Hacking Group Steals $1 Million from Russian Bank through Compromised Router

July 28, 2018


The hacking group known as MoneyMaker has pulled off a $1 million cyberheist after gaining access to a Russian bank through an obsolete router in one of its local branches.

Vulnerabilities in the PIR Bank router were exploited first to gain access to the router itself, and then to reach the Automated Work Station Customer of the Russian Central Bank through network tunnels configured on the router.

Once they had access to the Automated Work Station Customer of the Russian Central Bank, the hackers were able to initiate fraudulent transfers to 17 accounts held at other Russian banks. The money was transferred and, as soon as it cleared, withdrawn in cash from ATMs. The group uses money mules to withdraw the funds.

By the time PIR Bank noticed the fraudulent transfers, the accounts had already been emptied and the money may not be recoverable.

The attack was investigated by the cybersecurity and threat intelligence firm Group-IB, which notes that the group is known for highly sophisticated attacks on financial organizations, many of which take months before funds are stolen. The group frequently uses fileless malware to gain a foothold in a network, builds entirely new infrastructure for each attack, and goes to considerable lengths to hinder forensic investigators.

Group-IB notes that most of the group's successful cyberheists have begun with initial access to the network gained through vulnerable routers. Routers usually run no security software, their firmware is often not updated regularly, and vulnerabilities can persist for a long time before they are found and remediated. By compromising routers, criminals can gain a persistent foothold in local networks and then move laterally to other systems.

MoneyMaker has been attacking banks in the United Kingdom, Russia, and the United States since 2016 and is a leading threat to financial organizations. Group-IB suggests the best way to prevent such attacks is to ensure all routers in use run the latest firmware version, to scan routers regularly for configuration changes, and to carry out testing to identify susceptibility to brute-force attacks.
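As an added example, not code from the article or from Group-IB, here is one way to implement the configuration-change scanning recommended above: a Python script that normalizes and fingerprints a router's running configuration, diffs it against a stored baseline, and flags changes in the parts of the config that give an intruder a path into the LAN (tunnel interfaces, NAT/port-forwarding rules, user accounts and ACLs). The two configurations are constructed samples in a generic CLI-style syntax, not any vendor's real format; the keyword patterns are an assumption to be adapted to the platform in use, and fetching the config from a real device (SSH, API or a backup job) is assumed to happen elsewhere.

```python
"""Router configuration drift check (added example, not from the article).

Fingerprints a router config, diffs it against a baseline and reports which
added/removed lines touch high-risk areas such as tunnels, NAT and accounts.
"""
import difflib
import hashlib
import re
from typing import Dict, List

# Constructed list of config keywords whose change should raise an alert.
# Adapt these to the real platform's syntax; they are an assumption here.
HIGH_RISK_PATTERNS = [
    re.compile(r"^\s*interface\s+tunnel", re.I),          # new tunnel interface
    re.compile(r"^\s*tunnel\s+(source|destination)", re.I),
    re.compile(r"^\s*ip\s+nat\s+", re.I),                 # NAT / port forwarding
    re.compile(r"^\s*username\s+", re.I),                 # local accounts
    re.compile(r"^\s*access-list", re.I),                 # ACL changes
]

# Constructed sample: the stored baseline for a branch router.
BASELINE_CONFIG = """
! constructed sample: branch router baseline
hostname branch-rtr-01
username admin privilege 15 secret 5 $1$PLACEHOLDER
interface GigabitEthernet0/0
 description WAN uplink
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 description branch LAN
 ip address 192.168.10.1 255.255.255.0
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
"""

# Constructed sample: the same router after unauthorized changes
# (extra admin account, a tunnel interface, and a port forward into the LAN).
CURRENT_CONFIG = """
hostname branch-rtr-01
username admin privilege 15 secret 5 $1$PLACEHOLDER
username svc-backup privilege 15 secret 5 $1$PLACEHOLDER2
interface GigabitEthernet0/0
 description WAN uplink (updated)
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet0/1
 description branch LAN
 ip address 192.168.10.1 255.255.255.0
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
ip nat inside source static tcp 192.168.10.50 3389 203.0.113.10 3389 extendable
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
"""


def normalize(config: str) -> List[str]:
    """Drop blank lines, '!' comments and trailing whitespace so cosmetic
    edits do not trigger alerts; leading indentation is kept."""
    lines = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        lines.append(line)
    return lines


def config_fingerprint(config: str) -> str:
    """SHA-256 over the normalized config; store this with the baseline."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def diff_configs(baseline: str, current: str) -> Dict[str, object]:
    """Return added/removed lines and the subset that hits a high-risk pattern."""
    base_lines, cur_lines = normalize(baseline), normalize(current)
    added: List[str] = []
    removed: List[str] = []
    matcher = difflib.SequenceMatcher(a=base_lines, b=cur_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(base_lines[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(cur_lines[j1:j2])
    high_risk = [ln for ln in added + removed
                 if any(p.search(ln) for p in HIGH_RISK_PATTERNS)]
    return {
        "changed": config_fingerprint(baseline) != config_fingerprint(current),
        "added": added,
        "removed": removed,
        "high_risk": high_risk,
    }


if __name__ == "__main__":
    report = diff_configs(BASELINE_CONFIG, CURRENT_CONFIG)
    print("config changed:", report["changed"])
    for line in report["added"]:
        print("  +", line)
    for line in report["removed"]:
        print("  -", line)
    print("HIGH-RISK changes (escalate):")
    for line in report["high_risk"]:
        print("  !", line)
```

Run on a schedule, with the baseline fingerprint stored off the router, a non-empty `high_risk` list (a new tunnel interface, a NAT rule exposing an internal host, an extra privileged account) is the event worth paging on; a changed description line is noise and is reported but not escalated.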

Router vulnerabilities are also being exploited to build IoT botnets used to carry out massive DDoS attacks, with the VPNFilter Trojan known to have infected at least half a million vulnerable routers. The malware has already been used to launch disruptive attacks on critical infrastructure in Ukraine, including the recent attack on a liquid chlorine plant that supplies chlorine for treating Ukraine's water supply.