Group-IB has released a report detailing the operations of a Russian-speaking targeted attack group dubbed MoneyTaker.
In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms around the world. Although the group has successfully targeted a number of banks in different countries, to date its activity has gone unreported. By constantly changing its tools and tactics to bypass antivirus and traditional security solutions and, most importantly, by carefully eliminating its traces after completing an operation, the group has largely gone unnoticed. The first attack that Group-IB attributes to this group was conducted in the US in May 2016, while the most recent took place in November 2017 in Russia.
“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” says Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence. “In addition, incidents have occurred in different regions worldwide. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations.”
Using the Group-IB Threat Intelligence system, Group-IB researchers have discovered connections between all 20 incidents throughout 2016 and 2017. Connections were identified not only in the tools used, but also in the distributed infrastructure, in one-time-use components of the group's attack toolkit and in specific withdrawal schemes – using unique accounts for each transaction. Another distinct feature of this group is that it sticks around after the event, continuing to spy on a number of impacted banks and forwarding corporate emails and other documents to Yandex and Mail.ru free email services, using addresses in the firstname.lastname@example.org format.
“This year we have witnessed an array of high profile cyber-attacks in the financial sector which has put a renewed emphasis on data protection and security. While cybercriminals continue to grow in sophistication, organisations are yet to strengthen their cybersecurity immune system. In addition, the increased adoption of new technologies in the region presents new security and data risks. At Group-IB, we are committed to protecting our clients from vulnerabilities by providing them with comprehensive threat intelligence and robust cybersecurity solutions,” said Tarek Kuzbari, managing director for the Middle East, Turkey, Africa and South Asia at Group-IB.
By analysing the attack infrastructure, Group-IB identified that the group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks. Exfiltrated documents include admin guides, internal regulations and instructions, change request forms, transaction logs and similar material. Group-IB is investigating a number of incidents in which the copied documents describe how to make transfers through SWIFT.
The group has primarily been targeting card processing systems: after taking control of a bank's network, the attackers checked whether they could connect to the card processing system. They then legally opened or bought cards of the bank whose IT system they had compromised. Money mules – criminals who withdraw money from ATMs – travelled abroad with previously activated cards and waited for the operation to begin. Once inside the card processing system, the attackers removed or increased the cash withdrawal limits on the mules' cards. They also removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs, one by one.
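The cash-out scheme above leaves a detectable pattern in a bank's own data: a limit removed or inflated in the card-processing audit log, followed within hours by a burst of ATM withdrawals exceeding what the old limit allowed. The following is an added example, not code from the Group-IB report; the audit-entry and withdrawal record layouts, the thresholds and all sample values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from the Group-IB report.
# Card-processing audit entries: (timestamp, card, field, old, new);
# new=None means the limit was removed entirely.
LIMIT_CHANGES = [
    ("2017-11-01T22:10:00", "card-A", "daily_cash_limit", 500, None),
    ("2017-11-01T22:11:00", "card-A", "overdraft_limit", 0, None),
    ("2017-11-01T22:12:00", "card-B", "daily_cash_limit", 500, 50000),
    ("2017-11-02T09:00:00", "card-C", "daily_cash_limit", 500, 700),
]
# ATM withdrawals: (timestamp, card, amount, country)
WITHDRAWALS = [
    ("2017-11-02T01:05:00", "card-A", 2000, "DE"),
    ("2017-11-02T01:09:00", "card-A", 2000, "DE"),
    ("2017-11-02T01:14:00", "card-A", 2000, "DE"),
    ("2017-11-02T01:20:00", "card-B", 4000, "ES"),
    ("2017-11-02T01:25:00", "card-B", 4000, "ES"),
    ("2017-11-03T12:00:00", "card-C", 100, "RU"),
]


def risky_change(field, old, new, raise_factor=10):
    """A limit removed outright, or a cash limit raised far beyond its old value."""
    if new is None:
        return True
    return field == "daily_cash_limit" and bool(old) and new >= old * raise_factor


def suspicious_cards(limit_changes, withdrawals, window=timedelta(hours=24),
                     min_withdrawals=2, raise_factor=10):
    """Cards whose limits were removed/inflated and then cashed out above the
    old limit within `window`. Returns {card: {changes, withdrawals, total, countries}}."""
    hits = {}
    for ts, card, field, old, new in limit_changes:
        if not risky_change(field, old, new, raise_factor):
            continue
        t0 = datetime.fromisoformat(ts)
        later = [w for w in withdrawals
                 if w[1] == card and t0 <= datetime.fromisoformat(w[0]) <= t0 + window]
        total = sum(w[2] for w in later)
        # Only a cash-out that exceeds what the old limit permitted is interesting.
        if len(later) < min_withdrawals or total <= (old or 0):
            continue
        entry = hits.setdefault(card, {"changes": [], "withdrawals": len(later),
                                       "total": total, "countries": sorted({w[3] for w in later})})
        entry["changes"].append(field)
    return hits
```

In production the same join would run against the processing system's audit trail and the ATM authorisation feed, with the foreign-country list as an extra weighting rather than a hard filter.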