The hacker group MoneyTaker stole $1m from the Russian bank PIR, transferring the money to 17 accounts at other major Russian banks before cashing out. Group-IB was hired to respond to the incident and limit the damage; because the stolen funds had already been withdrawn, most of the money is thought to be unrecoverable for PIR Bank.
Group-IB confirmed that the attack on PIR Bank started in late May 2018, with the hackers gaining access to the bank by compromising a router used by one of the bank's regional branches. In a press release, the company said: "The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks.
“Moreover, the criminals left some so-called ‘reverse shells’, programs that connected to the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and gain access to the network. During incident response, these were detected by Group-IB employees and removed by the bank’s sysadmins.”
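The reverse shells Group-IB describes are implants that connect out from the bank's network to the attackers' servers and then idle until a command arrives. One practical consequence is that, however carefully the group wipes its traces on disk, the network side tends to leave a pattern: an internal host repeatedly opening long-lived or evenly spaced outbound connections to the same external address and port. The Python script below is an added example, not code from Group-IB, PIR Bank or this article. It parses a few constructed firewall-style connection log lines (an assumed format with made-up addresses, not real PIR Bank data), treats 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 as the assumed internal ranges, and flags internal-to-external flows that look like a shell holding a channel open or beaconing on a fixed schedule.

```python
"""Flag reverse-shell-style outbound flows in connection logs.

Added example, not Group-IB's or PIR Bank's tooling. The log format,
address ranges and thresholds below are assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Assumed organisation address space (not PIR Bank's real ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_CONNECTIONS = 3        # need a few samples before judging a flow
LONG_LIVED_SECONDS = 900   # a shell idling for commands keeps the socket open
PERIODIC_CV = 0.15         # coefficient of variation of reconnect intervals

# Constructed sample lines (assumed "ts src:sport -> dst:dport proto duration=Ns" layout).
SAMPLE_LOG = """\
2018-05-28T09:00:02 10.20.1.15:49312 -> 203.0.113.45:443 tcp duration=1800s
2018-05-28T09:30:03 10.20.1.15:49377 -> 203.0.113.45:443 tcp duration=1799s
2018-05-28T10:00:01 10.20.1.15:49401 -> 203.0.113.45:443 tcp duration=1801s
2018-05-28T10:30:02 10.20.1.15:49455 -> 203.0.113.45:443 tcp duration=1800s
2018-05-28T09:05:10 10.20.1.22:51000 -> 198.51.100.7:443 tcp duration=2s
2018-05-28T09:47:31 10.20.1.22:51088 -> 198.51.100.7:443 tcp duration=1s
2018-05-28T11:12:04 10.20.1.22:51301 -> 198.51.100.7:443 tcp duration=3s
2018-05-28T09:10:00 10.20.1.15:49320 -> 10.20.5.4:445 tcp duration=600s
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) duration=(?P<dur>\d+)s$"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    connections: int
    mean_duration: float
    interval_cv: float
    reasons: tuple


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(log_text: str):
    """Yield (start_time, src, dst, dport, duration_seconds) per parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in other formats instead of failing the run
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
               int(m["dport"]), int(m["dur"]))


def analyze(log_text: str) -> list:
    """Group internal->external connections per (src, dst, dport) and score them."""
    flows = defaultdict(list)
    for ts, src, dst, dport, dur in parse(log_text):
        # A reverse shell originates inside and terminates outside; ignore the rest.
        if not is_internal(src) or is_internal(dst):
            continue
        flows[(src, dst, dport)].append((ts, dur))

    findings = []
    for (src, dst, dport), conns in flows.items():
        if len(conns) < MIN_CONNECTIONS:
            continue
        conns.sort()
        durations = [d for _, d in conns]
        starts = [t for t, _ in conns]
        # Gaps between successive connection starts; a scheduled beacon keeps them even.
        intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        avg_dur = mean(durations)
        avg_gap = mean(intervals)
        cv = pstdev(intervals) / avg_gap if avg_gap > 0 else float("inf")
        reasons = []
        if avg_dur >= LONG_LIVED_SECONDS:
            reasons.append("long-lived")
        if cv <= PERIODIC_CV:
            reasons.append("periodic")
        if reasons:
            findings.append(Finding(src, dst, dport, len(conns), avg_dur, cv, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport}: {f.connections} connections, "
              f"mean {f.mean_duration:.0f}s, interval CV {f.interval_cv:.3f}, {', '.join(f.reasons)}")
```

On the constructed data only the 10.20.1.15 flow is reported: four half-hour sessions re-established almost to the second, while the 10.20.1.22 connections are short and irregular, and the internal SMB session is ignored. In practice the input would be NetFlow or firewall session exports, known SaaS endpoints would be allowlisted, and the periodicity test is the one that catches short beacons that never stay connected long enough to trip the duration threshold.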
Back in 2017, Group-IB confirmed that 20 companies across the globe had already fallen victim to the group. Conducting successful attacks on financial institutions and legal firms in the USA, UK and Russia, the group had primarily targeted card processing and interbank transfer systems, including AWS CBR (the Russian interbank transfer system) and SWIFT.
The first attack by MoneyTaker was recorded in spring 2016, when the group stole money from a US bank after gaining access to its card processing system (FirstData’s STAR processing system). The hackers then paused for almost four months before resuming with attacks on banks in Russia in September 2016, where their target was AWS CBR, the Russian interbank transfer system. In total, Group-IB recorded 10 MoneyTaker attacks against organisations in the US, UK and Russia in 2016. Since 2017, the geography of their attacks has narrowed to Russia and the US, and in 2018 Group-IB tracked two MoneyTaker attacks in Russia.
According to a blog on the company's website, MoneyTaker constantly changes its tools and tactics to bypass anti-virus and traditional security solutions. Most importantly, the group carefully eliminates its traces after completing each operation, which is why it has gone largely unnoticed.
“During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible," said Olga Kolosova, Chairperson of the Management Board, PIR Bank LLC. "At the moment, the bank is operating normally, and all Group-IB recommendations are applied and will be applied to the bank’s operations in the future in order to prevent new similar incidents.”