Hacking Group Steals $1 Million from Russian Bank through Compromised Router

July 28, 2018


The hacking group known as MoneyTaker pulled off a $1 million cyber heist after gaining access to a Russian bank through an outdated router in one of its regional offices.

Vulnerabilities in the PIR Bank router were exploited first to gain access to the router itself, and then to reach the Automated Work Station Client of the Russian Central Bank (AWS CBR) through network tunnels the attackers configured on the router.

Once access to the AWS CBR was obtained, the attackers initiated fraudulent transfers to 17 accounts held at other Russian banks. The money was transferred and, as soon as it cleared, withdrawn in cash from ATMs. The group uses money mules to carry out the withdrawals.

By the time PIR Bank noticed the fraudulent transfers, the receiving accounts had been emptied and the money could not be recovered.

The attack was investigated by the cybersecurity and threat intelligence firm Group-IB, which notes that the group is known for highly sophisticated attacks on financial organizations, many of which take months of preparation before any funds are stolen. The group frequently uses fileless malware to maintain persistence on a compromised system, builds entirely new infrastructure for each attack, and goes to considerable lengths to hinder forensic investigators.

Group-IB notes that most of the group's successful cyberheists began with initial access gained through vulnerable routers. Routers typically run no security software, their firmware is often not updated regularly, and vulnerabilities can persist for a long time before they are discovered and remediated. By compromising a router, attackers can establish a persistent foothold on the local network and then move laterally to other systems.

MoneyTaker has been attacking banks in the United Kingdom, Russia, and the United States since 2016 and is a major threat to financial organizations. Group-IB advises that the best way to prevent such attacks is to ensure all routers in use run the latest firmware version, that router configurations are checked regularly for unauthorized changes, and that testing is carried out to find weaknesses that would allow credentials to be brute-forced.
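The second of those recommendations, checking router configurations for unauthorized changes, is the one that would have exposed the tunnels described above. The following is an added example of a configuration drift check; it is not code from the article or from Group-IB, and the two router configurations it compares are constructed samples in IOS-style syntax (the article does not say what router PIR Bank used). The "current" sample adds a tunnel interface, a static route through that tunnel, an extra privileged account, and Telnet on the management line, which are the kinds of changes an attacker makes after taking over a router; the pattern list and hostnames are assumptions for illustration.

```python
"""Router configuration drift check (added example; configs below are constructed samples)."""
import hashlib
import re

# Constructed baseline snapshot of a branch router (hypothetical, IOS-style syntax).
BASELINE_CONFIG = """\
hostname branch-rtr
!
username netops privilege 15 secret 5 $1$EXAMPLE$abcdefghijklmnop
!
interface GigabitEthernet0/0
 description WAN uplink
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet0/1
 description branch LAN
 ip address 10.20.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.9
!
line vty 0 4
 transport input ssh
"""

# Constructed later snapshot: a tunnel to an outside host, a route into it, a new
# privileged user and Telnet enabled on the management line have appeared.
CURRENT_CONFIG = """\
hostname branch-rtr
!
username netops privilege 15 secret 5 $1$EXAMPLE$abcdefghijklmnop
username svc_backup privilege 15 secret 5 $1$EXAMPLE$qrstuvwxyz012345
!
interface Tunnel0
 ip address 172.16.99.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
!
interface GigabitEthernet0/0
 description WAN uplink
 ip address 203.0.113.10 255.255.255.248
!
interface GigabitEthernet0/1
 description branch LAN
 ip address 10.20.0.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.9
ip route 10.99.0.0 255.255.255.0 Tunnel0
!
line vty 0 4
 transport input ssh telnet
"""

# Statement patterns whose appearance in a diff deserves a human look (assumed list).
SUSPICIOUS_PATTERNS = [
    (re.compile(r"^interface Tunnel"), "new tunnel interface"),
    (re.compile(r"^tunnel (source|destination|mode) "), "tunnel endpoint or mode set"),
    (re.compile(r"^ip route "), "static route added"),
    (re.compile(r"^ip nat "), "NAT or port-forward rule added"),
    (re.compile(r"^username "), "local account added or changed"),
    (re.compile(r"^transport input "), "management transport changed"),
    (re.compile(r"^(no )?ip access-(list|group) "), "ACL changed"),
]


def normalize(config_text):
    """Drop blank lines and '!' separators, strip trailing whitespace, keep indentation."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        lines.append(line)
    return lines


def fingerprint(config_text):
    """SHA-256 over the normalized config; store this per device and compare each poll."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()


def diff_configs(baseline_text, current_text):
    """Return (added, removed) statements, preserving the order they appear in."""
    base, cur = normalize(baseline_text), normalize(current_text)
    base_set, cur_set = set(base), set(cur)
    added = [line for line in cur if line not in base_set]
    removed = [line for line in base if line not in cur_set]
    return added, removed


def flag_suspicious(lines):
    """Pair each added statement with the first matching reason, if any."""
    alerts = []
    for line in lines:
        stmt = line.strip()
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if pattern.search(stmt):
                alerts.append((line, reason))
                break
    return alerts


def audit(baseline_text, current_text):
    """Full drift report: changed flag, raw diff, and the subset worth alerting on."""
    added, removed = diff_configs(baseline_text, current_text)
    return {
        "changed": fingerprint(baseline_text) != fingerprint(current_text),
        "added": added,
        "removed": removed,
        "alerts": flag_suspicious(added),
    }


if __name__ == "__main__":
    report = audit(BASELINE_CONFIG, CURRENT_CONFIG)
    print("changed:", report["changed"])
    for line in report["removed"]:
        print("- " + line)
    for line in report["added"]:
        print("+ " + line)
    for line, reason in report["alerts"]:
        print(f"ALERT [{reason}]: {line.strip()}")
```

In practice the baseline is the configuration captured and reviewed at deployment, the current snapshot is pulled on a schedule over SSH or from the device's own backup, and any non-empty alert list is raised to the network team; the fingerprint alone is enough to detect that something changed, but the classified diff is what tells an analyst that a tunnel and a route into the LAN have appeared.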

Router vulnerabilities are also being exploited to build IoT botnets used to carry out large-scale DDoS attacks; the VPNFilter malware is known to have infected at least half a million vulnerable routers. That malware has already been used in destructive attacks on critical infrastructure in Ukraine, including a recent attack on a liquid chlorine plant that supplies chlorine for treating Ukraine's water supply.