How Hackers Rob Banks: Methods and Vulnerabilities

How Do Hackers Rob Banks?

According to a study published by Positive Technologies, cybercriminals can gain access to financial applications in 58% of banks. While banks have built fairly effective barriers against external attacks, they are often unprepared to counter threats within their internal networks. Once attackers breach the perimeter—using social engineering, web application vulnerabilities, or insider help—they find themselves in an environment with security levels similar to companies in other industries.

Internal Network Vulnerabilities

With access to a bank’s internal network, Positive Technologies experts were able to reach financial applications in 58% of cases. In 25% of banks, attackers compromised nodes that control ATMs, meaning they could potentially withdraw cash using methods similar to the Cobalt group. Transferring funds to their own accounts via interbank transfer systems—targets of groups like Lazarus and MoneyTaker—was possible in 17% of banks.

Card processing systems were insufficiently protected in 17% of banks, allowing criminals to manipulate card account balances, as seen in attacks on Eastern European banks in early 2017. The Carbanak group, known for successfully attacking various banking applications, could have stolen funds from more than half of the banks tested. On average, an attacker who penetrates a bank’s internal network needs only four steps to access banking systems.

Perimeter Security and Penetration Methods

The report notes that banks’ network perimeter defenses are much stronger than those of other companies: over three years of external penetration testing, access to internal networks was achieved in 58% of systems overall, but only 22% for banks. However, this is still far from ideal, given the high financial motivation of attackers and the lack of secure code analysis during the design and development of online services in many banks.

In every penetration test, access was obtained through web application vulnerabilities; social engineering was not used. Groups like ATMitch and Lazarus have used similar methods. Remote access and management interfaces also pose significant risks, as they are often reachable by any external user. Common protocols include SSH and Telnet (found on the network perimeter of over half of banks), as well as file server access protocols (in 42% of banks).

The Human Factor: The Weakest Link

Bank employees remain the weakest link. Attackers can bypass network perimeter defenses using simple and effective phishing techniques, delivering malware into the corporate network. Phishing emails are sent to both work and personal addresses of bank staff. Nearly every criminal group—including Cobalt, Lazarus, Carbanak, Metel, and GCMAN—has used this method to breach the perimeter. On average, about 8% of bank users clicked on phishing links, and 2% opened attached files.

The study also cites examples of hacker forum ads offering insider services from bank employees. In some cases, attackers only need the privileges of staff with physical access to network outlets (such as cleaners or security guards). Another initial infection method is hacking third-party companies with weaker security and infecting websites frequently visited by target bank employees, as seen with Lazarus and Lurk.

Escalating Privileges and Moving Laterally

Once inside a bank’s local network, criminals aim to gain local administrator privileges on employee computers and servers to further their attack. Typical attack vectors exploit two main weaknesses: poor password policies and inadequate protection against password recovery from OS memory.

While weak passwords are found on the network perimeter in nearly half of banks, every internal system tested suffered from poor password policies. About half of the systems had weak user-set passwords, but even more common were default accounts left by administrators during the installation of databases, web servers, operating systems, or when creating service accounts. In a quarter of banks, the password “P@ssw0rd” was used; other common passwords included “admin,” combinations like “Qwerty123,” blank passwords, and standard ones such as “sa” or “postgres.”
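As an added illustration of the password findings above (not code from the report or this article), a small Python audit that flags the patterns described: blank passwords, passwords equal to the account name such as sa/postgres, leet-speak variants of dictionary words like P@ssw0rd, and keyboard walks like Qwerty123. The account inventory, the 8-character minimum and the extra word-list entries are constructed assumptions.

```python
import re
# Default accounts and common passwords named in the article; "password" and
# "123456" are added here as assumptions of this example.
DEFAULT_ACCOUNTS = {"sa", "postgres", "admin"}
COMMON_PASSWORDS = {"password", "admin", "qwerty", "qwerty123", "123456"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 8  # assumed policy threshold, not a figure from the report
# Common substitutions, so "P@ssw0rd" is matched as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "4": "a", "5": "s", "7": "t"})

def normalize(password: str) -> str:
    """Lowercase and undo leet-speak so substituted variants hit the word list."""
    return password.lower().translate(LEET)

def is_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True when the alphabetic core is a run of adjacent keys, e.g. 'Qwerty123'."""
    core = re.sub(r"[^a-z]", "", password.lower())
    return len(core) >= min_run and any(core in row for row in KEYBOARD_ROWS)

def audit_credential(username: str, password: str) -> list:
    """Return the policy violations for one account; an empty list means it passes."""
    user, norm, findings = username.lower(), normalize(password), []
    if password == "":
        findings.append("blank password")
    elif norm == user:
        findings.append("password equals account name")
    elif norm in COMMON_PASSWORDS:
        findings.append("common password (after leet normalization)")
    elif is_keyboard_walk(password):
        findings.append("keyboard walk")
    if password and len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if user in DEFAULT_ACCOUNTS and findings:
        findings.append("default account still using an install-time credential")
    return findings

def audit(inventory: dict) -> dict:
    """Map each failing account to its violations; clean accounts are omitted."""
    return {u: f for u, p in inventory.items() if (f := audit_credential(u, p))}

# Constructed inventory for the demonstration; not data from the report.
SAMPLE_ACCOUNTS = {
    "dbadmin": "P@ssw0rd",
    "sa": "sa",
    "postgres": "postgres",
    "svc_backup": "",
    "jsmith": "Qwerty123",
    "auditor": "c0rrect-horse-battery-staple",
}
```

Running `audit(SAMPLE_ACCOUNTS)` flags every account except `auditor`; in practice the inventory would come from a directory or database export rather than a literal.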

Inside the network, attackers move freely and undetected using known vulnerabilities and legitimate software that doesn’t raise suspicion among administrators. Exploiting weaknesses in corporate network security, criminals can quickly gain full control over a bank’s entire infrastructure.

How to Protect Against Bank Cyberattacks

“It’s important to understand that an attacker cannot achieve their goal and steal money if the attack is detected and stopped in time, which is possible at any stage if proper security measures are in place,” says Ekaterina Kilyusheva, an analyst at Positive Technologies. “Email attachments should be checked in isolated environments, not relying solely on antivirus solutions installed on user workstations. It’s crucial to receive timely alerts from security systems and respond immediately through continuous security event monitoring by internal or external SOC teams, as well as SIEM solutions, which can significantly improve the efficiency of incident response.”