Hackers stole almost $1m from a Russian bank earlier this month after breaching its network via an outdated router.
PIR Bank was looted by the notorious MoneyTaker hacking group, according to Group-IB, the Moscow-based security firm called in by the bank to handle incident response.
Funds were stolen on 3 July through the Russian Central Bank's Automated Workstation Client (an interbank fund transfer system similar to SWIFT), transferred to 17 accounts at major Russian banks and cashed out. Cybercrooks tried to ensure persistence in the bank's network through "reverse shell" programs in preparation for subsequent attacks, but these hacking tools were detected and expunged before further mischief could be wrought.
According to local reports, PIR Bank lost around $920,000 from their correspondent account at the Bank of Russia. Group-IB describes this as a "conservative estimate".
After studying infected workstations and servers at the bank, Group-IB forensic specialists collected digital evidence implicating MoneyTaker in the theft. The digital footprints from the PIR Bank raid matched the tools and techniques of earlier attacks linked to MoneyTaker.
Group-IB confirmed that the attack on PIR Bank started in late May 2018 with the pwnage of a router used by one of the bank's regional branches.
It explained: "It was Cisco 800 Series Router, with iOS 12.4, which was ended support in 2016... It is impossible to determine which CVE was used, [there is] no syslog or anything like that. It could be [that it was] just simply bruted."
The router had tunnels that allowed the attackers to gain direct access to the bank's local network. This approach has already been used by the group at least three times while attacking banks with regional branch networks, Group-IB said.
When the criminals hacked the bank's main network, they managed to gain access to AWS CBR (Automated Work Station Client of the Russian Central Bank), generate payment orders and send money in several tranches to mule accounts prepared in advance. PowerShell scripts were used to automate some stages of the hacking process.
"On the evening of July 4, when bank employees found unauthorised transactions with large sums, they asked the regulator to block the AWS CBR digital signature keys, but failed to stop the financial transfers in time," Group-IB reported. "Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs."
Although the hackers attempted to erase logs and hide their tracks, enough digital evidence was left behind for Group-IB experts to point a finger towards the likely suspects. Recommendations for prevention of similar attacks has been circulated to clients and partners of Group-IB, including the Central Bank of Russia.
Russian hacker clan exposed: They're called MoneyTaker, and they're gonna take your moneyREAD MORE
Cybercriminals are actively targeting Russian banks and the PIR Bank case is far from isolated, Group-IB said.
"This is not the first successful attack on a Russian bank with money withdrawal since early 2018," said Valeriy Baulin, head of the digital forensics lab at Group-IB. "We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed."
The first attack by MoneyTaker was recorded in spring 2016, when they stole money from a US bank after gaining access to the card-processing system (FirstData's STAR). The group then went quiet for several months before resurfacing in an ongoing series of attacks primarily targeting Russian, US and (occasionally) UK banking organisations.
According to Group-IB, up until December last year MoneyTaker had conducted 16 attacks in the US, five attacks on Russian banks and one attack on a banking software company in the UK. The average damage caused by one attack in the US amounted to $500,000. In Russia, the average amount of money withdrawn is $1.2m per incident. In addition to money, the cybercriminals habitually steal documents about interbank payment systems needed to prepare for subsequent attacks. ®
MoneyTaker isn't the only group of cybercriminals targeting banks in Russia. Two others (Cobalt and Silence) have also been active this year, according to Group-IB.