Bank Hackers Exploit Outdated Router to Steal $1 Million
PIR Bank Robbed by Russia's MoneyTaker Gang, Investigators Say
Hackers stole at least $920,000 from Russia's PIR Bank after they successfully compromised an outdated, unsupported Cisco router at a bank branch office and used it to tunnel into the bank's local network.
"It was a Cisco 800 Series Router, with IOS 12.4, for which support ended in 2016," Sergey Nikitin, a digital forensic expert with Moscow-based cybersecurity and incident response firm Group-IB, tells Information Security Media Group.
The heist came to light after Russia's daily political and financial newspaper Kommersant on July 6 reported that the country's PIR Bank lost at least 58 million rubles ($920,000), and possibly much more, after hackers transferred money out of the bank's account at Bank of Russia, which is the country's central bank.
PIR Bank was reportedly able to recover some funds, but the majority of the transferred money appears to have been lost.
More details about the attack have now been released by Group-IB, which was hired by PIR Bank to investigate the heist that the bank discovered on the evening of July 4.
Based on attackers' techniques, including their extensive use of PowerShell scripts for gaining persistence on networks and automating parts of their attack, Group-IB has attributed the heist to a group it calls MoneyTaker.
MoneyTaker is one of the country's three most active cybercrime gangs - the others are Cobalt and Silence - that regularly target the financial services sector, Group-IB says (see Cobalt Cybercrime Gang Reboots After Alleged Leader's Bust).
The firm adds that this is at least the fourth time this year that MoneyTaker has successfully gained access to a bank's network by exploiting one of its regional branch's routers.
In December 2017, Group-IB published a report on MoneyTaker in which it said the gang, which primarily targets small community banks, had since mid-2016 stolen nearly $10 million from at least 20 financial services firms based in Russia, the United Kingdom and the United States. Sixteen of those victims were U.S.-based, the company reported, noting that the average haul from each attack was $500,000 (see Report: Russian Hackers Target Banks in US, Britain, Russia).
A 2016 incident, when MoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind, says Valeriy Baulin, who heads Group-IB's digital forensics lab. The firm reports that MoneyTaker often uses fileless malware, the open source Metasploit penetration testing software as well as "one-time infrastructure" to help cover its attacks.
The attack against PIR Bank is not the first such heist seen so far this year against a Russian bank. "We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed," Baulin says.
How Hackers Infiltrated PIR Bank
Group-IB says attackers began their attack in late May by exploiting the outdated router.
Nikitin at Group-IB says exploiting the router would not have been difficult, technically speaking.
"Nothing amazing [required], like a zero-day exploit. It is impossible to determine which CVE was used; of course there was no syslog or anything like that - it could simply just have been brute-forced," he says.
Brute-forcing a router would mean peppering it with login requests by running a dictionary attack that attempted to use many different usernames and passwords until one combination allowed attackers to successfully gain remote access.
CVE refers to Common Vulnerabilities and Exposures, a list of publicly known cybersecurity vulnerabilities maintained by MITRE.
Syslog is a way for devices such as routers to send event messages to a logging server, which can then be used to help spot attacks. It can also be used after the fact by incident responders to better understand how an organization was breached and what may have been stolen.
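As an added defender-side illustration, not part of the original article, the following Python parses Cisco IOS login syslog messages forwarded to a collector and flags any source address whose run of failed logins ends in a successful one, the trace a dictionary attack leaves when a router's logging is actually switched on. The message bodies follow Cisco IOS's %SEC_LOGIN format; the hostname, addresses and log lines are constructed.

```python
import re
from collections import defaultdict

# Cisco IOS login syslog bodies (%SEC_LOGIN-4-LOGIN_FAILED / -5-LOGIN_SUCCESS).
# Syslog headers differ between collectors, so only the body is matched.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\].*?\[Source: (?P<src>[\d.]+)\]"
)

# Constructed sample (not real bank logs): a dictionary attack from one
# source that ends in a success, one benign mistyped password from an
# admin host, and one unrelated message that must be ignored.
SAMPLE_SYSLOG = """\
Jun  4 12:00:01 rtr-branch: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 12:00:01 UTC Mon Jun 4 2018
Jun  4 12:00:02 rtr-branch: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 12:00:02 UTC Mon Jun 4 2018
Jun  4 12:00:03 rtr-branch: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 12:00:03 UTC Mon Jun 4 2018
Jun  4 12:00:04 rtr-branch: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: support] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 12:00:04 UTC Mon Jun 4 2018
Jun  4 12:00:05 rtr-branch: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 12:00:05 UTC Mon Jun 4 2018
Jun  4 12:00:06 rtr-branch: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 22] at 12:00:06 UTC Mon Jun 4 2018
Jun  4 12:01:00 rtr-branch: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.20.30.4] [localport: 22] [Reason: Login Authentication Failed] at 12:01:00 UTC Mon Jun 4 2018
Jun  4 12:01:05 rtr-branch: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.30.4] [localport: 22] at 12:01:05 UTC Mon Jun 4 2018
Jun  4 12:01:30 rtr-branch: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.30.4)
"""

def parse_login_events(lines):
    """Yield (event, user, source_ip) for each IOS login message."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("event"), m.group("user"), m.group("src")

def find_bruteforce(lines, threshold=5):
    """Flag sources with >= threshold failed logins, noting how many
    usernames were tried and whether a success from the same source
    followed (a guessed credential rather than a mistyped password)."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": False})
    for event, user, src in parse_login_events(lines):
        if event == "LOGIN_FAILED":
            stats[src]["failures"] += 1
            stats[src]["users"].add(user)
        elif src in stats and stats[src]["failures"] > 0:
            stats[src]["success_after"] = True
    return {src: {"failures": s["failures"],
                  "distinct_users": len(s["users"]),
                  "success_after": s["success_after"]}
            for src, s in stats.items() if s["failures"] >= threshold}
```

Running `find_bruteforce(SAMPLE_SYSLOG.splitlines())` flags only 203.0.113.7 (five failures across four usernames, then a success), while the admin host's single typo stays below the threshold.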
From Router to Network
After exploiting the router, the attackers used it to tunnel into the bank's main network. From there, they managed to gain access to the bank's Automated Work Station Client of the Russian Central Bank, or AWS CBR, which is an interbank messaging system designed for fund transfers that's similar to the SWIFT messaging system.
After accessing AWS CBR, the attackers were able to "generate payment orders and send money in several tranches to mule accounts prepared in advance," Group-IB says.
Money mules refer to individuals who - knowingly or unknowingly - help criminals cash out their crimes. Such activities can take many forms, from "work at home" opportunities that involve money mules receiving stolen funds before transferring them to attacker-controlled accounts to going to ATMs infected with "jackpotting" malware and instructing them to dispense all of their cash (see Don't Be a Money Mule for the Holidays).
In this case, the mules used cards issued by the banks to drain funds from accounts to which the stolen funds had been transferred, Group-IB says. Once the accounts were cashed out, short of police identifying and arresting the perpetrators and attempting to recover the funds, the cash would be gone.
Bank employees spotted the theft on the evening of July 4 after they "found unauthorized transactions with large sums." Bank employees then asked the central bank "to block the AWS CBR digital signature keys, but failed to stop the financial transfers in time," Group-IB says.
"Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs," Group-IB says.
To disguise the theft and try to make life more difficult for digital forensic investigators, Group-IB says the attackers - not for the first time - tried to cover their tracks by clearing the logs from numerous bank systems. The criminals also left some "reverse shells" - code designed to automatically communicate back to attacker-controlled machines - that attackers could later use to regain access to the bank's network and launch follow-on attacks.
Group-IB says it identified the reverse shells and that PIR Bank's system administrators have scrubbed them from the bank's network.