Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

“MoneyTaker” Hackers Stole $1 Million From Russian Bank

A cybercriminal group referred to as

A cybercriminal group referred to as MoneyTaker recently managed to steal nearly $1 million from PIR Bank (Russia), according to cybercrime research firm Group-IB.

The theft was performed on July 3 through the Russian Central Bank’s Automated Workstation Client, an interbank system similar to SWIFT. The hackers managed to transfer the funds to 17 accounts at major Russian banks and then cashed them out.

After the incident, the cybercriminals also attempted to maintain persistence in the bank’s network, but were detected. While PIR staff was able to delay the withdrawal of some of the funds, it appears that most of what was stolen has been lost, namely around $920,000 (which is a conservative estimate, according to Group-IB).

Group-IB, which analyzed the incident, says that all evidence points to the MoneyTaker group orchestrating the theft. The investigators discovered tools and techniques previously associated with the group, along with the IP addresses of their command and control (C&C) servers.

The security firm previously reported that MoneyTaker had launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years. The group has been mainly focused on card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT (US).

 The security researchers established that the attack on PIR Bank started in late May 2018 and that a compromised router of one of the bank’s regional branches was used as entry point.

“The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks,” the researchers say.

The hackers breached the bank’s main network and accessed the AWS CBR, then generated payment orders and sent money to mule accounts prepared in advance. Funds were transferred to accounts at 17 of the largest banks and were immediately cashed out by money mules via ATMs.

Advertisement. Scroll to continue reading.

The bank employees discovered the unauthorized transactions with large sums on the evening of July 4 and asked the regulator to block the AWS CBR digital signature keys, but weren’t able to stop the financial transfers in time. Thus, the hackers managed to cash out most of the stolen money.

The attackers also cleared OS logs on compromised computers, to hinder analysis. They also left reverse shells onto the bank’s computers to conduct new attacks, but these were discovered during investigation and removed.

Attacks on AWS CBR are not easy to implement, Valeriy Baulin, Head of Digital Forensics Lab Group-IB, says. Thus, such attacks are “not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully.”

“This is not the first successful attack on a Russian bank with money withdrawal since early 2018. We know of at least three similar incidents. A 2016 incident, when МoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind,” Baulin said.

Related: Dark Web Chatter Helpful in Predicting Real World Hacks, Firm Says

Related: North Korea-Linked Hacker Group Poses Serious Threat to Banks: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Matthew Cowell has assumed the role of VP of Strategic Alliances at Nozomi Networks. He previously served in the same role at Dragos.

Bret Arsenault is retiring from his full-time role after 35 years at Microsoft.

Social engineering defense platform Doppel has appointed Bobby Ford as Chief Strategy and Experience Officer.

More People On The Move

Expert Insights