POST Online Media Lite Edition


Group-IB uncovered hackers attacking banks in U.S., Russia and the UK

Staff Writer |
Group-IB, a high-fidelity threat intelligence and anti-fraud solutions vendor has released a report detailing the operations of a Russian-speaking targeted attack group dubbed by Group-IB as MoneyTaker.

Article continues below

In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia.

The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.

Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported. In addition to banks, the MoneyTaker group has attacked law firms and also financial software vendors.

In total, Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on U.S. organizations, 3 attacks on Russian banks and 1 in the UK.

By constantly changing their tools and tactics to bypass antivirus and traditional security solutions and most importantly carefully eliminating their traces after completing their operations, the group has largely gone unnoticed.

The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016: money was stolen from the bank by gaining access to First Data’s “STAR” network operator portal. Since that time, the group attacked companies in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia and Florida.

In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on IT-company UK and 2 attacks on Russian banks. Only one incident involving a Russian bank was promptly identified and prevented that is known to Group‑IB.

In 2017, the number of attacks has remained the same with 8 US banks, 1 law firm and 1 bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.

Using the Group-IB Threat Intelligence system, Group-IB researchers have discovered connections between all 20 incidents throughout 2016 and 2017.

Connections were identified not only in the tools used, but also the distributed infrastructure, one-time-use components in the attack toolkit of the group and specific withdrawal schemes – using unique accounts for each transaction.

Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and free email services in the format.

What to read next

Cyber firms warn of malware that could cause power outages
Hackers attack Sacramento public transit system, demand ransom
Bahrain says 'terrorists' hacked the foreign minister's account