Russian Hackers Steal $10M From Banks

A previously unknown ring of Russian-speaking hackers has stolen as much as $10 million from US and Russian banks in the last 18 months, according to a Moscow-based cyber-security firm that runs the largest computer forensics laboratory in eastern Europe.

The MoneyTaker group broke into 20 systems, including those of 15 US lenders, targeting ATMs with “mules” and Russia’s interbank money-transfer system, according to a report from Group-IB.

The hackers, who also breached a UK software and service provider, are now probing institutions in Latin America and may be trying to compromise the SWIFT international bank messaging service, according to the privately held security firm, whose clients range from Russia’s biggest lender Sberbank PJSC to Raiffeisen Bank International AG. Group-IB last month signed an agreement with Interpol to share data on threat intelligence and the latest cyber-criminal activities.

“Criminals have changed tactics and are now focusing on banks rather than their clients, as was standard operating procedure in the past,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, said by phone.

Russia, considered a hotbed of government-backed information attacks, increasingly finds itself a victim of cyber-crime. It was initially blamed for the Bad Rabbit ransomware virus that spread to more than 200 targets globally, even though some of the biggest disruptions affected Russian businesses.

Limited Resources
Since its first successful breach in May 2016, MoneyTaker has stolen from banks in New York, California, Utah and Moscow, primarily targeting smaller institutions with limited cyber defenses, Group-IB found. The average haul from US banks was about $500,000, and it stole over $3 million from three Russian lenders. “They understand that banks, especially community banks with limited resources, are the easiest marks,” Volkov said.

The cell remained undetected by using so-called fileless malware, which exists only in a computer’s temporary memory and destroys itself when the system reboots; because it is never permanently stored on disk, it can more easily evade anti-virus programs, according to Group-IB. At one bank, the hackers gained access to the network via the home computer of the lender’s system administrator.

Corkow Trojan
The attackers further covered their tracks with encryption certificates generated using brand names such as Bank of America Corp., Microsoft Corp. and the Federal Reserve, according to Group-IB, which previously uncovered Russian-speaking hacker cells behind the Corkow Trojan and Buhtrap.

SWIFT and Bank of America didn’t immediately respond to requests from Bloomberg. While hackers are transnational, many new types of attacks are discovered in Russia because it’s at the forefront of cyber security, a deputy head of the Russian central bank’s information security and protection department, Artem Sychev, said in an interview in November.

Group-IB said the US banks were targeted by gaining access to their card-processing system and then opening accounts at the compromised institutions. The attackers removed limits on the legitimate bank cards and used mules to withdraw cash from ATMs. The virus was so stealthy that, in at least one instance, a bank was successfully robbed twice.

While Group-IB didn’t uncover evidence of a successful attack on SWIFT by MoneyTaker, it found that the hackers were searching for documents related to the messaging system, which could indicate pending attacks. Last year, in one of the biggest heists in cyber-crime history, hackers used SWIFT to steal $81 million from Bangladesh.

“The more we dig, the more we’ll find,” Group-IB’s Volkov said. “This report doesn’t represent the full picture, and I can say with 100 percent certainty that there are more victims that haven’t been identified yet.”

Insurance Journal
