The group, dubbed MoneyTaker, has successfully managed to attack over 20 financial institutions, banks, software vendors and law firms worldwide in order to conduct fraudulent transactions, use money mules to withdraw cash stolen from companies, and steal valuable corporate and sensitive information.
A previously undetected group of Russian-speaking hackers silently stole almost $10 million from at least 18 mostly U.S. and Russian banks in recent years by targeting interbank transfer systems, a Moscow-based security firm said on Monday.
In 2017, Group-IB claims that MoneyTaker was behind attacks on eight United States banks, one law firm and one Russian bank.
The first known attack was in 2016, when the group compromised First Data's STAR network in the US and Russia's AW CRB network, stole OceanSystems' Fed Link transfer system documents and spied on Russian bank networks. Besides banks, financial software firms and one law firm were targeted.
"MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise", says Dmitry Volkov, co-founder of Group-IB and Head of Intelligence.
He continued: "In addition, incidents occur in different regions worldwide and at least one of the U.S. banks targeted had documents successfully exfiltrated from their networks, twice".
Details of these attacks were first made public in a report published yesterday by Russian cyber-security firm Group-IB.
Further, the hackers took the time to delete their entry points, so Group-IB was not able to find the initial infection vector, and they used a unique command-and-control server infrastructure that did not deploy any malware unless the download request came from a targeted bank's IP address range. Their targeting, however, has since narrowed to only the United States and the Russian Federation.
"Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported", claimed Group-IB in a blog posting.
The firm said it was continuing to investigate a number of incidents where hackers studied how to make money transfers through the SWIFT banking system, while stopping short of saying whether any such attacks had been carried out successfully.
The criminals use a legitimate penetration testing tool, the Metasploit Framework, to coordinate the different phases of the attack, from initial network reconnaissance to the exploitation of vulnerabilities and the acquisition of administrator-level system privileges.
MoneyTaker's hacking kit included privilege escalation tools compiled from code presented at the Russian cybersecurity conference ZeroNights back in 2016.
The group has used privilege escalation tools based on code publicly presented at a cybersecurity conference in the Russian Federation the previous year and in some cases deployed the infamous Citadel and Kronos banking Trojans. Each component of the group's modular program performs a specific action: searching for payment orders and modifying them, replacing the original payment details with fraudulent ones, and then erasing traces of the changes. While it would be hard to completely prevent such hacks, it is clear that the attackers are having a relatively easy time making off with funds and sensitive data.
Now, experts believe Latin American banks and banks using the SWIFT system are in MoneyTaker's crosshairs.
Group-IB investigators said they forwarded all the data they gathered on this group to Europol and Interpol, as they suspect this will not be the last time we hear about MoneyTaker's operations.