‘MoneyTaker’ Hacking Group Swipes $1m in Russian Bank Breach


Ted McKendall

Prolific hacking group ‘MoneyTaker’ has stolen approximately $1m from PIR Bank, after breaching the bank’s network through an outdated router.


Russian cyber-security firm Group-IB revealed the news in a press release earlier this week, saying that PIR Bank had lost approximately $920,000 in money stored in a corresponding account held at the Bank of Russia. After studying infected workstations and servers, the company said it found “irrefutable digital evidence” that MoneyTaker was behind the attack.


Analysts have traced the attack back to May and say that the entry point was a compromised router at one of the bank’s regional branches. The hackers used this router to infect the local network, and then used PowerShell scripts to automate certain parts of the attack without being detected. Having finally breached the main IT network, criminals were then able to access AWS CBR (Automated Work Station Client of the Russian Central Bank) to generate payment orders and send money in several batches to mule accounts that had been prepared in advance of the attack. As a result of this, criminals were able to reportedly transfer the money out to 17 different accounts at major Russian banks, where they then cashed out. Incredibly, this is the third time this one group has exploited an outdated router as its attack vector this year.

As an interesting aside, and further indicating the level of obfuscation to which criminals will go to cover their trails, MoneyTaker hackers cleared the OS logs on numerous computers in a bid to hinder the incident investigation, and also intriguingly left behind some ‘reverse shells’ – programs that connected from the bank’s network to the hackers’ C&C servers and which would wait for commands. In short, it appears as though the criminals were hopeful of using these reverse shells servers for future exploitation.


US Banks at Threat Too as Attacks Evolve

Worryingly, MoneyTaker’s growing notoriety appears to stretch far beyond the borders of Russia in an age where banks increasingly come under attack, regardless of whether they are in Baltimore, Berlin or Bangladesh. Experts have tied this particular group to thefts at US, UK, and Russian banks and financial institutions going back as far as 2016, with these attacks typically focused on infiltrating inter-banking money transfer and card processing systems such as the First Data STAR Network, SWIFT and the AWS CBR system.


Indeed, the group — supposedly named after its custom malware — has reportedly netted an average of $500,000 in 16 attacks against US companies and $1.2m in three attacks against Russian banks since May 2016.  In one attack alone, MoneyTaker hackers supposedly withdrew around $2m.


Even if these financial figures seem gaudy, these attacks are indicative of the global cybercrime landscape right now. Yet what is arguably more fascinating is how these attacks are unfolding. Using an outdated router is a common entry point onto corporate networks given the relative ease at which you can compromise a device to hijack web traffic or computers. But it is what the attackers do next that is interesting.

MoneyTaker is targeting banks and traditional financial institutions like every other malware group, but the criminals are playing a bigger game by going after the card processing and interbank transfer systems (like CBR and SWIFT) that are used by thousands of institutions worldwide. This is presumably with the view that by compromising the infrastructure, you potentially scale up your attack by all those organizations reliant on such systems. For instance, the MoneyTaker group has also stolen documentation for OceanSystems’ FedLink card processing system, which is used by approximately 200 banks in Latin America and the US.

The danger is that once they are inside these systems, criminals could use the intelligence they gather to develop more sophisticated attack techniques and technologies to use against financial services institutions. This is a threat we have to watch closely.


Banks in general are fighting a seemingly unwinnable cyberwar, with insufficient staff and disparate, outdated security tools. While recent MoneyTaker targets have been interbank systems, there is no shortage of hacking groups focused on other vectors, like compromising customer endpoints to perform fraudulent banking transactions. Rather than fighting today’s threats with inadequate security tools, banks must adopt modern technologies that protect transactions.


Trusted Knight’s patented Protector Air provides banks with full transaction stack protection. Full transaction stack protection focuses on individual transactions, irrespective of the integrity of either the endpoint device or the end user. Through its cloud-based solution it can protect against customer-side malware, prevent web application exploitation, block DDoS attacks, and stop transactional fraud. To learn more, click one of the buttons below.


Request a Free Trial Download Whitepaper Now