"MoneyTaker" Hackers Stole $1 Million From Russian Bank
22.7.18 securityweek Incindent
A cybercriminal group referred to as MoneyTaker recently managed to steal nearly $1 million from PIR Bank (Russia), according to cybercrime research firm Group-IB.
The theft was performed on July 3 through the Russian Central Bank’s Automated Workstation Client, an interbank system similar to SWIFT. The hackers managed to transfer the funds to 17 accounts at major Russian banks and then cashed them out.
After the incident, the cybercriminals also attempted to maintain persistence in the bank’s network, but were detected. While PIR staff was able to delay the withdrawal of some of the funds, it appears that most of what was stolen has been lost, namely around $920,000 (which is a conservative estimate, according to Group-IB).
Group-IB, which analyzed the incident, says that all evidence points to the MoneyTaker group orchestrating the theft. The investigators discovered tools and techniques previously associated with the group, along with the IP addresses of their command and control (C&C) servers.
The security firm previously reported that MoneyTaker had launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years. The group has been mainly focused on card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT (US).
The security researchers established that the attack on PIR Bank started in late May 18 and that a compromised router of one of the bank’s regional branches was used as entry point.
“The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks,” the researchers say.
The hackers breached the bank’s main network and accessed the AWS CBR, then generated payment orders and sent money to mule accounts prepared in advance. Funds were transferred to accounts at 17 of the largest banks and were immediately cashed out by money mules via ATMs.
The bank employees discovered the unauthorized transactions with large sums on the evening of July 4 and asked the regulator to block the AWS CBR digital signature keys, but weren’t able to stop the financial transfers in time. Thus, the hackers managed to cash out most of the stolen money.
The attackers also cleared OS logs on compromised computers, to hinder analysis. They also left reverse shells onto the bank’s computers to conduct new attacks, but these were discovered during investigation and removed.
Attacks on AWS CBR are not easy to implement, Valeriy Baulin, Head of Digital Forensics Lab Group-IB, says. Thus, such attacks are “not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully.”
“This is not the first successful attack on a Russian bank with money withdrawal since early 18. We know of at least three similar incidents. A 2016 incident, when МoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind,” Baulin said.