Russian hacking group steals more than $10 million from U.S. banks

Group-IB, a Moscow-based security firm, has discovered a new group of Russian-speaking hackers who have stolen millions of dollars through international heists since May 2016.

In a 36-page report published on Monday, Group-IB, which runs the largest computer forensics laboratory in eastern Europe, provided details of the newly disclosed hacking group “MoneyTaker”, named after a piece of custom malware it uses. According to Group-IB, the hacking group has carried out more than 20 successful attacks on financial institutions and legal firms in the U.S., UK and Russia in the last two months alone.

The MoneyTaker group stole funds by targeting electronic funds transfer networks such as SWIFT (Society for Worldwide Interbank Financial Telecommunication). It also targeted law firms and financial software vendors. Group-IB has confirmed that 20 companies were successfully hacked: 16 of the attacks were on U.S. organizations, three on Russian banks, and one on an IT company in the UK.

In the U.S., the group primarily targeted smaller community banks and stole money by infiltrating card processing and interbank systems, including AWS CBR (the Russian Interbank System) and the SWIFT international bank messaging service. Their activity went unnoticed for a year and a half.

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” said Dmitry Volkov, Group-IB co-founder and head of intelligence. “In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice.”

The first attack happened in the spring of 2016, when money was stolen from a bank by breaching its “STAR” network, a bank transfer messaging system that connects 5,000 ATMs in the U.S.

MoneyTaker members also targeted an interbank network known as AWS CBR, which interfaces with Russia’s central bank. The hackers also stole internal documents related to the SWIFT banking system, although there’s no evidence they have successfully carried out attacks over it.

“The scheme is extremely simple. After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked. Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin,” said the Group-IB.

“After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs, one by one. The average loss caused by one attack was about $500,000 USD.”
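As an added defender-side example (not part of this article or of Group-IB's report): a Python heuristic over constructed card-processing audit records and ATM withdrawal records that flags cards whose withdrawal or overdraft limits were loosened shortly before a burst of ATM cash-outs, the pattern described above. Field names, action labels, thresholds and the sample data are all assumptions.

```python
from datetime import datetime, timedelta

# Limit changes that, in the scheme described above, precede the mule cash-outs.
RISKY_LIMIT_ACTIONS = {"withdraw_limit_removed", "withdraw_limit_increased", "overdraft_limit_removed"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def _atm(ts, card, amount, country):
    return {"ts": ts, "card": card, "amount": amount, "country": country}

# Constructed sample data (not real records); card ids are placeholders.
LIMIT_EVENTS = [
    {"ts": "2016-05-02T02:10:00", "card": "4000-0001", "action": "withdraw_limit_removed"},
    {"ts": "2016-05-02T02:11:00", "card": "4000-0001", "action": "overdraft_limit_removed"},
    {"ts": "2016-05-02T09:30:00", "card": "4000-0002", "action": "withdraw_limit_increased"},
    {"ts": "2016-05-03T10:00:00", "card": "4000-0003", "action": "pin_changed"},
]
ATM_EVENTS = [
    _atm("2016-05-02T02:35:00", "4000-0001", 500, "MX"),
    _atm("2016-05-02T02:41:00", "4000-0001", 500, "MX"),
    _atm("2016-05-02T02:48:00", "4000-0001", 500, "MX"),
    _atm("2016-05-02T02:55:00", "4000-0001", 500, "MX"),
    _atm("2016-05-02T12:00:00", "4000-0002", 200, "US"),  # limit raised, one withdrawal
    _atm("2016-05-03T10:30:00", "4000-0003", 100, "US"),  # limit untouched, normal use
]

def find_suspicious_cards(limit_events, atm_events, window_hours=24,
                          min_withdrawals=4, home_country="US"):
    """Flag cards whose limits were loosened and then used for >= min_withdrawals
    ATM withdrawals within window_hours of the first change."""
    by_card = {}
    for ev in limit_events:
        if ev["action"] in RISKY_LIMIT_ACTIONS:
            by_card.setdefault(ev["card"], []).append(ev)
    flagged = {}
    for card, evs in by_card.items():
        start = min(_ts(e["ts"]) for e in evs)
        end = start + timedelta(hours=window_hours)
        hits = [w for w in atm_events
                if w["card"] == card and start <= _ts(w["ts"]) <= end]
        if len(hits) < min_withdrawals:
            continue  # a loosened limit alone is not evidence of fraud
        flagged[card] = {
            "triggers": sorted({e["action"] for e in evs}),
            "withdrawals": len(hits),
            "total": sum(w["amount"] for w in hits),
            "foreign_countries": sorted({w["country"] for w in hits if w["country"] != home_country}),
        }
    return flagged
```

In practice the limit-change records would also carry the operator account and source host, so that changes made outside business hours or from an unexpected workstation can be weighted more heavily.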

In Russia, $1.2 million was stolen per attack. Last year, stolen SWIFT account credentials were used by online criminals to steal $81 million from a bank in Bangladesh. The amount of information MoneyTaker has collected on the STAR, SWIFT and AWS CBR networks increases the likelihood that the group will carry out more attacks targeting interbank payment systems, Group-IB said.

“A number of incidents with copied documents that describe how to make transfers through SWIFT are being investigated by Group-IB. Their contents and geography indicate that banks in Latin America may be targeted next by MoneyTaker,” company officials said in a statement.

“Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations,” they added.

“The more we dig, the more we’ll find,” Group-IB’s Volkov said. “This report doesn’t represent the full picture, and I can say with 100 percent certainty that there are more victims that haven’t been identified yet.”

Source: The Register