Russian Hackers Steal $10M From Banks

A previously unknown ring of Russian-speaking hackers has stolen as much as $10 million from US and Russian banks in the last 18 months, according to a Moscow-based cyber-security firm that runs the largest computer forensics laboratory in eastern Europe.

The MoneyTaker group broke into 20 systems, which includes 15 US lenders, targeting ATMs with “mules” and Russia’s interbank money-transfer system, according to a report from Group-IB.

The hackers, who also breached a UK software and service provider, are now probing institutions in Latin America and may be trying to compromise the SWIFT international bank messaging service, according to the privately held security firm, whose clients range from Russia’s biggest lender Sberbank PJSC to Raiffeisen Bank International AG. Group-IB last month signed an agreement with Interpol to share data on threat intelligence and the latest cyber-criminal activities.

“Criminals have changed tactics and are now focusing on banks rather than their clients, as was standard operating procedure in the past,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, said by phone.
Russia, considered a hotbed of government-backed information attacks, increasingly finds itself a victim of cyber-crime. It was initially blamed for the Badrabbit ransomware virus that spread to more than 200 targets globally, even though some of the biggest disruptions affected Russian businesses.

Limited Resources
Since its first successful breach in May 2016, MoneyTaker has stolen from banks in New York, California, Utah and Moscow, primarily targeting smaller institutions with limited cyber defenses, Group-IB found. The average haul from US banks was about $500,000, and it stole over $3 million from three Russian lenders. “They understand that banks, especially community banks with limited resources, are the easiest marks,” Volkov said.

The cell remained undetected by using so-called fileless malware that only exists on a computer’s temporary memory and destroys itself when the system reboots, meaning it’s not permanently stored and therefore can more easily evade anti-virus programs, according to Group-IB.  At one bank, the hackers gained access to the network via the home computer of the lender’s system administrator.

Corkow Trojan
The attackers further covered their tracks with encryption certificates generated using brand names such as Bank of America Corp., Microsoft Corp. and the Federal Reserve, according to Group-IB, which previously uncovered Russian-speaking hacker cells behind the Corkow Trojan and Buhtrap.

SWIFT and Bank of America didn’t immediately respond to requests from Bloomberg. While hackers are transnational, many new types of attacks are discovered in Russia because it’s at the forefront of cyber security, a deputy head of the Russian central bank’s information security and protection department, Artem Sychev, said in an interview in November.

Group-IB said the US banks were targeted by gaining access to their card-processing system and then opening accounts at the compromised institutions. The attackers removed limits on the legitimate bank cards and used mules to withdraw cash from ATMs. The virus was so stealthy that, in at least one instance, a bank was successfully robbed twice.

While Group-IB didn’t uncover evidence of a successful attack on Swift by MoneyTaker, it found that the hackers were searching for documents related to the messaging system, which could indicate pending attacks. Last year, in one of the biggest heists in cyber-crime history, hackers used SWIFT to steal $81 million from Bangladesh.

“The more we dig, the more we’ll find,” Group-IB’s Volkov said. “This report doesn’t represent the full picture, and I can say with 100 percent certainty that there are more victims that haven’t been identified yet.”

Insurance Journal

You Might Also Read: 

Interpol/Group-IB Unmasking Pro-ISIS Hackers:

Bank Robbery: Cyber Criminals Steal $1Billion:

Bank Data Breaches Are Up And It's An Inside Job:

 

« Digital Risks Are Changing And CSOs Must Adapt
Get Into Gear On GDPR »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Veeam

Veeam

Veeam is the leader in intelligent data management for the Hyper-Available Enterprise.

FDM Group

FDM Group

FDM Group is an international Professional services company with a focus on IT. Services offered include Software Testing, and Information Security with a focus on operational security and compliance.

Operational Center for Information Systems Security (COSSI)

Operational Center for Information Systems Security (COSSI)

COSSI is responsible for the detection and mitigation of cyber attacks directed at French Government information systems.

CloudMask

CloudMask

CloudMask patent technology provides Dynamic Data Masking (DDM) that masks sensitive data, structured or non-structured, in real-time.

Irdeto

Irdeto

Irdeto is the world leader in digital platform security, protecting platforms and applications for media & entertainment, gaming, connected transport and IoT connected industries.

Urbane Security

Urbane Security

Urbane Security is a premier information security consultancy empowering the Fortune 500, small and medium enterprise, and high-tech startups.

Cado Security

Cado Security

Cado Security is pushing digital forensics, and cyber incident response to the next level with an incident response software platform and specialist consulting services.

AML Global Solutions (AMLGS)

AML Global Solutions (AMLGS)

AMLGS delivers Financial Crime prevention training programmes and consultancy services encompassing Anti-Money Laundering (AML), Counter Terrorism Financing (CTF), Bribery & Corruption and Fraud.

Input Output (IOHK)

Input Output (IOHK)

IOHK is one of the world's pre-eminent blockchain infrastructure research and engineering companies.

Appurity

Appurity

Appurity specialises in mobile and application security, delivering comprehensive solutions across all verticals.

Trace3

Trace3

Trace3 is a pioneer in business transformation solutions, empowering organizations to keep pace with the rapid changes in IT innovations and maximize organizational health.

Intelligent CloudCare

Intelligent CloudCare

Intelligent CloudCare, a division of IPS, is a full IT Services provider serving the needs of SMBs in the metropolitan New York City region.

Womble Bond Dickinson

Womble Bond Dickinson

Womble Bond Dickinson is a transatlantic law firm, providing high-quality legal experience and outstanding personal service from key locations across the United Kingdom and United States.

Pulsar Security

Pulsar Security

Pulsar Security is a team of highly skilled, offensive cybersecurity professionals with the industry's most esteemed credentials and advanced real-world experience.

SecureFlag

SecureFlag

SecureFlag is dedicated to enhancing secure coding across all technical profiles within the Software Development Lifecycle.

CyberForceHQ

CyberForceHQ

CyberForce helps cyber security professionals take real-world tests, get ranked and get paid better. It's that simple.