MoneyTakers, the infamous hacking group, gained access to the bank's funds through a single outdated router.
News has emerged that a professional cyber hacker group managed to steal almost US$1,000,000 from a Russian bank earlier this month, after the thieves gained access to the financial institution's internal networks through a router that had not been updated for some time.
After bypassing the out-of-date security protections, the hackers were able to monitor network traffic at PIR Bank for a number of weeks before clandestinely authorizing financial transactions that appeared to have been made by bank staff.
According to Group-IB, a Moscow-based security firm hired by PIR Bank to investigate and deal with the incident, the infamous MoneyTakers hacking group is to blame for the theft.
Group-IB and MoneyTakers are well-acquainted adversaries. The security firm was responsible for discovering the group's existence last year, when it published a report detailing the group's previous operations.
Several computers within PIR were eventually infected. Using forensic methods, Group-IB determined that the tools and techniques used matched those of previous raids by MoneyTakers, and that a single piece of hardware, a router, had been their access point.
Fast, but not fast enough…
Staff at PIR were quick to act once MoneyTakers actually started transferring money out of the bank, and managed to stop a large swathe of transactions from going through. The hackers were fast as well, however, and stole just short of a million dollars before the bank was able to respond.
Hey! Don’t I know you from somewhere?
“On the evening of July 4, when bank employees found unauthorized transactions with large sums, they asked the regulator to block the AWS CBR digital signature keys, but failed to stop the financial transfers in time,” Group-IB reported. “Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.”
PIR Bank was infiltrated in May of this year, but money was not stolen until the 3rd of July. MoneyTakers have previously successfully hacked 15 US banks, a US services provider, a UK banking software company, 5 Russian banks, and one Russian law firm.