Dark Reading
Products and Releases

New MoneyTaker case resulting in theft of $1M from Russian bank

Moscow, 19.07.2018 – Group-IB, one of the global leaders in preventing high-tech crimes and providing high-fidelity threat intelligence and anti-fraud solutions, is conducting incident response on an attack on PIR Bank (Russia) by the MoneyTaker hacking group, which resulted in the theft of 1 million US dollars. Funds were stolen on July 3 through the Russian Central Bank's Automated Workstation Client (an interbank fund transfer system similar to SWIFT), transferred to 17 accounts at major Russian banks and cashed out. After that, the criminals tried to ensure persistence in the bank's network in preparation for subsequent attacks, but were detected and removed by Group-IB incident responders.

According to Kommersant newspaper, PIR Bank lost around $920,000 (which is a conservative estimate) from their correspondent account at the Bank of Russia. PIR Bank officially confirmed the attack initially, adding at that time they were unable to determine the exact amount of losses. PIR staff managed to delay withdrawal of some stolen funds, but it is clear that most are lost. In order to respond to the incident, PIR Bank staff engaged Group-IB.

“During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible. At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank's operations in the future in order to prevent new similar incidents,” said Olga Kolosova, Chairperson of the Management Board of PIR Bank LLC.

After studying infected workstations and servers at the financial institution, Group-IB forensic specialists collected irrefutable digital evidence implicating MoneyTaker in the theft. In particular, the experts discovered specific tools and techniques that had been used earlier by MoneyTaker to attack banks, as well as the IP addresses of their C&C servers. Recommendations for prevention of similar attacks have been circulated to financial institutions that are Group-IB's clients and partners, including the Central Bank of Russia. MoneyTaker is a criminal group specializing in targeted attacks on financial institutions, which was investigated by Group-IB experts in December 2017 in their analytic report called MoneyTaker: 1.5 Years of Silent Operations. These hackers are mainly focused on card processing and interbank transfer systems (AWS CBR and SWIFT).



What happened at PIR Bank?

During incident response, Group-IB confirmed that the attack on PIR Bank started in late May 2018. The entry point was a compromised router used by one of the bank's regional branches. The router had tunnels that allowed the attackers to gain direct access to the bank's local network. This technique is characteristic of MoneyTaker: the group has already used this scheme at least three times while attacking banks with regional branch networks.

To establish persistence in the bank's systems and automate some stages of their attack, the MoneyTaker group traditionally uses PowerShell scripts. This technique was analyzed in detail by Group-IB experts in their December report. Once the criminals had compromised the bank's main network, they managed to gain access to AWS CBR (Automated Work Station Client of the Russian Central Bank), generate payment orders and send money in several tranches to mule accounts prepared in advance.

On the evening of July 4, when bank employees found unauthorized transactions with large sums, they asked the regulator to block the AWS CBR digital signature keys, but failed to stop the financial transfers in time. Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.

Simultaneously, the attackers used a technique characteristic of MoneyTaker to cover their tracks in the system – they cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation.
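Log clearing on many hosts at once is itself a strong detection signal. The following is an added example (not code from the press release or from Group-IB) showing how a defender can pick out Windows event-log clearing records from forwarded events and flag the "many computers in a short window" pattern rather than a single housekeeping action. It assumes events have already been normalized into dictionaries with `host`, `time`, `channel`, `event_id` and `user` fields (that schema is an assumption); the event IDs used, 1102 for the Security log and 104 for the System/Application logs, are the standard Windows log-cleared events. The sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the page): Windows event records as a
# SIEM might receive them. Field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"host": "ws01",   "time": "2018-07-04T18:02:11", "channel": "Security", "event_id": 4624, "user": "jdoe"},
    {"host": "ws01",   "time": "2018-07-04T18:05:40", "channel": "Security", "event_id": 1102, "user": "svc_backup"},
    {"host": "ws02",   "time": "2018-07-04T18:06:02", "channel": "System",   "event_id": 104,  "user": "svc_backup"},
    {"host": "ws03",   "time": "2018-07-04T18:07:15", "channel": "Security", "event_id": 1102, "user": "svc_backup"},
    {"host": "srv-db", "time": "2018-07-04T18:07:50", "channel": "Security", "event_id": 1102, "user": "svc_backup"},
    {"host": "ws09",   "time": "2018-07-05T09:30:00", "channel": "Security", "event_id": 1102, "user": "helpdesk"},
]

# (channel, event id) pairs that record an event log being cleared.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104), ("Application", 104)}


def find_log_clears(events):
    """Return every log-clearing event, oldest first."""
    hits = [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEAR_IDS]
    return sorted(hits, key=lambda e: e["time"])


def clustered_clears(events, window=timedelta(minutes=15), min_hosts=3):
    """Group log-clearing events into time windows and return the windows in
    which at least `min_hosts` distinct hosts were wiped. One admin clearing
    one log is noise; several hosts wiped within minutes is the anti-forensics
    pattern described in the incident."""
    clears = find_log_clears(events)
    alerts = []
    i = 0
    while i < len(clears):
        start = datetime.fromisoformat(clears[i]["time"])
        j = i
        hosts = set()
        # Extend the window while events fall within `window` of the first one.
        while j < len(clears) and datetime.fromisoformat(clears[j]["time"]) - start <= window:
            hosts.add(clears[j]["host"])
            j += 1
        if len(hosts) >= min_hosts:
            alerts.append({
                "start": clears[i]["time"],
                "end": clears[j - 1]["time"],
                "hosts": sorted(hosts),
                "users": sorted({c["user"] for c in clears[i:j]}),
            })
        i = j
    return alerts


if __name__ == "__main__":
    for alert in clustered_clears(SAMPLE_EVENTS):
        print(f"{alert['start']}..{alert['end']}: logs cleared on "
              f"{len(alert['hosts'])} hosts by {alert['users']}")
```

Even a single 1102 event is worth a ticket, but the clustered form is what separates a coordinated wipe from routine administration; the account that performed the clearing (here a single service account across all hosts) is usually the first pivot for the investigation.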

Moreover, the criminals left some so-called 'reverse shells', programs that connected back to the hackers' servers from the bank's network and waited for new commands to conduct new attacks and regain access to the network. During incident response these were detected by Group-IB employees and removed by the bank's sysadmins.

"This is not the first successful attack on a Russian bank with money withdrawal since early 2018," says Valeriy Baulin, Head of Digital Forensics Lab Group-IB. "We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. As for withdrawal schemes, each group specializing in targeted attacks – Cobalt, Silence and MoneyTaker (these have been the most active groups in 2018) – have their own scheme depending on the amounts and cashout scenarios. We should understand that attacks on AWS CBR are difficult to implement and are not conducted very often, because many hackers just cannot 'work on computers with AWS CBR' successfully. A 2016 incident, when MoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind."


Who are MoneyTaker and why is it so difficult to catch them?


The first attack by MoneyTaker was recorded in spring 2016, when they stole money from a U.S. bank after gaining access to the card processing system (FirstData's STAR processing system). After that, the hackers did not conduct attacks for almost 4 months and only attacked banks in Russia in September 2016. In these instances, their target was AWS CBR, the Russian interbank transfer system. In general, in 2016, Group-IB recorded 10 MoneyTaker attacks against organisations in the U.S., UK and Russia. Since 2017, the geography of their attacks has shrunk to Russia and the U.S. In 2018, Group-IB tracked two MoneyTaker attacks in Russia.

MoneyTaker has its own set of specific TTPs. The hackers try to go unnoticed, use ‘one-time’ infrastructure, ‘fileless’ software and carefully cover up traces of their presence. This involves specific usages of Metasploit and PowerShell Empire frameworks. 

It is evident that MoneyTaker is one of the top threats to banks all over the world. In connection with the incident at PIR Bank, Group-IB gave recommendations to security departments of financial institutions on how to minimize the danger presented by MoneyTaker. Since the entry point in most successful attacks conducted by this group was routers, it is first necessary to check that router firmware is up to date, test systems for brute-force vulnerabilities, and detect changes in router configuration in a timely manner.
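The last recommendation, detecting router configuration changes in a timely manner, is the control that would have surfaced the tunnels added to the branch router described earlier. The following is an added example (not code from the press release or from Group-IB) of a configuration-drift check: it normalizes two saved configs, ignores lines that change on every save, computes a stable fingerprint, diffs the rest, and escalates when an added line creates a tunnel interface, a remote tunnel endpoint or weaker management access. The sample configs are constructed in Cisco-IOS-like syntax purely for illustration, and the high-risk patterns are an assumption to be adapted to the platform in use.

```python
import difflib
import hashlib
import re

# Constructed sample configs (hypothetical, not from the page). IOS-like
# syntax is assumed only for illustration.
BASELINE_CONFIG = """\
! Last configuration change at 10:02:11 UTC Mon Apr 2 2018
hostname branch-rtr-01
interface GigabitEthernet0/0
 ip address 10.20.0.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.248
line vty 0 4
 login local
 transport input ssh
"""

CURRENT_CONFIG = """\
! Last configuration change at 23:41:09 UTC Tue May 29 2018
hostname branch-rtr-01
interface GigabitEthernet0/0
 ip address 10.20.0.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 203.0.113.10 255.255.255.248
interface Tunnel0
 ip address 172.31.255.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.77
line vty 0 4
 login local
 transport input ssh telnet
"""

# Lines that change on every save and carry no configuration meaning.
VOLATILE = re.compile(r"^!\s*(Last configuration change|NVRAM config last updated)")

# Added lines that deserve immediate escalation: new tunnel interfaces, tunnel
# endpoints, NAT/crypto changes, or telnet re-enabled on the management lines.
# These patterns are an assumption of this example; tune them per platform.
HIGH_RISK = re.compile(
    r"^(interface Tunnel|\s*tunnel (source|destination)|\s*transport input .*telnet"
    r"|\s*crypto map|\s*ip nat)",
    re.IGNORECASE,
)


def normalize(config):
    """Drop blank and volatile lines; keep indentation, which carries meaning."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip() and not VOLATILE.match(ln)]


def config_fingerprint(config):
    """SHA-256 over the normalized config, so a re-save with only a new
    timestamp does not raise an alert."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def config_diff(baseline, current):
    """Return (added, removed) lines between two configs."""
    added, removed = [], []
    for line in difflib.unified_diff(normalize(baseline), normalize(current), lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue  # diff headers, not config lines
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def assess(baseline, current):
    """Classify a change as 'unchanged', 'review' (any real change) or
    'alert' (a high-risk line was added)."""
    if config_fingerprint(baseline) == config_fingerprint(current):
        return {"status": "unchanged", "added": [], "removed": [], "high_risk": []}
    added, removed = config_diff(baseline, current)
    high = [ln for ln in added if HIGH_RISK.match(ln)]
    return {"status": "alert" if high else "review",
            "added": added, "removed": removed, "high_risk": high}


if __name__ == "__main__":
    result = assess(BASELINE_CONFIG, CURRENT_CONFIG)
    print(result["status"])
    for ln in result["high_risk"]:
        print("  HIGH RISK:", ln.strip())
```

Run this against each nightly config backup compared with the last approved baseline; any 'alert' should be reconciled with the change-management record before the next business day, since a tunnel that appears without a ticket is exactly the kind of foothold the incident above began with.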


According to the Group-IB report published in December, at that time, MoneyTaker had conducted 16 attacks in the U.S., five attacks on Russian banks and one attack on a banking software company in the UK. The average damage caused by one attack in the U.S. amounted to $500,000. In Russia, the average amount of money withdrawn is 1.2 million USD per incident. In addition to money, the criminals steal documents about interbank payment systems needed to prepare for subsequent attacks. Incident response and investigations continue.


About Group-IB

Group-IB is one of the global leaders in preventing and investigating high-tech crimes and online fraud. The company is recognized by Gartner as a threat intelligence vendor with a strong cyber security focus and the ability to provide leading insight into the Eastern European region, and is recommended by the Organization for Security and Co-operation in Europe (OSCE). The company is a permanent member of the World Economic Forum. Group-IB's experience has been fused into an eco-system of highly sophisticated software and hardware solutions to monitor, identify and prevent cyber threats. Group-IB runs the largest computer forensics laboratory in Eastern Europe, as well as an official computer emergency response team, CERT-GIB. In 2017, the company was recognized by IDC as a leading player on the Russian threat intelligence services market.
