Content, Breach, Malware

Report: MoneyTaker Hackers Stole $10 Million from U.S., Russia Banks Using Stealthy Malware

Stealthy Russia-tied hackers, dubbed MoneyTaker, quietly stole up to $10 million from global banks in the last 18 months, including $8 million from the U.S. while maneuvering without detection, Group-IB, a Moscow-based security provider uncovered.

In the U.S., the covert hackers used eponymous, self-destructing “fileless malware” to hit ATMs in mostly community banks by relying on publicly available software tools, the report said. Group IB found that the cyber crooks have sneaked into 16 U.S. banks and two in Russia using bogus credit card transactions to infiltrate payment processing systems. The cyber attackers, whose identity is unknown, also reportedly compromised a U.K.-based software and services provider. In a blog post, Group-IB called the mysterious hacking cell the "invisible being."

So far this year, the nefarious unknowns have infiltrated eight U.S. banks, a law firm and a Russian bank, according to Group-IB’s research. Over the course of its rampage, MoneyTakers walked away with $500,000 on average from its victims. Part of the gang’s tactics involved pilfered documents from the global financial transfer system Swift, the report said.

Evidence of MoneyTaker’s crime spree first appeared in May, 2016, when the group invaded a banking portal operated by First Data. The robbers subsequently moved onto targets in at least seven other U.S. states, ranging across the country from California to North Carolina. Expect additional attacks to continue in other geographies, Group-IB said.

At this point, it’s unclear if the operatives are Russian-based or Russian-speaking, IB-Group said. What is known, however, is MoneyTaker transferred stolen documents to Russian services Mail.ru and Yandex. Heisting bank documents was only part of the hacker’s strategy -- it would remain inside a network afterwards to lurk around, the report said.

“Incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice," said Dmitry Volkov, Group-IB co-founder and head of intelligence.

According to Group-IB, here’s how the crime outfit has operating thus far:

"After taking control over the bank's network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked. Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin.

"After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs, one by one."

The MoneyTaker operation drew a warning from security specialist AttackIQ. “We have entered a new phase of cyber requiring organizations to validate their security controls on a continuous basis,” said Stephan Chenette, AttackIQ CEO. “Because ultimately, the cost of testing is far less expensive than the costs of recovery from a breach.”

Chenette said that even though many organizations have security controls that prevent attackers from breaching systems such as Swift and ATM networks, “in many cases, misconfigurations in these security controls and logging mechanisms create protection failures that allow adversaries to gain access to these critical systems without the owner finding out in a timely manner.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.