A hacker group codenamed Carbanak has stolen over $1bn from 100 banks in more than 30 regions, according to research from Kaspersky Lab.
The security firm revealed the campaign in a report seen by V3. Carbanak has been active since late 2013 and primarily targets banks in Russia, the US, Germany, China and Ukraine.
Kaspersky has also seen evidence that the operation is expanding to target European institutions.
Carbanak has the hallmarks of an advanced persistent threat (APT) and initially targets victims with spear phishing emails designed to look like legitimate banking communications.
The messages contain malicious Microsoft Word and Control Panel Applet attachments that exploit flaws in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761) to execute the Carbanak backdoor.
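The two attachment types named above (Control Panel Applets and Office documents dressed up as bank correspondence) are cheap to flag at the mail gateway, whatever the underlying exploit. The following triage filter is an added example, not code from the V3 article or from Kaspersky's report: it runs over a few constructed mail-gateway log lines and reports messages that carry a .cpl attachment, or a legacy Office document from an external sender with a bank-themed subject line. The log format, the internal domain `examplebank.test` and the subject-line heuristic are all assumptions made for the example.

```python
"""Added example (not from the V3 article or Kaspersky's report): a mail-gateway
triage filter for the attachment types the article names as Carbanak's entry
vector. Log format, domains and the subject heuristic are assumptions."""

import re
from dataclasses import dataclass

# Attachment types the article associates with the spear-phishing lure.
CPL_EXT = {".cpl"}                                   # Control Panel Applet
LEGACY_OFFICE_EXT = {".doc", ".rtf", ".xls", ".ppt"}  # Office 2003/2007/2010-era formats

# Assumed internal domain; any other sender domain counts as external.
INTERNAL_DOMAIN = "examplebank.test"

# Assumed one-line-per-message gateway log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" attachments=(?P<att>\S*)$'
)

# Constructed sample log lines; none of these addresses or files are real.
SAMPLE_LOG = [
    '2014-08-01T09:12:03Z from=payments@secure-bank-notice.example to=admin@examplebank.test '
    'subject="Bank transfer confirmation" attachments=invoice.doc',
    '2014-08-01T09:14:44Z from=hr@examplebank.test to=staff@examplebank.test '
    'subject="Holiday schedule" attachments=schedule.xls',
    '2014-08-01T09:20:10Z from=noreply@bank-alerts.example to=sysadmin@examplebank.test '
    'subject="Account statement" attachments=statement.cpl',
    '2014-08-01T09:30:00Z from=colleague@examplebank.test to=admin@examplebank.test '
    'subject="notes" attachments=',
]


@dataclass
class Finding:
    ts: str
    sender: str
    recipient: str
    reason: str


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["att"] = [a for a in rec["att"].split(",") if a]  # empty field -> no attachments
    return rec


def ext_of(filename):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = filename.lower()
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


def triage(lines):
    """Flag messages whose attachments match the lure types described in the article."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as clean
        sender_domain = rec["sender"].rsplit("@", 1)[-1].lower()
        external = sender_domain != INTERNAL_DOMAIN
        bank_themed = "bank" in rec["subject"].lower()
        for att in rec["att"]:
            ext = ext_of(att)
            if ext in CPL_EXT:
                # A Control Panel Applet has no business arriving by e-mail at all.
                findings.append(Finding(rec["ts"], rec["sender"], rec["rcpt"],
                                        f"Control Panel Applet attachment {att}"))
            elif external and ext in LEGACY_OFFICE_EXT and bank_themed:
                findings.append(Finding(rec["ts"], rec["sender"], rec["rcpt"],
                                        f"external bank-themed legacy Office attachment {att}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.sender} -> {f.recipient}: {f.reason}")
```

Run against the constructed sample, the filter flags the external .doc "bank transfer" message and the .cpl "account statement", and leaves the internal spreadsheet and the attachment-free note alone. The .cpl rule is unconditional on purpose; the Office rule is narrowed by sender domain and subject so that ordinary internal documents do not drown the queue.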
The hackers then begin a reconnaissance phase targeting bank employees, particularly systems administrators. The next phase involves siphoning data and recording video of staff activity, which is then sent to a command-and-control (C2) server operated by the group.
The hackers use the intelligence to move through the victim's network to gain access to a variety of systems, including money processing services, ATMs and financial accounts.
Once in, the hackers steal money in a variety of ways, including transferring sums to accounts in the US and China over the SWIFT network.
The hackers also exploit ATM networks to force cash machines to dispense money at specific times for collection by money mules.
Kaspersky reported that the hackers limit each transfer to a maximum of $10m and have hit some banks multiple times.
V3 contacted several banks, including Barclays, RBS and JP Morgan, to see whether they had fallen victim to Carbanak or were taking action to combat the threat. JP Morgan declined to comment.
An RBS spokesperson told V3: "RBS has not been a target of this crime group or this activity."
The campaign's discovery and its success rate have led to concerns in the security community.
Imperva CTO Amichai Shulman said that the gang's high success rate shows that banks' existing defence technologies are inadequate.
"Whatever technologies these banks were using to protect themselves failed. It's time to look for new technologies," he said.
"Such an operation resulted in countless acts of internal credential theft and explorations within the bank network.
"Clearly setting up traps within end stations would have triggered multiple alerts over time. Organisations must deploy this new technology."
Paul Glass, senior associate at international law firm Taylor Wessing, agreed but added that new technologies must be complemented with robust employee training.
"This is an extremely sophisticated attack that used a number of methods of obtaining money from a wide range of banks. However, the entry point into the banks was a tried and tested technique - spear phishing," he said.
"This is another example of the importance of education of staff, both to minimise the risk of opening attachments that contain malicious payloads, and to take immediate action if they realise that they have opened a malicious attachment."
Glass expects Carbanak's discovery to lead to action by financial regulators.
"Regulators will want detailed explanations from the affected banks as to how access was obtained, the extent of compromise of each bank's systems, and how such a serious attack went undetected for many months," he said.
Carbanak's campaign follows wider concerns about financial institutions' cyber security.
Darktrace director of technology Dave Palmer reported that hackers breached an unnamed financial services firm and stole data for six months before being detected in January.