MoneyTaker, a notorious group of hackers, managed to steal approximately $1 million from a bank by using an outdated router to breach the network. A cybersecurity firm was called in to investigate the incident before it was known who the thieves were, and stated that they found “irrefutable digital evidence implicating MoneyTaker in the theft.”
The victim of the hack was identified as PIR Bank, a Russian bank, according to a report by Bleeping Computer.
At least $920,000 stored in an associated account at the Bank of Russia was stolen by the hackers.
MoneyTaker used an outdated router at a regional branch to infiltrate the bank in late May.
“The router had tunnels that allowed the attackers to gain direct access to the bank’s local network,” said Group-IB. “This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks.”
Once the network was breached, hackers infected the system with malware and then used PowerShell scripts to carry out the attack undetected.
They managed to access the bank’s AWS CBR account, allowing them to control financial transactions.
On July 3, MoneyTaker transferred funds from the PIR Bank account at the Bank of Russia to 17 separate accounts the hackers had created. Moments after the money was stolen, mules made ATM withdrawals at various points across Russia.
The funds were discovered to be missing by the bank on July 4. By then, the transactions could not be reversed. Russian cybersecurity firm Group-IB was called in to investigate the incident. The firm is considered an expert on the tactics used by MoneyTaker and previously released a report discussing the hacker group's existence and the nature of its operations.
While MoneyTaker attempted to clear logs to cover their tracks, they were not fully successful, leaving enough information behind for Group-IB to identify them as the group likely responsible.
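The detail that log clearing did not fully succeed is the practical lesson for defenders: on Windows, clearing the Security log itself writes event 1102, clearing any other channel writes event 104 to the System log, and PowerShell records script blocks under event 4104 (with Level 3, Warning, for blocks Windows itself regards as suspicious). If those events are forwarded to a collector as they are written, wiping the local log does not remove the forwarded copy. The following is an added example, not code from the article or from Group-IB: a small detector run over constructed, forwarded-event records in JSON lines form. The event IDs and levels are documented Windows values; the host names, user name, timestamps and record layout are assumptions made for the example.

```python
"""Flag log-clearing and suspicious PowerShell script-block events in forwarded
Windows event records (one JSON object per line).

Added example: event IDs 1102, 104 and 4104 and the Warning level (3) are
documented Windows Event Log values; every record below is constructed for
illustration and is not taken from the incident described in the article.
"""
import json
from collections import defaultdict
from dataclasses import dataclass

# Documented Windows event IDs.
SECURITY_LOG_CLEARED = 1102   # Security channel: "The audit log was cleared"
EVENT_LOG_CLEARED = 104       # System channel: a log file was cleared
PS_SCRIPT_BLOCK = 4104        # Microsoft-Windows-PowerShell/Operational
LEVEL_WARNING = 3             # PowerShell marks suspicious script blocks Warning

# Constructed sample records (hypothetical hosts, user and timestamps).
SAMPLE_LINES = [
    '{"TimeCreated":"2018-01-01T08:10:00Z","Computer":"BRANCH-WS01","Channel":"Microsoft-Windows-PowerShell/Operational","EventID":4104,"Level":3}',
    '{"TimeCreated":"2018-01-01T08:12:00Z","Computer":"HQ-FS02","Channel":"Microsoft-Windows-PowerShell/Operational","EventID":4104,"Level":5}',
    'this line is deliberately malformed and must be skipped',
    '{"TimeCreated":"2018-01-01T08:40:00Z","Computer":"BRANCH-WS01","Channel":"Security","EventID":1102,"SubjectUserName":"svc_example"}',
    '{"TimeCreated":"2018-01-01T08:41:00Z","Computer":"BRANCH-WS01","Channel":"System","EventID":104,"ChannelCleared":"Microsoft-Windows-PowerShell/Operational"}',
]


@dataclass(frozen=True)
class Alert:
    host: str
    time: str
    event_id: int
    reason: str


def parse_events(lines):
    """Parse JSON-lines records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed input must not abort the whole batch
    return events


def detect(events):
    """Return one Alert per log-clearing or Warning-level script-block event."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        when = ev.get("TimeCreated", "?")
        channel = ev.get("Channel", "")
        if eid == SECURITY_LOG_CLEARED and channel == "Security":
            who = ev.get("SubjectUserName", "unknown")
            alerts.append(Alert(host, when, eid, f"Security log cleared by {who}"))
        elif eid == EVENT_LOG_CLEARED and channel == "System":
            cleared = ev.get("ChannelCleared", "an event log")
            alerts.append(Alert(host, when, eid, f"{cleared} cleared"))
        elif eid == PS_SCRIPT_BLOCK and ev.get("Level") == LEVEL_WARNING:
            alerts.append(Alert(host, when, eid, "PowerShell script block logged at Warning level"))
    return alerts


def hosts_with_clearing_after_powershell(alerts):
    """Hosts where a log-clearing alert follows a Warning-level script block.

    Records are ordered by TimeCreated within each host; ISO-8601 strings sort
    correctly as text when they share the same format and time zone.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    flagged = []
    for host, items in by_host.items():
        items.sort(key=lambda a: a.time)
        seen_ps = False
        for a in items:
            if a.event_id == PS_SCRIPT_BLOCK:
                seen_ps = True
            elif seen_ps and a.event_id in (SECURITY_LOG_CLEARED, EVENT_LOG_CLEARED):
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LINES))
    for a in found:
        print(f"{a.time} {a.host} {a.event_id}: {a.reason}")
    print("correlated hosts:", hosts_with_clearing_after_powershell(found))
```

The detector deliberately ignores Verbose-level 4104 records (every script block produces one when script block logging is enabled) and only keys on the Warning-level entries plus the two clearing events, which keeps the alert volume manageable on a collector that receives every forwarded event.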
MoneyTaker has been tied to thefts at US, Russian, and UK financial institutions going back as far as 2016, including another one against a Russian bank this year. During their three years in operation, estimates suggest they have stolen tens of millions of dollars.