Cyber Incident Victim: Carbanak Gang
Date: Aug 2016
Location: United States of America
Summary
A Russian cybercrime group known as Carbanak targeted multiple point-of-sale (PoS) system providers, including Oracle's MICROS unit and five other vendors, compromising their servers to steal retail customer credentials and gain remote access to payment systems. The attackers exploited vulnerabilities in the vendors' web portals, deploying malicious code to harvest passwords and establish backdoors, potentially exposing contact information and enabling further infiltration of merchant networks. While some victims confirmed only limited or non-sensitive data exposure, the collective compromise affected over a million PoS terminals globally. The group used Carbanak malware alongside Dridex for initial infection and targeted penetration, and has historically focused on financial theft through attacks on the retail and hospitality sectors, including prior incidents involving credit card data exfiltration.
Description
In August 2016, a cybercrime group widely attributed to the Carbanak Gang (also known as Anunak) breached at least six point-of-sale (PoS) system providers, including Oracle's MICROS division and five others: Cin7, ECRS, Navy Zebra, PAR Technology, and Uniwell. The attackers first exploited vulnerabilities in the vendors' servers, with evidence suggesting at least one breach leveraged a recently discovered flaw in third-party Apache web server software. After compromising these systems, they deployed malicious code designed to harvest login credentials from databases or operating systems, intending to use stolen passwords to gain remote access to retailers' PoS terminals. The collective breach impacted over 1 million PoS devices globally, given MICROS alone served 330,000 businesses while Uniwell reported 500,000 deployed terminals. Four of the five non-Oracle vendors confirmed varying degrees of compromise when contacted by FORBES, with one investigation ongoing. ECRS disclosed attackers infiltrated its myECRS customer portal—used for documentation access and software downloads—though the company asserted segregated systems prevented direct access to credit card processing infrastructure. Cin7 identified password-targeting malware on one server but found no immediate evidence of data exfiltration. Navy Zebra confirmed discovery of two backdoors despite claiming no "private data" storage, while PAR Technology characterized its breach as "non-material" with no production data exposure. Uniwell reported only public documentation was accessed but opted to decommission its vulnerable web server. All affected vendors initiated password resets, malware removal, and law enforcement notifications, with ECRS planning a portal rebuild.

The incidents were linked to Carbanak-associated threat actors through forensic evidence, including the use of infrastructure previously tied to the group and overlaps in malware tooling. Security researchers noted that Carbanak had evolved into a malware suite employed by multiple Russian-speaking cybercrime crews, sometimes deployed alongside the Dridex banking trojan for initial infiltration, with Carbanak then applied selectively against high-value targets. Alex Holden of Hold Security obtained direct evidence from the attackers, including server backdoor credentials, and observed them selling access to compromised systems—such as Navy Zebra's infrastructure—through English-speaking intermediaries. The gang shifted its focus to PoS providers after years of credit card dump sales and botnet operations, recognizing vendors as gateways to vast retailer networks. While no data theft was confirmed in these breaches, the pattern mirrored prior Carbanak-linked attacks against Staples (1.16 million cards compromised in 2014), Sheplers, and Bebe. Kaspersky Lab analysis indicated the group had recently expanded its targeting to include corporate accounting systems, demonstrating adaptability in its monetization strategies. Oracle attributed its MICROS breach to legacy systems and mandated customer password changes, though the full scope remained unclear. The coordinated attacks highlighted systemic supply chain risk in the PoS ecosystem, where a compromised vendor can enable downstream breaches across hundreds of thousands of retail and hospitality endpoints.
