaning disclosure is haphazard.


Moreover, initial losses can be dwarfed by second-order effects. The average incident puts 27% of customers at high risk of closing down their accounts at a targeted firm, and sinks companies’share prices by 5-7% on average, says John Meyer of Cornerstone Advisors, a consultancy. A Supreme Court case in Britain this summer could make class-action lawsuits by customers affected by cyber-breaches easier, exposing banks to hundreds of millions of pounds in potential damages.


Not everything is going the criminals’ way, though. Forensic firms are doing a good job of attributing attacks to specific hacking groups, and intelligence agencies at linking Web handles to real people. Some gangs are neutralised or caught. In September the American army launched a cyber offensive that weakened TrickBot, the North Korea-backed Trojan. In January Ukrainian police, in an operation with European and American counterparts, arrested the thieves running Emotet, another botnet allegedly responsible for at least $2.5bn in theft since 2014.


Banks strive to build nimbler fortifications and hire friendly “white-hat” hackers to probe their own defences. The biggest are spending more: in June Bank of America said it would invest $1bn annually to counter mounting threats. A survey by Deloitte found that financial firms spent an average 0.48% of their revenue on cyber-security last year, up from 0.34% in 2019. Applied to the industry’s total revenue in 2020, that would make for $23bn-worth in spending in America alone.


But things may get worse because, firstly, banks’ networks are becoming costlier to secure. “We recognise that we’re never going to prevent everything,” says the cyber chief of a top American bank. “So we have to have layered defences that assume multiple defences will fail.” The multiplication of internet-connected devices, the digitalisation of banking, and remote working are offering new points of entry for attackers. Akamai, a security firm that serves eight out of the world’s top ten banks, witnessed 736m attacks against financial firms’ Web-based applications last year, a two-thirds increase from 2019. The expansion of fintech firms without consistent regulation is creating blind spots. And banks’ migration to the cloud, on paper deemed more secure, could backfire if it ends up concentrating risk on just a few platforms, says Jano Bermudes of Marsh, an insurance broker.


Secondly, the criminals have more resources—both technological and financial—at their disposal. According to security experts, defenders mainly focus on expelling intruders before they have time to loot. Yet, says one, soon hackers are likely to use artificial intelligence to shorten an attack from start to finish—the “kill chain” in the jargon. Cyber-gangs are also growing rich. Maze, one of them, announced its “retirement” in November after pocketing over $100m in ransoms in a year. Moreover, up-and-coming criminals are attempting to surf on the top tier’s success. Last autumn, hackers posing as Lazarus and Fancy Bear (an infamous Russian group) threatened over 100 financial firms with distributed denial-of-service attacks, in which “botmasters” mobilise vast networks of infected machines to flood their targets with internet traffic if they do not pay a ransom.


Such hackers can count on thriving secondary markets to monetise their loot. On ToRReZ, an eBay lookalike that The Economist recently visited via an ultra-private browser, credit-card details go for $25 a pop—or four for the price of three. For $4.99, a tutorial offers help in building phishing websites copying those of Barclays, a British bank. Purchases are paid in cryptocurrencies that can be cashed out in bank accounts opened with fake IDs (a driving licence from Tennessee costs $150, for instance). The new bank robbers are as criminally entrepreneurial as ever.

