Revealed: Here are hacker groups looting banks in Kenya

In Summary

• Ignorant customers especially the young ones have become easy targets

• Phishing likely to go up, where hackers obtain account holders details through credit cards and banking details to commit crime

A message demanding money is seen on a monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank after Ukrainian institutions were hit by a wave of cyber attacks earlier in the day, in Kiev, Ukraine, June 27, 2017. /REUTERS

OnNet Services, a Poland-based cyber security firm which foretold the theft of Sh11 million at four Barclays Bank automated teller machines (ATMs) over the Easter holiday, has linked three local hacker communities to bank heists in Kenya.

The agency had on April 17 through a tweet warned that a hacker cartel going by the name SilentCards was targeting an institution during Easter festivities.

"We believe this threat actor is still active in different infrastructures and is planning to attack another institution this Easter by running huge transactions. By raising community awareness, we intend to minimize damage and loss to your customers," the firm said; it also published the warning on its blog two weeks ago.


OnNet Group chief technology innovator Stephanie Neringa told the Star that, despite the firm's efforts to warn as many banks as possible, the hackers still have several backdoors open across banking infrastructure.

The firm has also unearthed information about a server that was used by hackers early last year to loot Sh400 million from a local bank.

"Due to the fact the institution is not our client and has not directly or indirectly contacted us for approval to issue a statement, we can't name it, rather we can provide details of how such a heist occurred according to our research, observations and intelligence collection," the firm said.

This revelation comes at a time the banking sector is battling cyber security threats as they lose billions of shillings to these faceless thieves.

In March last year, technology firm Microsoft warned Kenya to prepare for a massive increase in cyber crime, a month after the National Bank of Kenya confirmed that fraudsters had gotten away with Sh29 million in what was suspected to be a hacking incident.

According to Microsoft's director of cloud strategy, Rudiger Dorn, cyber crime cost the global economy Sh600 trillion in 2017, double the cost of the year before, 2016.

"We are likely to see an increase in phishing, where hackers obtain account details of employees or individuals through credit cards and banking details to commit a cyber crime," Dorn said.


A CBK and Visa cyber security workshop held early this year revealed that ignorant customers and rogue bank officers collude with hackers to aid ATM cash-outs.

Bevan Smith, head of risk at Visa sub-Saharan Africa, said hackers looking for an easy way into banks' systems are having a field day using genuine cards.

"Ignorant customers, especially young ones, have become easy targets. A hacker needs a slight security blunder to loot. It is even much easier when genuine customers provide the way and are cleared by rogue employees in the financial sector," Smith said.

In July 2017, CBK introduced cyber security policy guidelines to help banks deal with cyber crimes and prepare for emerging threats.

Banks are required to compile and file annual reports with the regulator detailing how they plan to curb cyber security threats.

Last year, the regulator widened the scope to mobile money transfer networks, which are now required to notify CBK within 24 hours of any cyber security incident.

SilentCards is a home-grown cyber cartel which sprang from the Forkbombo Group, which terrorised local banks in 2016 and 2017 before being quelled by a multi-agency team of experts from the Kenya Revenue Authority, the Banking Fraud Unit and the Cyber Crime Unit.

Forkbombo was given this name because, during 2016 and 2017, the group used [email protected] to receive keylogger data after infecting a machine with a keylogger variant it wrote in-house.

This led to the arrest of some of its members including 35-year-old Calvin Otieno Ogalo, a former police officer and bank employee believed to be the gang leader.

Also arrested were two American citizens who have since been deported.

In 2016, the Cybercrime Investigations Unit said Kenya lost more than Sh17 billion to hackers, with theft of credit or debit card data, financial scams, bank salami attacks and hacking of mobile banking systems being the biggest sources of loss.

Police said the suspected cyber criminals were working with insiders and relatives of prominent politicians, and that they had formed an international ring that installed malware into systems, allowing them to take control of organisations' computers and steal hundreds of millions.

This saw the Global Threat Index rank Kenya at position 69 out of the 127 countries that are vulnerable to cybercrime.

According to OnNet, SilentCards started its robberies in late 2017, inheriting the old keylogger used by Forkbombo and refining it to collect keystroke data in a targeted environment.

"The latest code used in several banks, after reversing has the main Def as OnKeyBoardEvent() and the file is usually saved up as," OnNet said.

Investigators from OnNet observed that the hackers mostly target card-centre servers, first identifying who owns each server and then harvesting those owners' credentials.

Most organisations are said to set default passwords for new user accounts. The criminals try three common defaults, admin123, welcome1 and secret123, in an attempt to get into banks' systems.
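The defensive counterpart to the default-password problem described above is to audit the credential store for exactly those values. This is an added example, not code from the article or from OnNet: it checks a constructed set of salted password hashes (a hypothetical salted-SHA-256 scheme) against the three defaults the article names, without ever storing plaintext passwords, and reports which accounts were never changed from a default.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Sequence

# Default passwords the article says the group tries against bank systems.
DEFAULT_PASSWORDS = ("admin123", "welcome1", "secret123")


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256. Hypothetical scheme used only for this constructed sample;
    a real store would use a slow hash such as bcrypt or Argon2."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def audit_default_passwords(
    records: Iterable[dict], candidates: Sequence[str] = DEFAULT_PASSWORDS
) -> Dict[str, str]:
    """Return {username: matched_default} for every account whose stored hash
    equals the hash of one of the known default passwords under its own salt."""
    flagged: Dict[str, str] = {}
    for rec in records:
        for candidate in candidates:
            # Re-derive the hash with the account's salt and compare in
            # constant time; one match is enough to flag the account.
            if hmac.compare_digest(hash_password(candidate, rec["salt"]), rec["hash"]):
                flagged[rec["user"]] = candidate
                break
    return flagged


# Constructed sample credential store (not real accounts or data).
SAMPLE_RECORDS = [
    {"user": "card_svc",   "salt": b"s1", "hash": hash_password("admin123", b"s1")},
    {"user": "ops_jane",   "salt": b"s2", "hash": hash_password("Tr0ub4dor&3", b"s2")},
    {"user": "switch_adm", "salt": b"s3", "hash": hash_password("welcome1", b"s3")},
    {"user": "auditor",    "salt": b"s4", "hash": hash_password("secret123", b"s4")},
]

if __name__ == "__main__":
    for user, pw in audit_default_passwords(SAMPLE_RECORDS).items():
        print(f"{user}: still using default password {pw!r}; force a reset")
```

Running the same audit with the organisation's own list of provisioning defaults, rather than the three named here, gives a concrete list of accounts to reset before an attacker tries them.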

The report shows that, just like the Forkbombo group, SilentCards also targets information servers, copying and evaluating audit reports to plan future attacks.

After collecting as many credentials as they could, the hackers moved Sh400 million in batches, crediting fictitious accounts, then cashed out either through Visa/MasterCard withdrawals overseas or through mobile money transfers.

Unlike Forkbombo, which has several money mules, SilentCards relies heavily on foreigners for quick transactions outside the country.

The group is known to write Python scripts to create quick tools for the exploitation phase of an intrusion.

They are also known to use open-source tools such as Empire, Metasploit, DeathStar, BloodHound, CrackMapExec, Aesshell, XmultiShell, CHAOS and Katoolin.

It is believed that SilentCards joined with another offshoot, GrapZone, late last year to regroup as Forkbombo.
