Russian Hackers Steal $10M From Banks

A previously unknown ring of Russian-speaking hackers has stolen as much as $10 million from US and Russian banks in the last 18 months, according to a Moscow-based cyber-security firm that runs the largest computer forensics laboratory in eastern Europe.

The MoneyTaker group broke into 20 systems, which includes 15 US lenders, targeting ATMs with “mules” and Russia’s interbank money-transfer system, according to a report from Group-IB.

The hackers, who also breached a UK software and service provider, are now probing institutions in Latin America and may be trying to compromise the SWIFT international bank messaging service, according to the privately held security firm, whose clients range from Russia’s biggest lender Sberbank PJSC to Raiffeisen Bank International AG. Group-IB last month signed an agreement with Interpol to share data on threat intelligence and the latest cyber-criminal activities.

“Criminals have changed tactics and are now focusing on banks rather than their clients, as was standard operating procedure in the past,” Dmitry Volkov, the head of Group-IB’s cyber intelligence department, said by phone.
Russia, considered a hotbed of government-backed information attacks, increasingly finds itself a victim of cyber-crime. It was initially blamed for the Badrabbit ransomware virus that spread to more than 200 targets globally, even though some of the biggest disruptions affected Russian businesses.

Limited Resources
Since its first successful breach in May 2016, MoneyTaker has stolen from banks in New York, California, Utah and Moscow, primarily targeting smaller institutions with limited cyber defenses, Group-IB found. The average haul from US banks was about $500,000, and it stole over $3 million from three Russian lenders. “They understand that banks, especially community banks with limited resources, are the easiest marks,” Volkov said.

The cell remained undetected by using so-called fileless malware that only exists on a computer’s temporary memory and destroys itself when the system reboots, meaning it’s not permanently stored and therefore can more easily evade anti-virus programs, according to Group-IB.  At one bank, the hackers gained access to the network via the home computer of the lender’s system administrator.

Corkow Trojan
The attackers further covered their tracks with encryption certificates generated using brand names such as Bank of America Corp., Microsoft Corp. and the Federal Reserve, according to Group-IB, which previously uncovered Russian-speaking hacker cells behind the Corkow Trojan and Buhtrap.

SWIFT and Bank of America didn’t immediately respond to requests from Bloomberg. While hackers are transnational, many new types of attacks are discovered in Russia because it’s at the forefront of cyber security, a deputy head of the Russian central bank’s information security and protection department, Artem Sychev, said in an interview in November.

Group-IB said the US banks were targeted by gaining access to their card-processing system and then opening accounts at the compromised institutions. The attackers removed limits on the legitimate bank cards and used mules to withdraw cash from ATMs. The virus was so stealthy that, in at least one instance, a bank was successfully robbed twice.

While Group-IB didn’t uncover evidence of a successful attack on Swift by MoneyTaker, it found that the hackers were searching for documents related to the messaging system, which could indicate pending attacks. Last year, in one of the biggest heists in cyber-crime history, hackers used SWIFT to steal $81 million from Bangladesh.

“The more we dig, the more we’ll find,” Group-IB’s Volkov said. “This report doesn’t represent the full picture, and I can say with 100 percent certainty that there are more victims that haven’t been identified yet.”

Insurance Journal

You Might Also Read: 

Interpol/Group-IB Unmasking Pro-ISIS Hackers:

Bank Robbery: Cyber Criminals Steal $1Billion:

Bank Data Breaches Are Up And It's An Inside Job:

 

« Digital Risks Are Changing And CSOs Must Adapt
Get Into Gear On GDPR »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

APMG International (APM Group)

APMG International (APM Group)

APM Group is a global accreditation, certification and examination body specializing in certification schemes for individuals, organizations and software.

IT Security Guru

IT Security Guru

IT Security Gurus publish daily breaking news. interviews with the key thinkers in IT security, videos and the top 10 stories as picked by our Editor.

Hitachi ID Systems

Hitachi ID Systems

Hitachi ID Systems offers comprehensive identity management and access governance, privileged access management and password management solutions.

OASIS Open

OASIS Open

OASIS Open is where individuals, organizations, and governments come together to solve some of the world’s biggest technical challenges through the development of open code and open standards.

Cyber Akademie (CAk)

Cyber Akademie (CAk)

Cyber Akademie is a training and education center providing high-quality training and information events on information security and data protection.

Ovarro

Ovarro

Ovarro is the new name for Servelec Technologies and Primayer. Ovarro's technology is used throughout the world to monitor, control and manage critical and national infrastructure.

Teramind

Teramind

Teramind provides a user-centric security approach to monitor employee behavior in order to identify suspicious activity, detect possible threats, monitor efficiency, and ensure industry compliance.

Platin Bilişim

Platin Bilişim

Platin Bilisim is an IT Security company providing consultancy, solutions and operational support services.

Living Security

Living Security

Living Security specializes in metric driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behaviour.

FortifyData

FortifyData

FortifyData is the next generation of cyber risk management–a comprehensive platform that continuously evaluates your third-party, internal and people risks.

Salt Cybersecurity

Salt Cybersecurity

Salt Cybersecurity offer a four-pronged approach to information security that includes Custom Security Policy, Vulnerability Assessment, Threat Detection, and Security Awareness Training.

Vijilan Security

Vijilan Security

Vijilan provides 24/7 SOC services to MSPs/VARs. Our Security Operations Center is global, and our services are exclusive to the Channel.

Digital Beachhead

Digital Beachhead

Digital Beachhead has the expertise to provide a range of Cyber Risk Management and other Professional Services with specifically tailored solutions at competitive prices.

8com

8com

8com is an established Managed Security Service Provider (MSSP) with over 75 employees and customers in over 40 countries.

Descope

Descope

Descope is a service that helps every developer build secure, frictionless authentication and user journeys for any application.

BugProve

BugProve

BugProve offers a firmware analysis tool that speeds up security testing processes and supports compliance needs by automating repetitive tasks and detecting 0-day vulnerabilities.