STICK 'EM UP!

$1 million heist on Russian bank started with hack of branch router

MoneyTaker strikes again.

A prolific hacking group has struck again, this time stealing close to $1 million from Russia’s PIR Bank. The July 3 heist came about five weeks after the sophisticated hackers first gained access to the bank’s network by compromising a router used by a regional branch.

The theft—which according to kommersant.ru is conservatively estimated at about $910,000—is the latest achievement of a group researchers at security firm Group-IB call the MoneyTaker group. In a report published last November that first detailed the group, researchers said its members had conducted 20 successful attacks on financial institutions and legal firms in the US, UK, and Russia. In a follow-up report, Group-IB said MoneyTaker netted about $14 million in the hacks, 16 of which were carried out on US targets, five on Russian banks, and one on a banking-software company in the UK.

While MoneyTaker is skilled at concealing its activities, Group-IB was able to connect the heists by tracing a common set of tactics, techniques, and procedures. After initially gaining access to a target’s network, members often spend months doing reconnaissance in an effort to elevate system privileges to those of a domain administrator. Members also try to remain active inside hacked networks long after the heists are carried out. The attackers also use a variety of freely available tools popular among hackers and security professionals alike, including the Metasploit exploit framework, Microsoft’s PowerShell management framework, and various Visual Basic scripts.

The attackers also use several custom-made pieces of malware, including their namesake, the MoneyTaker v5.0. Much of the malware is “fileless,” meaning it exists only in computer memory and isn’t stored on hard drives. Their distributed command-and-control infrastructure includes a server that delivers payloads only to IP addresses whitelisted by the group. An earlier hack of a Russian bank’s internal network was initiated by gaining access to the home computer of one of its system admins.

This month’s attack on the PIR Bank fit the same pattern. According to an emailed release from Group-IB:

From Incident Response, Group-IB confirmed that the attack on PIR Bank started in late May 2018. The entry point was a compromised router used by one of the bank’s regional branches. The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks.

To establish persistence in the banks’ systems and automate some stages of their attack, the MoneyTaker group traditionally uses PowerShell scripts. This technique was analyzed in detail by Group-IB experts in their December report. When the criminals hacked the bank’s main network, they managed to gain access to AWS CBR (Automated Work Station Client of the Russian Central Bank), generate payment orders, and send money in several tranches to mule accounts prepared in advance.

On the evening of July 4, when bank employees found unauthorized transactions with large sums, they asked the regulator to block the AWS CBR digital signature keys but failed to stop the financial transfers in time. Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.

Simultaneously, the attackers used a technique characteristic of MoneyTaker to cover their tracks in the system: they cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation.

Moreover, the criminals left some so-called ‘reverse shells,’ programs that connected to the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and regain access to the network. During incident response, this was detected by Group-IB employees and removed by the bank’s sysadmins.

Group-IB has provided additional details and recommended preventative steps to customers.
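The log clearing described in the Group-IB release above is itself loud: Windows writes a record when a log is wiped (Event ID 1102 in the Security log, Event ID 104 in the System log for other logs), and those records are the detection hook. The script below is an added example, not code from the article or from Group-IB; it runs over constructed JSON event records (the host names, users and timestamps are made up) and flags every clearing event, then treats clearing on several hosts as one campaign-level signal.

```python
# Added example (not from the article or Group-IB): flag event-log clearing
# of the kind described in the release, over constructed Windows event records.
import json
from collections import defaultdict

# Windows records clearing of the Security log as Event ID 1102 and clearing
# of other logs as Event ID 104 in the System log (source Microsoft-Windows-Eventlog).
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample records, one JSON object per line (not real bank telemetry).
SAMPLE_EVENTS = """\
{"host": "br-ws-01", "channel": "Security", "event_id": 4624, "user": "svc_backup", "time": "2018-07-04T18:02:11"}
{"host": "br-ws-01", "channel": "Security", "event_id": 1102, "user": "svc_backup", "time": "2018-07-04T18:05:40"}
{"host": "br-ws-01", "channel": "System", "event_id": 104, "user": "svc_backup", "time": "2018-07-04T18:05:41", "log": "Microsoft-Windows-PowerShell/Operational"}
{"host": "hq-db-02", "channel": "Security", "event_id": 4688, "user": "dbadmin", "time": "2018-07-04T18:06:00"}
{"host": "hq-db-02", "channel": "Security", "event_id": 1102, "user": "dbadmin", "time": "2018-07-04T18:07:13"}
"""


def find_log_clearing(lines):
    """Return {host: [(time, user, cleared_log), ...]} for every clearing event."""
    hits = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if (rec["channel"], rec["event_id"]) in CLEAR_EVENTS:
            # A 104 record names the log that was cleared; 1102 is always Security.
            cleared = rec.get("log", rec["channel"])
            hits[rec["host"]].append((rec["time"], rec["user"], cleared))
    return dict(hits)


def hosts_with_mass_clearing(hits, min_hosts=2):
    """The release describes clearing on many computers; clearing seen on
    min_hosts or more hosts in one batch is treated as a campaign-level signal."""
    return sorted(hits) if len(hits) >= min_hosts else []


if __name__ == "__main__":
    hits = find_log_clearing(SAMPLE_EVENTS)
    for host, events in hits.items():
        for t, user, log in events:
            print(f"{t} {host}: '{log}' log cleared by {user}")
    print("campaign-wide clearing on:", hosts_with_mass_clearing(hits))
```

Forwarding logs to a collector the endpoint cannot wipe is what makes these records survive the clearing they describe.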