
Cyber Incident Victim: The National Bank of Blacksburg

Date:

May 2016

Location:

United States of America

Summary

A Virginia-based financial institution suffered two cyber intrusions via phishing emails within eight months, enabling attackers to install malware and compromise systems controlling debit card transactions and account management. The hackers disabled fraud protections, manipulated withdrawal limits, and stole over $569,000 in the first incident by exploiting ATMs during a holiday closure. In the second breach, they fraudulently credited accounts, withdrew $1.8 million, and deleted transaction records. Forensic investigations linked both attacks to Russian-origin tools, suggesting the same threat actor group. The bank’s insurer denied full coverage under an $8 million cybercrime policy, applying a $50,000 debit card rider limit instead, prompting a lawsuit disputing the proximate cause of losses tied to system compromises rather than card misuse.


Description

The National Bank of Blacksburg experienced two cyber intrusions between May 2016 and January 2017, resulting in combined losses exceeding $2.4 million. The initial breach occurred on May 28, 2016, when attackers compromised an employee workstation through a phishing email, installing malware that enabled access to a second computer connected to First Data's STAR Network. This system managed customer debit card transactions, ATM functionality, and fraud protections. During the three-day attack period spanning Memorial Day weekend, hackers disabled security controls including PIN verification, daily withdrawal limits, and fraud scoring systems. They orchestrated cash withdrawals from hundreds of ATMs across North America, extracting $569,000 from customer accounts before detection. Forensic analysis by cybersecurity firm Foregenix identified Russian-based internet addresses associated with the attack tools and activities. In response, the bank implemented First Data-recommended "velocity rules" in June 2016 to flag repetitive transaction patterns occurring within short timeframes.
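The following is an added illustration of what a "velocity rule" of the kind mentioned above does; it is not the bank's or First Data's actual rule. The event format, thresholds and sample withdrawals are constructed assumptions. The point is that such a rule runs as an independent check on transaction history, so it can still fire even when per-card controls such as PIN verification or daily limits have been switched off.

```python
"""Sliding-window velocity check over ATM withdrawal events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, card_id, atm_id, amount_usd).
# card-A hits four different ATMs in five minutes; card-B is normal use.
SAMPLE_EVENTS = [
    ("2016-05-28T01:00:00", "card-A", "atm-001", 500),
    ("2016-05-28T01:02:00", "card-A", "atm-002", 500),
    ("2016-05-28T01:03:30", "card-A", "atm-003", 500),
    ("2016-05-28T01:05:00", "card-A", "atm-004", 500),
    ("2016-05-28T01:10:00", "card-B", "atm-001", 100),
    ("2016-05-28T09:00:00", "card-B", "atm-001", 200),
]


def velocity_alerts(events, window=timedelta(minutes=10),
                    max_count=3, max_total=1000):
    """Return one alert per event that pushes a card over the window limits.

    An alert fires when, within `window`, a card has more than `max_count`
    withdrawals or more than `max_total` dollars withdrawn. Thresholds are
    hypothetical. Events are sorted by timestamp so out-of-order input is fine.
    """
    recent = defaultdict(deque)   # card_id -> deque of (ts, atm_id, amount)
    alerts = []
    for ts_str, card, atm, amount in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        q = recent[card]
        q.append((ts, atm, amount))
        # Evict events older than the window relative to the newest event.
        while q and ts - q[0][0] > window:
            q.popleft()
        count = len(q)
        total = sum(a for _, _, a in q)
        distinct_atms = len({a for _, a, _ in q})
        if count > max_count or total > max_total:
            alerts.append({"card": card, "at": ts_str, "count": count,
                           "total": total, "distinct_atms": distinct_atms})
    return alerts


if __name__ == "__main__":
    for alert in velocity_alerts(SAMPLE_EVENTS):
        print(alert)
```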


Eight months later, in January 2017, attackers breached the bank again using another phishing email. This intrusion provided broader system access, compromising both the STAR Network and a workstation running Navigator software used to manage customer account credits and debits. Between January 7 and 9, 2017, hackers fraudulently credited over $2 million to customer accounts, disabled security protocols, and conducted coordinated ATM withdrawals while actively monitoring the compromised accounts through the bank's systems. After the operation they deleted evidence of the fraudulent debits, resulting in $1,833,984 in losses. Verizon's forensic investigation attributed this attack to Russian-origin tools and servers, concluding that the same threat actors were responsible for both incidents. The attackers initially compromised systems via malware embedded in a malicious Microsoft Word document. The bank's insurer, Everest National Insurance Company, later contested coverage under an $8 million computer crime policy, asserting that both incidents fell under a $50,000 debit card rider due to exclusions involving ATM disbursements. This dispute led to a July 2018 lawsuit in which the bank argued that the losses stemmed proximately from the computer intrusions rather than from card usage alone. Total confirmed financial impact reached $2,402,984 across both events, with the insurance litigation over coverage applicability unresolved.
