MoneyTaker hackers breach Russian bank via outdated router to steal nearly $1 million

• The prolific hacking group has been active since at least 2016.
• The group previously targeted at least 16 attacks on US organizations, 3 attacks on Russian banks and 1 in the UK.

Notorious hacker group MoneyTaker managed to infiltrate a Russian bank and steal nearly $1 million by exploiting an outdated branch router. The heist at Russia's PIR Bank occurred on July 3, about five weeks after the hacking outfit gained initial access to the bank's network by compromising a router used at a regional branch.

According to local news reports, the hackers managed to steal an estimated $910,000 worth of rubles.

Russian cybersecurity firm Group-IB was hired to investigate the incident and said they have collected "irrefutable digital evidence implicating MoneyTaker in the theft." The firm first detailed the group's existence and operations in a report published last December.

MoneyTaker has been targeting US, UK and Russian banks, financial institutions and legal firms since at least 2016. The hacker group primarily exploits card processing systems such as the AWS CBR (Russian Interbank System) and SWIFT to hijack financial transactions.

How the hack happened

In the latest heist, the hackers infiltrated PIR Bank's network in late May via an outdated router at one of the bank's region branches that "had tunnels that allowed the attackers to gain direct access to the bank's local network."

"This technique is a characteristic of MoneyTaker," Group-IB researchers said. "This scheme has already been used by this group at least three times while attacking banks with regional branch networks."

The group then infected the bank's local network with malware and used PowerShell scripts to gain persistence in the bank's systems and automate stages of their attack whilst evading detection.

"When the criminals hacked the bank’s main network, they managed to gain access to AWS CBR (Automated Work Station Client of the Russian Central Bank), generate payment orders, and send money in several tranches to mule accounts prepared in advance," researchers said. The group used this compromised system to transfer funds from PIR Bank to cards of the 17 largest banks. The stolen funds were immediately withdrawn by money mules from ATMs across the country.

On July 4, PIR Bank employees discovered the unauthorized transactions and attempted to block the AWS CBR digital signature keys and stop the transfers. However, it was too late.

"Simultaneously, the attackers used a technique characteristic of MoneyTaker to cover their tracks in the system–they cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation," researchers said. "Moreover, the criminals left some 'reverse shells', programs that connected the hackers' servers from the bank's network and waited for new commands to conduct new attacks and again gain access to the network.

"During incident response, this was detected by Group-IB employees and removed by the bank's sysadmins."

Since 2016, MoneyTaker has stolen tens of millions from banks with average losses of $500,000 per incident in the US and $1.2 million in Russia. The group has carried out at least 16 cyber attacks on US organizations, 3 attacks on Russian banks and 1 in the UK.