19 July 2018

Group-IB is investigating a new daring attack by MoneyTaker: hackers try to steal $1 mln from the bank

Group-IB, one of the global leaders in preventing high-tech crimes and providing high-fidelity threat intelligence and anti-fraud solutions, is conducting incident response on an attack on PIR Bank (Russia), conducted by the MoneyTaker hacking group, which resulted in the theft of 1 million US dollars. Funds were stolen on July 3 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar to SWIFT), transferred to 17 accounts at major Russian banks and cashed out. After that, the criminals tried to ensure persistence in the bank’s network in preparation for subsequent attacks, but were detected and removed by Group-IB incident responders.

According to Kommersant newspaper, PIR Bank lost around $920,000 (which is a conservative estimate) from their correspondent account at the Bank of Russia. PIR Bank officially confirmed the attack initially, adding at that time they were unable to determine the exact amount of losses. PIR staff managed to delay withdrawal of some stolen funds, but it is clear that most are lost. In order to respond to the incident, PIR Bank staff engaged Group-IB.

During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible. At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank’s operations in the future in order to prevent new similar incidents.

Olga Kolosova

Chairman of the Board at PIR Bank

After studying infected workstations and servers at the financial institution, Group-IB forensic specialists collected irrefutable digital evidence implicating MoneyTaker in the theft. In particular, the experts discovered specific tools and techniques that had been used earlier by MoneyTaker to attack banks, as well as the IP addresses of their C&C servers. Recommendations for prevention of similar attacks have been circulated to financial institutions that are Group-IB’s clients and partners, including the Central Bank of Russia. MoneyTaker is a criminal group specializing in targeted attacks on financial institutions, which was investigated by Group-IB experts in December 2017 in their analytic report called MoneyTaker: 1.5 Years of Silent Operations. These hackers are mainly focused on card processing and interbank transfer systems (AWS CBR and SWIFT).


What happened at PIR Bank?

During incident response, Group-IB confirmed that the attack on PIR Bank started in late May 2018. The entry point was a compromised router used by one of the bank’s regional branches. The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is characteristic of MoneyTaker: the group has already used this scheme at least three times while attacking banks with regional branch networks.

To establish persistence in the banks’ systems and automate some stages of their attack, the MoneyTaker group traditionally uses PowerShell scripts. This technique was analyzed in detail by Group-IB experts in their December report. When the criminals hacked the bank’s main network, they managed to gain access to AWS CBR (Automated Work Station Client of the Russian Central Bank), generate payment orders and send money in several tranches to mule accounts prepared in advance.

On the evening of July 4, when bank employees found unauthorized transactions with large sums, they asked the regulator to block the AWS CBR digital signature keys, but failed to stop the financial transfers in time. Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.

Simultaneously, the attackers used a technique characteristic of MoneyTaker to cover their tracks in the system: they cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation.
Moreover, the criminals left some so-called ‘reverse shells’, programs that connected from the bank’s network to the hackers’ servers and waited for new commands to conduct new attacks and regain access to the network. During incident response this was detected by Group-IB employees and removed by the bank’s sysadmins.

«This is not the first successful attack on a Russian bank with money withdrawal since early 2018. We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. As for withdrawal schemes, each group specializing in targeted attacks — Cobalt, Silence and MoneyTaker (these have been the most active groups in 2018) — has its own scheme depending on the amounts and cashout scenarios. We should understand that attacks on AWS CBR are difficult to implement and are not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully. A 2016 incident, when MoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind.»

Valeriy Baulin

Head of Digital Forensics Lab Group-IB


Who are MoneyTaker and why is it so difficult to catch them?

The first attack by MoneyTaker was recorded in spring 2016, when they stole money from a U.S. bank after gaining access to the card processing system (FirstData’s STAR processing system). After that, the hackers did not conduct attacks for almost 4 months and only attacked banks in Russia in September 2016. In these instances, their target was AWS CBR, the Russian interbank transfer system. In general, in 2016, Group-IB recorded 10 MoneyTaker attacks against organisations in the U.S., UK and Russia. Since 2017, the geography of their attacks has shrunk to Russia and the U.S. In 2018, Group-IB tracked two MoneyTaker attacks in Russia.

MoneyTaker has its own set of specific TTPs. The hackers try to go unnoticed, use ‘one-time’ infrastructure and ‘fileless’ software, and carefully cover up traces of their presence. This involves specific use of the Metasploit and PowerShell Empire frameworks.

It is evident that MoneyTaker is one of the top threats to banks all over the world. In connection with the incident at PIR Bank, Group-IB gave recommendations to security departments of financial institutions on how to minimize the danger presented by MoneyTaker. Since the entry point in most successful attacks conducted by this group was routers, it is first necessary to check that router firmware is up to date, test systems for brute-force vulnerabilities and detect changes in router configuration in a timely manner.
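As an added illustration of the last recommendation (this is example code, not part of the Group-IB release), the Python below compares a stored router configuration snapshot with a freshly pulled one, ignores volatile comment lines so a baseline fingerprint stays stable between polls, and flags added lines such as a new tunnel interface or a new local account. The configuration text, account names, addresses and alert patterns are constructed samples in a generic IOS-like syntax and should be adapted to the platform in use.

```python
import difflib
import hashlib
import re
# Constructed "known-good" snapshot of a branch router config (sample data, not from the page).
BASELINE = """\
! Last configuration change at 10:00:00 UTC Mon May 21 2018
username netops privilege 15 secret 5 $PLACEHOLDER
interface GigabitEthernet0/0
 ip address 10.10.1.1 255.255.255.0
line vty 0 4
 transport input ssh
"""
# Constructed later snapshot of the same device, with changes a defender should be paged about.
CURRENT = """\
! Last configuration change at 03:12:44 UTC Sun Jun 03 2018
username netops privilege 15 secret 5 $PLACEHOLDER
username svc_backup privilege 15 secret 5 $PLACEHOLDER2
interface GigabitEthernet0/0
 ip address 10.10.1.1 255.255.255.0
interface Tunnel10
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
line vty 0 4
 transport input ssh telnet
"""
# Hypothetical alert patterns for added lines; tune them to the platform's config syntax.
RISKY_ADDITIONS = [
    re.compile(r"^interface Tunnel"),             # new tunnel interface (the entry vector above)
    re.compile(r"^\s*tunnel destination"),        # tunnel endpoint configured on the device
    re.compile(r"^username "),                    # new local account
    re.compile(r"^\s*transport input .*telnet"),  # cleartext management access re-enabled
]

def normalize(config: str) -> list:
    """Drop '!' comment lines (volatile timestamps) and blanks so fingerprints stay stable."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")]

def fingerprint(config: str) -> str:
    """SHA-256 of the normalized config: record it at baseline time, compare on every poll."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()

def config_diff(baseline: str, current: str) -> list:
    """Only the '+'/'-' lines of a zero-context unified diff (file headers and '@@' dropped)."""
    diff = difflib.unified_diff(normalize(baseline), normalize(current), lineterm="", n=0)
    return [ln for ln in diff if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]

def risky_changes(diff_lines: list) -> list:
    """Added lines that match an alert pattern; these should raise an immediate alert."""
    added = [ln[1:] for ln in diff_lines if ln.startswith("+")]
    return [ln for ln in added if any(p.search(ln) for p in RISKY_ADDITIONS)]
```

A cheap fingerprint comparison on every poll decides whether to run the diff at all, and any non-empty result should be reconciled against the change-management record before it is dismissed.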

According to the Group-IB report published in December, at that time MoneyTaker had conducted 16 attacks in the U.S., five attacks on Russian banks and one attack on a banking software company in the UK. The average damage caused by one attack in the U.S. amounted to $500,000. In Russia, the average amount of money withdrawn is 1.2 million USD per incident. In addition to money, the criminals steal documents about interbank payment systems needed to prepare for subsequent attacks. Incident response and investigations continue.

Group-IB is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigation of high-tech crimes and intellectual property protection, headquartered in Singapore. The company’s threat intelligence and research centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), Europe (Amsterdam), and Russia (Moscow).

Group-IB’s Threat Intelligence & Attribution system has been named one of the best in class by Gartner, Forrester, and IDC. Group-IB’s Threat Hunting Framework (earlier known as TDS), intended for the proactive search for and protection against complex and previously unknown cyberthreats, has been recognized as one of the leaders in Network Detection and Response by the leading European analyst agency KuppingerCole Analysts AG, while Group-IB itself has been recognized as a Product Leader and Innovation Leader. Gartner identified Group-IB as a Representative Vendor in Online Fraud Detection for its Fraud Hunting Platform. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for its Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks with the company’s patented technologies at its core.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in cybercrime investigations worldwide and 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory, high-tech crime investigations department, and round-the-clock CERT-GIB. Group-IB is a partner of Europol.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.
