MoneyTaker Take Money From A Russian Bank

A notorious hacker group known as MoneyTaker has stolen roughly $1 million from a Russian bank after breaching its network via an outdated router.

The victim of the hack is PIR Bank, which lost at least $920,000 in money it had stored in a corresponding account at the Bank of Russia.

Group-IB, a Russian cyber-security firm that was called in to investigate the incident, says that after studying infected workstations and servers at PIR Bank, they collected "irrefutable digital evidence implicating MoneyTaker in the theft."
Group-IB are experts in MoneyTaker tactics because they uncovered the group last December when they published a report on their past attacks.

Experts tied the group to thefts at US, UK, and Russian banks and financial institutions going back as far as 2016. According to Group-IB, the MoneyTaker attacks that hit banks were focused on infiltrating inter-banking money transfer and card processing systems such as the First Data STAR Network and the Automated Work Station Client of the Russian Central Bank (AWS CBR) system.

How the Hack unfolded
This is what happened this time as well, according to Group-IB. Hackers infiltrated PIR Bank's network at the end of May via an outdated router at one of the bank's regional branches.

"The router had tunnels that allowed the attackers to gain direct access to the bank’s local network," Group-IB experts said.

"This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks."

Hackers then used the router to infect the bank's local network with malware. They then used PowerShell scripts to gain persistence and carry out malicious operations without being detected. When, finally, the hackers breached PIR Bank's main network, they also gained access to its AWS CBR account, the system they needed to control financial transactions.
On July 3, MoneyTaker used this system to transfer funds from PIR Bank's account at the Bank of Russia to 17 accounts they created in advance. Moments after the stolen funds landed in these accounts, money mules withdrew it from ATMs across Russia.

PIR Bank employees discovered the hack a day later, on July 4, but by that moment it was already too late to reverse transactions.

In typical MoneyTaker fashion, hackers tried clearing logs from infected computers in order to hide their tracks, but Group-IB said they found reverse shells the group used to access compromised computers.

Not the first MoneyTaker Hack in Russia this year
"This is not the first successful attack on a Russian bank with money withdrawal since early 2018," says Valeriy Baulin, Head of Digital Forensics Lab Group-IB. "We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed."

Group-IB says that at least two of these 2018 hacks of Russian banks have been carried out by the MoneyTaker group.
The group's activities are very hard to track because they tend to use common OS utilities to perform malicious actions instead of relying on actual malware. They also clear logs and study each bank's network and system in advance, even stealing documentation to understand with what they're dealing with.

During its three-year lifespan, it is believed the group stole tens of millions from banks since they started their hacking spree back in 2016. Group-IB says the average losses are of $500,000 per incident in the US and around $1.2 million per incident in Russia.

Past MoneyTaker hacks include 15 US banks, a US services provider, a UK banking software company, 5 Russian banks, and one Russian law firm. 

Bleeping Computer

You Might Also Read: 

Italian Bank Cyber Spy Attacks:

SWIFT Says Bank Cyber Attacks Are Here to Stay:

 

« Trump / Putin Summit Was A Magnet For Hackers
Singapore’s Giant Healthcare Hack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Conscio Technologies

Conscio Technologies

Conscio Technologies is a specialist in IT security awareness. Our solutions allow you to easily manage innovative online IT awareness campaigns.

Secure Identity Alliance (SIA)

Secure Identity Alliance (SIA)

The Secure Identity Alliance is dedicated to supporting sustainable worldwide economic growth and prosperity through the development of trusted digital identities and the adoption of secure eServices.

Minerva Labs

Minerva Labs

Minerva’s patent pending solution keeps malware in a constant sleep state before it can infiltrate your network and cause any damage.

Intezer Labs

Intezer Labs

The only solution replicating the concepts of the biological immune system into cyber-security. Intezer provides enterprises with unparalleled Threat Detection and accelerates Incident Response.

Huntsman Security

Huntsman Security

Huntsman Security provides technology to enable real-time security monitoring and immediate visibility of advanced threats and compliance issues.

XTN Cognitive Security

XTN Cognitive Security

XTN is focused on the development of security, Fraud and Mobile Threat Prevention advanced behaviour-based solutions.

National Cyber Security Centre (NCSC) - New Zealand

National Cyber Security Centre (NCSC) - New Zealand

The role of the NCSC is to help New Zealand’s most significant public and private sector organisations to protect their information systems from advanced cyber-borne threats.

AUTOCRYPT

AUTOCRYPT

AUTOCRYPT is a mobility security provider dedicated to the safety of future transportation

NOW Insurance

NOW Insurance

NOW Insurance provides small business owners and other professional classes with a seamless purchasing experience for general liability, professional liability, and cybersecurity insurance coverage.

MicroSec

MicroSec

MicroSec is a company specializing in IoT security. We focus on bringing enterprise grade security to IoT and embedded systems.

Porto Research, Technology & Innovation Center (PORTIC)

Porto Research, Technology & Innovation Center (PORTIC)

PORTIC brings together several research centers and groups from P.PORTO in a single space, forming a superstructure dedicated to research, technology transfer, innovation and entrepreneurship.

Assure IT

Assure IT

Assure IT is a Singapore company specialising in technology governance, risk and compliance.

Tetrate.io

Tetrate.io

Tetrate Service Bridge provides enterprises with a consistent, unified way to connect and secure services across an entire mesh-managed environment.

Persona

Persona

At Persona, we’re humanizing online identity by helping companies verify that their users are who they say they are.

HackersEra

HackersEra

HackersEra is a leading offensive cybersecurity service provider. We enable our clients to operate in a more secure environment efficiently and produce more value.

8com

8com

8com is an established Managed Security Service Provider (MSSP) with over 75 employees and customers in over 40 countries.