Earlier this month, cyber bank robbers stole $1 million from Russia’s PIR Bank. The post-mortem forensics all point to MoneyTaker, the notorious hacking group, which over the last two years has quietly stolen more than $10 million from banks around the world and whose identity remains unknown.
These hackers focus mainly on card processing and interbank transfer systems. In this instance, as in the previous bank burglaries, Group-IB, a Moscow-based security provider, traced MoneyTaker’s steps. Here’s what they found (see Group-IB’s blog for full details):
Timeline.
- The attack started in late May, when MoneyTaker infected a router at the bank, then used it to reach the internal network and a computer it could compromise.
- Funds were stolen on July 3 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar to SWIFT), transferred to 17 accounts at major Russian banks and cashed out.
- The bank noticed the withdrawals while they were in progress and took measures to stop them, but most of the funds, reportedly $920,000, were already gone.
Forensics.
- Group-IB found tools and techniques consistent with those MoneyTaker had previously used against banks, along with the IP addresses of the group’s command-and-control servers.
- The entry point was an infected router used by one of the bank’s regional branches. Through the router the hackers gained direct access to the bank’s local network, a characteristic tactic of MoneyTaker, IB said, used three times to date when it hit banks with branch networks.
- Most of the stolen money was transferred to cards of the 17 largest banks on July 4 and immediately siphoned off by money mules in ATM withdrawals.
- The burglars covered their tracks by clearing OS logs on many computers, slowing incident response and the initial investigation.
“This is not the first successful attack on a Russian bank with money withdrawal since early 2018. We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed,” wrote Valeriy Baulin, who heads Group-IB’s digital forensics lab.
Defense.
- Since the entry point in most of MoneyTaker’s successful attacks was a router, keeping router firmware current is mandatory. Testing for brute-force weaknesses and detecting changes to router configuration in a timely manner is equally critical, Group-IB said.
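One way to put the last recommendation into practice is to pull each router’s running configuration on a schedule and compare it against a known-good baseline. The script below is an added example, not Group-IB’s tooling or anything from the article; the two configurations are constructed for illustration, and the “current” one shows a change a defender would want flagged (management access widened to telnet, an access list removed).

```python
"""Detect router configuration drift against a known-good baseline.

Added example: assumes config text is pulled from the device on a schedule
(vendor CLI, API, or backup job) and stored as plain text. Sample configs
below are constructed, not taken from any real device.
"""
import difflib
import hashlib
import re

# Lines that legitimately change between pulls and must not raise an alert.
VOLATILE = re.compile(r"^(!\s*Last configuration change.*|ntp clock-period .*)$")


def normalize(config: str) -> list[str]:
    """Drop volatile lines, blank lines and trailing whitespace."""
    lines = (line.rstrip() for line in config.splitlines())
    return [line for line in lines if line and not VOLATILE.match(line)]


def fingerprint(config: str) -> str:
    """Stable SHA-256 over the normalized configuration."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def detect_drift(baseline: str, current: str) -> list[str]:
    """Return added/removed config lines; an empty list means no drift."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    diff = difflib.unified_diff(normalize(baseline), normalize(current), lineterm="", n=0)
    return [l for l in diff if l[:1] in "+-" and not l.startswith(("+++", "---"))]


# Constructed sample: the baseline restricts VTY access to SSH from an ACL.
BASELINE = """\
! Last configuration change at 09:12:01 UTC Mon May 7 2018
hostname branch-rtr-01
ip route 0.0.0.0 0.0.0.0 203.0.113.1
line vty 0 4
 transport input ssh
 access-class 10 in
"""

# Constructed sample: the pulled config now allows telnet and dropped the ACL.
CURRENT = """\
! Last configuration change at 02:41:13 UTC Tue May 29 2018
hostname branch-rtr-01
ip route 0.0.0.0 0.0.0.0 203.0.113.1
line vty 0 4
 transport input ssh telnet
"""

if __name__ == "__main__":
    for change in detect_drift(BASELINE, CURRENT):
        print(change)
```

Only the volatile timestamp differs between a rebooted device and its baseline, so the fingerprint stays equal and nothing is reported; the three changed lines above are the kind of drift worth routing to the SOC.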
Epilogue.
- As of last December, by Group-IB’s count MoneyTaker had conducted 16 attacks in the U.S., five attacks on Russian banks and one attack on a banking software company in the UK. The average damage from one attack in the U.S. was $500,000. In Russia, the average amount withdrawn is $1.2 million per incident. Since 2017, the geography of MoneyTaker's attacks has shrunk to Russia and the U.S. In the U.S., the covert hackers used eponymous, self-destructing “fileless malware” to hit ATMs, mostly at community banks, relying on publicly available software tools.
P.S.
- In addition to money, the criminals steal documents about interbank payment systems, ostensibly to prepare for future attacks.