Cybercriminals belonging to a notorious hacking group attacked the PIR Bank of Russia and stole $1m. They infiltrated the bank’s systems by compromising an old, outdated router installed at one of the bank’s regional branches. The money was stolen via the Automated Workstation Client (AWC) of the Central Bank of Russia on July 3rd. Like SWIFT, AWC is an interbank fund transfer system. The stolen amount was transferred to 17 accounts at leading banks in Russia and has already been withdrawn.
After withdrawing the amount, the cyber-crooks made sure that the bank’s network remained compromised so that they could carry out further attacks. However, the flaw was detected, and the bank contracted the Moscow-based forensic investigation team Group-IB to probe the attack. It must be noted that the attack occurred five weeks after the hacking group first acquired access to the bank’s network.
According to the Kommersant newspaper, about $910,000 was stolen by hackers believed to be part of a group called MoneyTaker. Security researchers at the Group-IB forensics lab, who first reported on this group in November 2017, state that its members have so far carried out 20 successful attacks on various financial institutions and law firms across Russia, the United States, and the United Kingdom.
Through the hacks, the group has raked in $14m. 16 of these attacks were launched against targets based in the US, five against banks in Russia and one against a UK-based banking software firm. Group-IB states that this particular group is one of the “top threats to banks all over the world.”
Group-IB was able to track down MoneyTaker even though the group is quite skilled at concealing its malicious acts. The researchers identified MoneyTaker’s involvement by assessing the similarity in the techniques, tactics, and procedures used in the campaigns. They noticed that once the hackers obtain access to a targeted network, they spend months trying to gain elevated system privileges so as to reach domain administrator level, and they remain active within the hacked network long before actually launching the attack.
To attack the network, MoneyTaker uses various free tools that are commonly used by hackers as well as security experts, such as Microsoft’s PowerShell management framework, some Visual Basic scripts and the Metasploit framework.
In the recent attack on PIR Bank of Russia, MoneyTaker used tools and IP addresses similar to those it has previously used to attack other banks. The group also uses customized malware, including MoneyTaker v5.0, which is fileless malware that exists only in the computer’s memory, not on the hard drive.
Group-IB’s head Valeriy Baulin states:
“This is not the first successful attack on a Russian bank with money withdrawal since early 2018. We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. A 2016 incident, when MoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind.”
Ken Hosac, VP of IoT Strategy & Business Development at Cradlepoint, also commented on the breach and stated that:
“Software-defined Networking (SDN) enables IoT devices, such as routers, to be deployed on a completely separate network (virtually) that is invisible to the outside world. Traditional networks utilize a “connect first, authenticate second” model that allows hackers to scan networks for devices and their ports using common hacking tools. Those same hacking tools are then used to defeat the authentication.”
“A key benefit of SDN is the model of “authenticate first, connect second”. These networks are completely invisible and inaccessible unless the organization’s IoT devices are first properly authenticated. This means that it is much more difficult for routers to be exploited by hackers,” Hosac explained.
It must be noted that Russia is not MoneyTaker’s only target. Last year, it was reported that the group also targeted banks in the United States. On average, MoneyTaker stole a whopping $3 million from three Russian financial institutions, while a sum of $500,000 was stolen from banks in the United States. The group is not limiting itself to money or the banking sector, either: MoneyTaker has also targeted financial software vendors and law firms.