Throughout 2016 some of the most notable reporting on criminal activity targeting the financial sector related to the use of ATM malware by a group of threat actors identified as the “KS Group”, an organized crime group (OCG) believed to be based in Russia. The group adopted a relatively unusual operational methodology in which ATM malware was deployed onto targeted machines ahead of time through a computer network intrusion and then money mules were sent in to activate the malware and collect the cash. However, this type of operation was unusually complex; the majority of reported ATM malware activity has involved mules manually installing malware by physically interacting with targeted machines.

Manual Infection vs. Network Intrusion

The organizational charts below show hypothesized versions of how OCGs would need to be structured in order to conduct different types of ATM malware operations.

Figure 1

Figure 1 – Organizational chart for manual malware deployment.

Figure 2

Figure 2 – Organizational chart for malware deployment through network intrusion.

These models show that deploying malware manually requires a much simpler set-up. However, in this model the mules represent a chokepoint – they are forced to spend far longer interacting with each ATM due to the requirement that they force the machine open and go through an installation process. This also increases their physical exposure and operational risk.

Conversely, the organizational structure for a network intrusion-based operation is complex – the actions of two teams must be coordinated. Moreover, a requirement for specialist personnel to conduct network intrusions is likely to increase operational costs. However, mules are required to spend far less time interacting with each ATM and will not have to engage in obviously suspicious behavior, such as forcing a machine open. This can allow more ATMs to be targeted at once, potentially resulting in a greater sum of money being obtained than would be possible for a physical deployment operation conducted over the same timeframe.

Informing Defender Action

Based on these organizational structures and analysis of previous ATM malware operations, hypothesized operational kill chains for both types of operation have been developed. Understanding the different stages of each operational can enable the identification of key points where defender action can increase attacker operational costs or create opportunities to discover an operation.

Figure 3

Figure 3 – Kill chain for operations where ATM malware is deployed manually.

The simpler nature of this type of operation means that opportunities for defenders to act are likely to revolve around limiting opportunities to gain unsupervised access to ATMs and prioritizing ATM system updates when new vulnerabilities are identified.

Figure 4

Figure 4 – Kill chain for operations where ATM malware is deployed through a network intrusion.

While the more complex nature of this type of operation presents greater number of opportunities for defenders to act, the nature of these opportunities is more fleeting. Mules spending less time interacting with ATMs reduces the likelihood of physical security measures identifying them as acting suspiciously. Furthermore, opportunities for network defenders are heavily dependent on the adoption of best practices across an entire corporate network, a task which can be challenging even for small organizations, let alone multinational banks.


Reporting of criminal activity involving ATM malware has indicated that although significantly more complex to plan and execute, network intrusion based operations like those carried out by the KS Group have the potential to produce very high profits. While beyond the capability of many criminal groups, more sophisticated criminals are likely to take note of the success of this approach in the future. It is, therefore, important for network defenders to take note of how these types of operations have been conducted in the past in order to prepare for and mitigate such attacks.