Russia's PIR Bank lost $1 million after hackers infiltrated the bank's systems via a compromised router installed at a regional branch.
Funds were stolen on 3 July through the Russian Central Bank's Automated Workstation Client - an interbank fund transfer system similar to Swift - then transferred to 17 accounts at major Russian banks and cashed out. After that, the criminals tried to establish persistence in the bank's network in preparation for subsequent attacks, but were detected and removed by forensic investigators from Group-IB, who were contracted by the bank after the funds were looted.
Group-IB has laid the blame at the door of the infamous MoneyTaker hacking group, which it bills as "one of the top threats to banks all over the world". The shady collective first appeared in spring 2016, and Group-IB says MoneyTaker's fingerprints are all over a spate of attacks that have since afflicted banks in the UK, US and Russia.
In the PIR Bank attack, Group-IB discovered specific tools and techniques that had been used earlier by MoneyTaker to attack banks, as well as the IP addresses of their C&C servers.
In this instance, MoneyTaker gained access to PIR Bank servers via an outdated router used at a regional branch. Once inside the network, the hackers penetrated the interface to the funds transfer system, generating payment orders and sending money in several tranches to mule accounts prepared in advance.
"This is not the first successful attack on a Russian bank with money withdrawal since early 2018," says Valeriy Baulin, head of Group-IB's forensics lab. "We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. A 2016 incident, when MoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind."
Update: An earlier version of this report included a statement by Group-IB that the first victim of the MoneyTaker hacking collective was a US bank compromised by an attack on First Data's Star network. Despite multiple reports across the Internet repeating that claim, and Group-IB's continued insistence on it, First Data maintains that the Russian security company is misinformed.
In a statement, First Data says: “First Data’s Star Network was not compromised in an incident referenced by a recent report from Group-IB regarding a third party that accessed bank computer systems.
In early 2016, Star became aware that a third party had been targeting small financial institutions to gain access to the institutions’ computer systems. By accessing the bank’s computer systems, the unauthorized party was able to obtain and use the institution’s login credentials for the Star Station, where financial institutions administer their Star-issued debit cards. In addition to reporting all incidents to regulators, and providing assistance to the banks who were victimized, Star further assisted financial institutions by implementing additional mandatory authentication measures and controls.”