According to Group-IB researchers, the MoneyTaker group has stolen nearly $1 million from Russian PIR Bank, using a flaw exploited in an outdated router.
Following the theft on July 3, cybersecurity company Group-IB was called in to assist with the bank’s incident response. The company concluded that Russian (or at least Russian-speaking) hacker group ‘MoneyTaker’ was responsible for the attack.
Group-IB’s findings indicate that the attack began late in May 2018 with the compromise of an outdated Cisco router, support for which ended in 2016. The router, used by one of the bank’s regional branches, had tunnels which enabled the hackers to gain direct access to the bank’s local network – a tactic which Group-IB notes has been used by MoneyTaker in the past on several occasions.
The hackers were then able to gain access via the bank’s main network to AWS CBR (Automated Work Station Client of the Russian Central Bank, a system similar to SWIFT), and send payments to 17 mule accounts at major Russian banks, which in most cases were cashed out immediately.
PIR Bank employees noticed the unauthorised transactions on the evening of July 4 and asked the regulator to block the AWS CBR digital signature keys; however, they were unable to block the transactions in time. Group-IB reported that “PIR staff managed to delay withdrawal of some stolen funds, but it is clear that most are lost”.
Initial reports valued the amount stolen at $920,000, which Group-IB describes as “a conservative estimate”.
Group-IB also noted that the hackers cleared OS logs on many computers in an attempt to hinder investigations, and had left behind ‘reverse shells’, which connected the bank’s network to the hackers’ servers in preparation for subsequent attacks. Both of these tactics are consistent with MoneyTaker’s M.O., Group-IB said. The reverse shells were removed following their detection.
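The two post-compromise behaviours described above (clearing OS event logs and leaving long-lived outbound connections that serve as reverse shells) are both observable in ordinary telemetry. The following script is an added illustration, not part of the article or of Group-IB's tooling: it scans a handful of constructed log lines in a hypothetical line format, flags Windows log-clear events (Event IDs 1102 and 104 are the real "audit log was cleared" and "log file was cleared" events) and long outbound connections from internal ranges to addresses outside them, then correlates the two indicators per host. All hostnames, addresses and durations are made up; the internal address ranges and the duration threshold are assumptions to tune for a given network.

```python
"""Flag log clearing and long-lived outbound connections in sample telemetry.

Added example: the log lines, hosts and addresses are constructed for
illustration and do not come from the PIR Bank incident.
"""
import ipaddress

# Constructed sample events (hypothetical format):
#   <timestamp> <host> WINEVT id=<event id> user=<account>
#   <timestamp> <host> NETCONN src=<ip:port> dst=<ip:port> dur=<seconds>
SAMPLE_EVENTS = [
    "2018-07-03T20:01:12 branch-ws07 WINEVT id=4624 user=svc_backup",
    "2018-07-03T20:03:40 branch-ws07 WINEVT id=1102 user=svc_backup",  # Security log cleared
    "2018-07-03T20:04:02 branch-ws07 WINEVT id=104 user=svc_backup",   # System log cleared
    "2018-07-03T20:05:00 branch-ws07 NETCONN src=10.20.5.17:49822 dst=203.0.113.45:443 dur=3600",
    "2018-07-03T20:05:30 branch-ws08 NETCONN src=10.20.5.18:50110 dst=10.20.1.10:445 dur=2",
    "2018-07-03T20:06:10 branch-ws09 NETCONN src=10.20.5.19:50111 dst=198.51.100.7:4444 dur=7200",
    "2018-07-03T20:07:00 branch-ws09 NETCONN src=10.20.5.19:50112 dst=203.0.113.9:443 dur=5",
]

# Windows event IDs that record a log being cleared (real IDs).
LOG_CLEAR_IDS = {"1102": "Security log cleared", "104": "System log cleared"}

# Assumed internal ranges; listed explicitly rather than relying on
# ipaddress.is_private, which also treats the TEST-NET documentation
# ranges used in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed threshold: outbound sessions longer than this are worth a look.
MIN_SUSPICIOUS_DURATION = 1800  # seconds


def parse_event(line):
    """Split one sample line into a dict of its fields."""
    ts, host, kind, rest = line.split(" ", 3)
    fields = dict(f.split("=", 1) for f in rest.split())
    return {"ts": ts, "host": host, "kind": kind, **fields}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(lines):
    """Return (host, indicator, detail) tuples for each suspicious event."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] == "WINEVT" and ev["id"] in LOG_CLEAR_IDS:
            findings.append((ev["host"], "log_cleared",
                             f"{LOG_CLEAR_IDS[ev['id']]} by {ev['user']}"))
        elif ev["kind"] == "NETCONN":
            src_ip = ev["src"].rsplit(":", 1)[0]
            dst_ip = ev["dst"].rsplit(":", 1)[0]
            # Internal source talking to a non-internal destination for a long time.
            if (is_internal(src_ip) and not is_internal(dst_ip)
                    and int(ev["dur"]) >= MIN_SUSPICIOUS_DURATION):
                findings.append((ev["host"], "long_outbound",
                                 f"{ev['src']} -> {ev['dst']} for {ev['dur']}s"))
    return findings


def correlate(findings):
    """Hosts showing both indicators: anti-forensics plus a persistent channel."""
    by_host = {}
    for host, indicator, _ in findings:
        by_host.setdefault(host, set()).add(indicator)
    return sorted(h for h, inds in by_host.items()
                  if {"log_cleared", "long_outbound"} <= inds)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, indicator, detail in found:
        print(f"{host:12} {indicator:14} {detail}")
    print("hosts with both indicators:", correlate(SAMPLE_EVENTS and found))
```

On the sample data the script reports two log-clear events and one long outbound session on branch-ws07, one long outbound session on branch-ws09, and singles out branch-ws07 as the host where both behaviours coincide. In practice the NETCONN records would come from a firewall, proxy or flow collector rather than the endpoint, since, as the article notes, the endpoint's own logs may already have been cleared.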
“During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible,” said Olga Kolosova, Chairman of the Board at PIR Bank. “At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank’s operations in the future in order to prevent new similar incidents.”
Group-IB has been investigating the group for some time now, and in December 2017 had confirmed 20 companies as MoneyTaker victims, with 16 attacks on US-based organisations, three on Russian banks and one on a British banking software company. The group’s first recorded attack took place in spring 2016, in which it targeted a U.S. bank.