After three years of inactivity, the Russian hacker group, known as MoneyTaker, has reappeared to steal a large amount of money from several bank customers through the compromise of an automated workstation operated by a Bank of Russia customer. The attack was detailed by Group-IB experts in their latest report on security threats against financial institutions.
MoneyTaker was last detected in mid-2018, operating an attack that resulted in losses of more than 58 million rubles for the affected bank, whose license was revoked by authorities after the incident.
Although investigators have not revealed the name of the bank affected in the latest attack and the amount stolen, a source close to the Russian Central Bank guarantees that the losses could reach 500 million rubles, as well as citing that a smaller bank would also have been affected.
In any case, a spokesman for the Central Bank of Russia confirmed that the financial institution is aware of what happened and that some measures are already being taken to gather information about the attack.
In more detail about the theft, Group-IB says it all started in mid-2020, when a physical device installed in a network affiliated with the affected bank was compromised. Later, the threat operators would have accessed the banking network, a task that took about a month. Over the next six months, hackers swept the network using a variety of tools, including remote access software, credential collectors, and more.
The final phase of the attack began in January of this year, when hackers gained full access to the Russian banking system’s interbank transfer system, as well as access to digital keys for signing payments that pass through the Central Bank.
Dmitry Volkov, CEO of Group-IB, told Security Newspaper that there is a risk that such attacks would be repeated, as happened in the wave of attacks that took place between 2017 and 2018, causing losses of millions of rubles. The researcher believes that, on that occasion, everything was facilitated by the great lack of work in the area of cybersecurity by Russian banks, in addition to the lack of regulation imposed by regulators.