The scene

On the evening of July 10th 2016, the Taipei Criminal Investigation Bureau (TCIB) received its first report from a member of the public that an unattended ‘cash out’ of NT$60,000 ($2k) was carried out at an ATM belonging to the First Commercial Bank.

In a matter of hours, it was discovered that over 40 ATM machines had been robbed using malware dubbed the “ATM spitter” which exploited a major software weakness shared by several financial institutions.

The cyber-attack was traced back to a call center operating for a London branch of the First Commercial Bank. An email, purportedly from the European Central Bank, was sent using a “spearfishing” technique to gain access to the First Commercial Bank’s internal network through a third-party service provider.

Once the unsuspecting bank employee downloaded the attachment, the file discreetly exploited MS Office vulnerabilities allowing for malware to gain access and control specific functionalities throughout the infected network. In this case, ATM cash dispensers were specifically targeted.

Two middlemen (A.K.A “money mules”), were organized and sent to trigger the cash dispensers using their phones as the ATMs had already been prepared remotely by the malware. The “money mules” made off with $2.6M in cash that had spewed out of ATM machines but not before some of the members were spotted by local citizens. The cyber attackers had covered their digital tracks by internally deleting evidence files beyond recovery and removing master boot records in order to disable the bank’s internal servers.

The scope and sophistication of the crime immediately put all bank officers and local law enforcement on ‘high alert’ as an urgent search for evidence began. A national sense of panic broke out as 1000 ATM machines were frozen and multiple suspect profiles were circulated by the media.

Case Summary

The middlemen

The “money mules” were composed primarily of Europeans organized into groups of two or three after separately entering Taiwan. After securing local lodging and transportation, they disguised themselves and followed a simple sequence of instructions to extract dispensed cash from the specified ATMs.

After the robbery, each small group dropped off their collected cash at designated locations and left the country.

“This is the first time that an international team of ATM thieves has committed a crime in Taiwan,” Head of the Police’s Criminal Investigation Division, Lee Wen-Chang

“These attacks used malware to reprogram the machines so that a simple button sequence would trigger the out- put of cash.”

Craig Young, Security Researcher in the Vulnerability and Exposures Research Team at the Security Tools Firm, Tripwire

Identifying the suspects

A wide range of digital evidence was examined including data from communication networks, CCTV Images/Videos, biometrics, police reports and items found at the scenes of the crime. Using international roaming data, investigators were able to shortlist several hotels suspected of hosting the persons of interest.

22 suspects were identified by the correlation of these data points. They had come from a variety of countries including Latvia, Russia, Australia, Estonia, Romania, France, Moldova, and Belarus. After the Special Criminal Case Investigation Team discovered the identities of the suspects, arrest notifications were issued and the National Immigration Agency was informed.

The prime suspect’s journey

By analyzing both the potential locations of the suspects and entry/exit records, it was determined that the stolen funds were still in Taiwan. It was further concluded that some of the suspects had not yet left the country, so all levels of police agencies were notified to investigate. The media, in turn, released an image of one initial suspect, known as Peregudovs Andrejs from Latvia, and the nationwide search began.

During the first few days after the crime, Andrejs carried NT$20 million of the stolen cash with him, staying at different rental suites at night and traveling during the day in Taipei.

A Special Investigation Team traced Andrejs’ mobile phone communication records as well as reviewed a local taxi driver’s positive identification of him. When Andrejs had discovered his identity had been compromised, he started disguising himself and strategically hiding his tracks as he made his way to an exit point.

During Andrejs’ escape to Yilan, he avoided using his mobile phone in order to prevent police from tracing his location. Even though he continued changing his physical appearance along the way, he was eventually caught in the open without a disguise while dining at a restaurant.

The accomplice’s journey

After reviewing CCTV footage of the local Taipei station, the police identified two other suspects, Colibaba Mihail of Romania and Pencov Nicolae of Moldova. The men had been filmed carrying away two suitcases from the station’s lockers at the time the public’s attention was focused on the manhunt for Andrejs.

When they later checked into a hotel, police set up a covert monitoring operation and then moved in for the arrests. Police found more than NT$60 million ($2M) contained in their suitcases.

Discovering the criminal’s journey

Using Cellebrite Pathfinder, all seized mobile devices were accessed and analyzed. The digital forensics team discovered that two of the suspects had mutual contacts and shared GPS location logs indicating close proximity to each other at certain points of time leading up to the crime. Furthermore, the suspects had similar travel itineraries that including recent stops in Central Asia, Southeast Asia, and China, before entry into Taiwan.

Incriminating digital evidence was found on all 3 suspect’s phones including photos of large amounts of cash.

It was verified that Andrejs’ current mobile device had recently been purchased in Taipei around the time he was trying to flee the area. As his old mobile phone was also recovered, police found to contain the data records of locations where he had dropped off stolen cash bags.

Search history analysis

By analyzing Mihail and Nicolae’s keyword search records from their mobile phones, it was clear they had searched for information regarding ATMs around the world in April 2016. It was also discovered that in July 2016, before entering Taiwan, they started Taiwan-related search engine research for information such as the maximum cash amount allowed to be carried for customs declaration, the buying of Bitcoin in Taiwan and the regulations concerning the tracking of phone calls in Taiwan.

Searching Mihail’s mobile phone under the keyword “Тайване (Taiwan)”, the team found suspected money laundering conversations from his WeChat, text dialogues that occurred after the operation was exposed and urgent requests to manage the laundering of the stolen money in Taiwan. Photos of a number of passports of suspected accomplices as well as stacks of cash were also

surfaced from the digital investigation.

Sentencing

Based on the strength of physical and digital evidence, the 3 apprehended suspects were convicted in the Taipei court for their involvement in the breach of the First Commercial Bank’s computer security and are now serving 5 years each. The other 19 suspects that fled the country before the arrests are still at large on international watch lists.

In conclusion

Without UFED 4PC and Cellebrite Pathfinder, the Taipei Criminal Investigation Bureau would have spent too many days extracting data and cross-referencing the relationship between all the suspects. Investigators would have lost precious time and not gained a full understanding of the magnitude of the case in the early hours of the investigation.

According to TCIB, this case exemplified a dramatic change from the traditional way of investigation to a new digital intelligence method of analyzing large amounts of data during the critical hours of an investigation. Having these advanced Cellebrite tools, together with trained digital forensics specialists, was the key to a successful investigation.

TCIB is recognized as the leading agency in digital forensics in Taiwan and has been using Cellebrite solutions for more than 4 years now. They are regularly invited to speak to other agencies as experts on digital intelligence and advocating Cellebrite solutions.

Sources

  1. https://www.theregister.co.uk/2016/07/15/taiwan_atm_hack/
  2. https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-  hacking-spree-security-firm-idUSKBN14P0CX
  3. https://www.bbc.com/news/world-asia-38741339
  4. https://www.group-ib.com/media/group-ib-cobalts-latest-attacks-on-banks-confirms-connection- to-anunak/
  5. https://international.thenewslens.com/article/61775
  6. https://en.wikipedia.org/wiki/Group-IB

Share this post