Hackers steal $1 million from Russian bank

Russian PIR Bank lost almost $1 million due to a hacker attack at the beginning of July. The money was stolen by so-called MoneyTaker hacking group, which used an outdated router at one of the bank's regional branches to access its local network. This has been at least fourth similar successful attack on a Russian bank since the beginning of the year.

A cybercriminal group referred to as MoneyTaker recently managed to steal nearly $1 million from Russia's PIR Bank, reports SecurityWeek citing Group-IB cybercrime researchers. At the beginning of July, the criminals got access to the funds via the Russian Central Bank's Automated Workstation Client (AWC), transferred the money to 17 accounts in major Russian banks and then cashed them out. Although the bank's staff managed to delay some of the withdrawals, it appears that most of what was stolen has been lost. Group-IB estimates that the hackers took around $920,000.

The security researchers claim that all evidence points to MoneyTaker hacker group orchestrating the theft, as the criminals used tools and techniques previously associated with MoneyTaker along with the IP addresses of the group's command and control servers. Over the past two years, MoneyTaker has launched over 20 successful attacks on financial institutions and legal firms in the US, UK and Russia, mainly focusing on card processing systems. In 2016, the hackers withdrew about $2 million via their own self-titled programme. The incident remains one of the largest attacks of this kind, says Group-IB's Head of Digital Forensics Lab Valeriy Baulin, adding that at least three similar successful attacks on Russian banks with money withdrawal have been registered since early 2018.

The latest attack on PIR Bank started in May 2018 when the hackers used a compromised router of one of the bank's regional branches as an entry point. ''This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks,'' the Group-IB researchers say. After the hackers breached the bank's main network and accessed the Central Bank's AWC, they sent money to accounts in 17 other banks prepared in advance. Funds were immediately cashed out by money mules via ATMs. The bank employees tried to stop the suspicious financial transfers, but the hackers had already managed to cash out most of the stolen money.

According to Baulin, attacks on AWC, which is an interbank system similar to SWIFT, are not easy to implement and, thus, are conducted relatively rare. Many hackers just cannot ''work on computers with AWC'' successfully.

By Anna Litvina