MoneyTaker hackers rob Russian bank - about $1 m stolen

News by SC Staff

An attack on PIR Bank (Russia) conducted by the MoneyTaker hacking group resulted in the theft of a million US dollars, stolen via the Russian Central Bank's Automated Workstation Client (similar to SWIFT).

An attack on PIR Bank (Russia) conducted by the MoneyTaker hacking group resulted in the theft of a million US dollars, stolen on July 3 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar to SWIFT). The money was transferred to 17 accounts at major Russian banks and cashed out. The criminals tried to ensure persistence in the bank’s network in preparation for subsequent attacks, but were detected and removed by Group-IB incident responders, the company told SC Media UK in an email.

PIR Bank lost at least £700,000 from its correspondent account at the Bank of Russia, reports Kommersant newspaper.

Olga Kolosova, chairperson of the management board of PIR Bank LLC, issued a press statement saying: "During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible. At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank's operations in the future in order to prevent new similar incidents."

Group-IB forensic specialists collected what they describe as "irrefutable digital evidence implicating MoneyTaker in the theft." This included specific tools and techniques used in previous MoneyTaker attacks on banks, as well as the IP addresses of their C&C servers. These hackers are primarily focused on card processing and interbank transfer systems (AWS CBR and SWIFT).

Group-IB reports that the entry point was a compromised router used by one of the bank’s regional branches. The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is described as characteristic of MoneyTaker and had been used by this group at least three times while attacking banks with regional branch networks.

To establish persistence in the banks’ systems and automate some stages of their attack, the MoneyTaker group traditionally use PowerShell scripts. When the criminals hacked the bank’s main network, they managed to gain access to AWS CBR (Automated Work Station Client of the Russian Central Bank), generate payment orders and send money in several tranches to mule accounts prepared in advance.

On the evening of 4 July, when bank employees found unauthorised transactions with large sums, they asked the regulator to block the AWS CBR digital signature keys, but failed to stop the financial transfers in time. Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.

Simultaneously, the attackers used a technique characteristic of MoneyTaker to cover their tracks in the system – they cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation.

The criminals also left some ‘reverse shells’, programs that connected the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and gain access to the network. During incident response this was detected by Group-IB employees and removed by the bank’s sysadmins.

In a press statement, Valeriy Baulin, head of digital forensics lab Group-IB, commented: "This is not the first successful attack on a Russian bank with money withdrawal since early 2018. We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. As for withdrawal schemes, each group specialising in targeted attacks – Cobalt, Silence and MoneyTaker (these have been the most active groups in 2018) – have their own scheme depending on the amounts and cashout scenarios.

"We should understand that attacks on AWS CBR are difficult to implement and are not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully. A 2016 incident, when MoneyTaker hackers withdrew about US$ 2 million (£1.5 million) using their own self-titled program, remains one of the largest attacks of this kind."

Group-IB reported in December that MoneyTaker had conducted 16 attacks in the US, five attacks on Russian banks and one attack on a banking software company in the UK. The average damage caused by one attack in the US amounted to US$ 500,000 (£380,000). In Russia, the average amount of money withdrawn is £900,000 per incident. In addition to money, the criminals steal documents about interbank payment systems needed to prepare for subsequent attacks.