Cybercrooks slurp nearly $1m from Russian bank after pwning router at regional branch

MoneyTaker lives up to its name

Hackers stole almost $1m from a Russian bank earlier this month after breaching its network via an outdated router.

PIR Bank was looted by the notorious MoneyTaker hacking group, according to Group-IB, the Moscow-based security firm called in by the bank to handle incident response.

Funds were stolen on 3 July through the Russian Central Bank's Automated Workstation Client (an interbank fund transfer system similar to SWIFT), transferred to 17 accounts at major Russian banks and cashed out. Cybercrooks tried to ensure persistence in the bank's network through "reverse shell" programs in preparation for subsequent attacks, but these hacking tools were detected and expunged before further mischief could be wrought.

According to local reports, PIR Bank lost around $920,000 from their correspondent account at the Bank of Russia. Group-IB describes this as a "conservative estimate".

After studying infected workstations and servers at the bank, Group-IB forensic specialists collected digital evidence implicating MoneyTaker in the theft. The digital footprints from the PIR Bank raid matched the tools and techniques of earlier attacks linked to MoneyTaker.

Group-IB confirmed that the attack on PIR Bank started in late May 2018 with the pwnage of a router used by one of the bank's regional branches.

It explained: "It was Cisco 800 Series Router, with IOS 12.4, which was ended support in 2016... It is impossible to determine which CVE was used, [there is] no syslog or anything like that. It could be [that it was] just simply bruted."

The router had tunnels that allowed the attackers to gain direct access to the bank's local network. This approach has already been used by the group at least three times while attacking banks with regional branch networks, Group-IB said.

When the criminals hacked the bank's main network, they managed to gain access to AWS CBR (Automated Work Station Client of the Russian Central Bank), generate payment orders and send money in several tranches to mule accounts prepared in advance. PowerShell scripts were used to automate some stages of the hacking process.

"On the evening of July 4, when bank employees found unauthorised transactions with large sums, they asked the regulator to block the AWS CBR digital signature keys, but failed to stop the financial transfers in time," Group-IB reported. "Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs."

Although the hackers attempted to erase logs and hide their tracks, enough digital evidence was left behind for Group-IB experts to point a finger towards the likely suspects. Recommendations for prevention of similar attacks have been circulated to clients and partners of Group-IB, including the Central Bank of Russia.

Cybercriminals are actively targeting Russian banks and the PIR Bank case is far from isolated, Group-IB said.

"This is not the first successful attack on a Russian bank with money withdrawal since early 2018," said Valeriy Baulin, head of the digital forensics lab at Group-IB. "We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed."

The first attack by MoneyTaker was recorded in spring 2016, when they stole money from a US bank after gaining access to the card-processing system (FirstData's STAR). The group then went quiet for several months before resurfacing in an ongoing series of attacks primarily targeting Russian, US and (occasionally) UK banking organisations.

According to Group-IB, up until December last year MoneyTaker had conducted 16 attacks in the US, five attacks on Russian banks and one attack on a banking software company in the UK. The average damage caused by one attack in the US amounted to $500,000. In Russia, the average amount of money withdrawn is $1.2m per incident. In addition to money, the cybercriminals habitually steal documents about interbank payment systems needed to prepare for subsequent attacks. ®


MoneyTaker isn't the only group of cybercriminals targeting banks in Russia. Two others (Cobalt and Silence) have also been active this year, according to Group-IB.
