Anunak (aka Carbanak) Update

In December 2014, Fox-IT in collaboration with Group-IB reported about Anunak, the APT-like criminal group with…

Anunak (aka Carbanak) Update

In December 2014, Fox-IT in collaboration with Group-IB reported about Anunak, the APT-like criminal group with ties to the Carberp group from some years ago. Their attack types include previously unseen direct attacks to Russian bank ATM’s and core financial systems of banks, while focusing on POS malware and credit card counterfeiting in the rest of the world, with their main focus on US retail.

Recently there have been reports about the “Carbanak” criminal group. Many observant individuals asked us about the apparent similarity between Anunak and Carbanak. While the Carbanak report has not yet been disclosed as of yet, for the sake of clarity we would like to answer the most frequent questions we’re getting about Anunak.

Ronald Prins, Fox-IT founder and CTO, says: “Our InTELL team continues to tirelessly monitor these criminal activities. We decided to provide clarity to our customers and followers on this issue. Anunak in itself is bad enough.”

Below is a list of the most frequently asked questions we have received regarding Anunak/Carbanak:

Q: Does Anunak have ties with Carbanak?
A: Yes, basically Anunak is the name the malware author gave to the main malware used in these attacks. Carbanak is the name the AV industry gave to this malware, which is a combination of the words “Anunak” and “Carberp”, as the Anunak malware has used code from Carberp.

Q: Why are the numbers different in the Carbanak reports? Damages and losses are much higher in those reports.
A: In our report we have only mentioned the direct losses we could verify at that time related to banks in Russia. With credit card track data thefts and the loss rates used by banks for counterfeit credit cards, one can make estimates of losses that would be higher, but it would remain an estimate. Our previous reported loss number excluded losses due to IP theft and damages due to downtime and cleanup too, which are both even harder to make estimates on. Hence the conservative loss number reported by us back in December. Additionally the reports on Carbanak show a different picture, where banks targeted outside of Russia, specifically Europe, USA and Japan are mentioned, which does not match our research.

Q: What happened since your report in December with the Anunak group?
A: Since early December, the group has decreased their activities and might now have even stopped entirely. The exact reason for their break remains unclear, but was already prior to the report Group-IB and Fox-IT released. We have seen several activities which might be somewhat related and we’re investigating these.

Q: Is there anything to worry about?
A: Apart from our initial warning, that the developments by Anunak mark a new step in cybercrime, we don’t have evidence that the group is currently very active, but they might start at any time they want. Another option is that they have started again and we simply have not received any reports and evidence of their new activity.

Q: How about the targets outside of Russia, especially Japan, US and Europe?
A: Without any insight into the evidence Kaspersky has obtained, we can only repeat our view that Anunak has targeted only banks in Russia and we have no concrete reports of compromised banks outside of Russia directly related to this criminal group. The compromises outside Russia related to retail compromises with the goal of obtaining credit card data to create counterfeit credit cards.

Press contacts:

For more information please contact Eward Driehuis or Joost Bijl, email:, tel: +31 (0)15 284 79 99.

Now at Fox-IT

Contact us

+31 (0) 15 284 79 99