MoneyTaker Take Money From A Russian Bank

Uploaded on 2018-08-02 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Financial

A notorious hacker group known as MoneyTaker has stolen roughly $1 million from a Russian bank after breaching its network via an outdated router.

The victim of the hack is PIR Bank, which lost at least $920,000 in money it had stored in a corresponding account at the Bank of Russia.

Group-IB, a Russian cyber-security firm that was called in to investigate the incident, says that after studying infected workstations and servers at PIR Bank, they collected "irrefutable digital evidence implicating MoneyTaker in the theft."
Group-IB are experts in MoneyTaker tactics because they uncovered the group last December when they published a report on their past attacks.

Experts tied the group to thefts at US, UK, and Russian banks and financial institutions going back as far as 2016. According to Group-IB, the MoneyTaker attacks that hit banks were focused on infiltrating inter-banking money transfer and card processing systems such as the First Data STAR Network and the Automated Work Station Client of the Russian Central Bank (AWS CBR) system.

How the Hack unfolded
This is what happened this time as well, according to Group-IB. Hackers infiltrated PIR Bank's network at the end of May via an outdated router at one of the bank's regional branches.

"The router had tunnels that allowed the attackers to gain direct access to the bank’s local network," Group-IB experts said.

"This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks."

Hackers then used the router to infect the bank's local network with malware. They then used PowerShell scripts to gain persistence and carry out malicious operations without being detected. When, finally, the hackers breached PIR Bank's main network, they also gained access to its AWS CBR account, the system they needed to control financial transactions.
On July 3, MoneyTaker used this system to transfer funds from PIR Bank's account at the Bank of Russia to 17 accounts they created in advance. Moments after the stolen funds landed in these accounts, money mules withdrew it from ATMs across Russia.

PIR Bank employees discovered the hack a day later, on July 4, but by that moment it was already too late to reverse transactions.

In typical MoneyTaker fashion, hackers tried clearing logs from infected computers in order to hide their tracks, but Group-IB said they found reverse shells the group used to access compromised computers.

Not the first MoneyTaker Hack in Russia this year
"This is not the first successful attack on a Russian bank with money withdrawal since early 2018," says Valeriy Baulin, Head of Digital Forensics Lab Group-IB. "We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed."

Group-IB says that at least two of these 2018 hacks of Russian banks have been carried out by the MoneyTaker group.
The group's activities are very hard to track because they tend to use common OS utilities to perform malicious actions instead of relying on actual malware. They also clear logs and study each bank's network and system in advance, even stealing documentation to understand with what they're dealing with.

During its three-year lifespan, it is believed the group stole tens of millions from banks since they started their hacking spree back in 2016. Group-IB says the average losses are of $500,000 per incident in the US and around $1.2 million per incident in Russia.

Past MoneyTaker hacks include 15 US banks, a US services provider, a UK banking software company, 5 Russian banks, and one Russian law firm. 

Bleeping Computer

You Might Also Read: 

Italian Bank Cyber Spy Attacks:

SWIFT Says Bank Cyber Attacks Are Here to Stay:

 

« Trump / Putin Summit Was A Magnet For Hackers
Singapore’s Giant Healthcare Hack »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Blueliv

Blueliv

Blueliv is a leading provider of targeted cyber threat information and intelligence. We deliver automated and actionable threat intelligence to protect the enterprise and manage your digital risk.

Junglemap

Junglemap

Junglemap provide nanolearning training courses on ransomware, information security and GDPR.

Managed Security Solutions (MSS)

Managed Security Solutions (MSS)

MSS deliver consultancy services and managed security services for IT departments who may lack the time, resources, or expertise themselves.

Galvanize

Galvanize

Galvanize is a leading provider of award-winning, cloud-based security, risk management, compliance, and audit software for some of the world’s largest organizations.

Partnership for Conflict, Crime and Security Research (PaCCS)

Partnership for Conflict, Crime and Security Research (PaCCS)

PaCCS delivers high quality and cutting edge research to improve our understanding of current and future global security challenges in areas including cybersecurity.

Siemens

Siemens

Siemens Industrial Security Services provide solutions for cybersecurity in automation environments based on the recommendations of the international standard IEC 62443.

Kindus

Kindus

Kindus is an IT security, assurance and cyber security risk management consultancy.

Cyber Intelligence House (CIH)

Cyber Intelligence House (CIH)

Cyber Intelligence House provides risk exposure solutions for a wide range of audiences including companies, government agencies, regulators, investors, law enforcement and consumers.

Future Planet Capital

Future Planet Capital

Future Planet is the impact-led, global venture capital firm built to invest in high growth potential companies from the world's top research centres.

SensCy

SensCy

SensCy is a Trusted Guide for Sensible Cybersecurity for small and medium-sized organizations.

Secjur

Secjur

Secjur is a provider of AI-based compliance tools that aim to put compliance, data protection, information security and whistleblowing on autopilot.

Reken

Reken

Reken are building a new type of AI platform and products to protect against generative AI threats.

Ark Infotech

Ark Infotech

Ark Infotech is a provider of cloud management services, selective support services, and technology solutions.

ArmorX AI

ArmorX AI

ArmorX AI (formerly Kapalya) operates an encryption management platform designed to encrypt all data in transit and at rest on mobile end-points, corporate servers, and cloud servers.

YSecurity

YSecurity

At YSecurity, we simplify compliance, prevent breaches, and help startups scale with confidence. Focus on growth—we’ll handle the security.

Concentrix

Concentrix

Concentrix - the intelligent transformation partner. We help the world’s leading organisations to modernise technology, transform experiences, and solve their toughest business challenges.