MoneyTaker Take Money From A Russian Bank

A notorious hacker group known as MoneyTaker has stolen roughly $1 million from a Russian bank after breaching its network via an outdated router.

The victim of the hack is PIR Bank, which lost at least $920,000 in money it had stored in a corresponding account at the Bank of Russia.

Group-IB, a Russian cyber-security firm that was called in to investigate the incident, says that after studying infected workstations and servers at PIR Bank, they collected "irrefutable digital evidence implicating MoneyTaker in the theft."
Group-IB are experts in MoneyTaker tactics because they uncovered the group last December when they published a report on their past attacks.

Experts tied the group to thefts at US, UK, and Russian banks and financial institutions going back as far as 2016. According to Group-IB, the MoneyTaker attacks that hit banks were focused on infiltrating inter-banking money transfer and card processing systems such as the First Data STAR Network and the Automated Work Station Client of the Russian Central Bank (AWS CBR) system.

How the Hack unfolded
This is what happened this time as well, according to Group-IB. Hackers infiltrated PIR Bank's network at the end of May via an outdated router at one of the bank's regional branches.

"The router had tunnels that allowed the attackers to gain direct access to the bank’s local network," Group-IB experts said.

"This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks."

Hackers then used the router to infect the bank's local network with malware. They then used PowerShell scripts to gain persistence and carry out malicious operations without being detected. When, finally, the hackers breached PIR Bank's main network, they also gained access to its AWS CBR account, the system they needed to control financial transactions.
On July 3, MoneyTaker used this system to transfer funds from PIR Bank's account at the Bank of Russia to 17 accounts they created in advance. Moments after the stolen funds landed in these accounts, money mules withdrew it from ATMs across Russia.

PIR Bank employees discovered the hack a day later, on July 4, but by that moment it was already too late to reverse transactions.

In typical MoneyTaker fashion, hackers tried clearing logs from infected computers in order to hide their tracks, but Group-IB said they found reverse shells the group used to access compromised computers.

Not the first MoneyTaker Hack in Russia this year
"This is not the first successful attack on a Russian bank with money withdrawal since early 2018," says Valeriy Baulin, Head of Digital Forensics Lab Group-IB. "We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed."

Group-IB says that at least two of these 2018 hacks of Russian banks have been carried out by the MoneyTaker group.
The group's activities are very hard to track because they tend to use common OS utilities to perform malicious actions instead of relying on actual malware. They also clear logs and study each bank's network and system in advance, even stealing documentation to understand with what they're dealing with.

During its three-year lifespan, it is believed the group stole tens of millions from banks since they started their hacking spree back in 2016. Group-IB says the average losses are of $500,000 per incident in the US and around $1.2 million per incident in Russia.

Past MoneyTaker hacks include 15 US banks, a US services provider, a UK banking software company, 5 Russian banks, and one Russian law firm. 

Bleeping Computer

You Might Also Read: 

Italian Bank Cyber Spy Attacks:

SWIFT Says Bank Cyber Attacks Are Here to Stay:

 

« Trump / Putin Summit Was A Magnet For Hackers
Singapore’s Giant Healthcare Hack »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NATO Cooperative Cyber Defence Centre (CCDCOE)

NATO Cooperative Cyber Defence Centre (CCDCOE)

NATO CCDCOE's mission is to enhance the capability, cooperation and information sharing among NATO, NATO nations and partners in cyber defence.

Teneo

Teneo

Teneo is a Solutions Provider focused on reducing complexity. We combine leading technology with deep expertise to create new ideas on how to simplify IT operations.

CipherPoint Software

CipherPoint Software

CipherPoint Software provides data-centric auditing and protection solutions for securing unstructured information

Luxar Tech

Luxar Tech

Luxar's network visibility products enable enterprises and service providers to monitor network traffic, improve security and optimize efficiency.

Italian Association of Critical Infrastructure Experts (AIIC)

Italian Association of Critical Infrastructure Experts (AIIC)

AIIC acts as a focal point in Italy for expertise on the protection of Critical Infrastructure including ICT networks and cybersecurity.

Agari

Agari

Agari is the Trusted Email Identity Company™, protecting brands and people from devastating phishing and socially-engineered attacks.

SailPoint

SailPoint

SailPoint provides identity governance solutions with on-premises and cloud-based identity management software for the most complex challenges.

Arete

Arete

Arete is a global cyber risk company whose mission is to transform the way organizations prepare for, respond to, and prevent cybercrime.

Responsible Cyber

Responsible Cyber

Protect yourself with Responsible Cyber’s 360° platform, IMMUNE, arming you with comprehensive support for your business.

Datenschutz Schmidt

Datenschutz Schmidt

Datenschutz Schmidt is a service provider with many years of experience, we support you in complying with numerous data protection guidelines, requirements and laws.

Ankura Consulting Group

Ankura Consulting Group

Ankura is a global expert services and advisory firm that delivers services and end-to-end solutions in a wide range of areas including cybersecurity and digital transformation.

GrayMatter

GrayMatter

GrayMatter provides Advanced Industrial Analytics, OT Cybersecurity, Digital Transformation and Automation & Control services to clients across the U.S. and Canada.

NewEvol

NewEvol

Don’t React, Evolve! Outsmart threats with real-time AI-powered dynamic defense capability of NewEvol all-in-one cybersecurity platform.

Luxembourg House of Cybersecurity (LHC)

Luxembourg House of Cybersecurity (LHC)

Luxembourg House of Cybersecurity (formerly SecurityMadeIn.lu) is the backbone of leading-edge cyber resilience in Luxembourg.

Gibbs Consulting

Gibbs Consulting

Gibbs Consulting provides innovative, flexible, on-demand IT Services and IT Consulting that delivers value and successful outcomes for our clients.

ZehnTek

ZehnTek

ZehnTek is a premier technology solutions provider, committed to offering comprehensive IT services tailored to meet the diverse needs of businesses.