A hacking group that has been targeting banks and law firms globally has managed to fly under the radar for two years. Until now.
Cyber security intelligence firm Group-IB has released a report detailing the operations of the Russian-speaking targeted-attack group, dubbed “MoneyTaker.”
MoneyTaker has evaded detection by constantly changing their tools and tactics to bypass antivirus and traditional security solutions and, most importantly, by carefully eliminating their traces after completing their operations, Group-IB said.
The first attack that Group-IB attributes to this group was conducted in the US in May 2016 while the most recent attack took place in November 2017 in Russia.
While cybercriminals continue to grow in sophistication, organisations are yet to strengthen their cybersecurity immune system, warned Tarek Kuzbari, managing director for the Middle East, Turkey, Africa and South Asia at Group-IB. “The increased adoption of new technologies in the region presents new security and data risks,” Kuzbari added.
The group has primarily been targeting card processing systems where the attackers checked if they could connect to the card processing system after taking control over the bank’s network. Following this, they legally opened or bought cards of the bank whose IT system they had hacked. Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs, one by one.
Toolkit

Using the Group-IB Threat Intelligence system, Group-IB researchers have discovered connections between all 20 incidents throughout 2016 and 2017. Connections were identified not only in the tools used, but also the distributed infrastructure, one-time-use components in the attack toolkit of the group and specific withdrawal schemes – using unique accounts for each transaction. Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and Mail.ru free email services in the firstname.lastname@example.org format.
By analysing the attack infrastructure, Group-IB identified that the group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks. Exfiltrated documents include: admin guides, internal regulations and instructions, change request forms, transaction logs, etc. A number of incidents with copied documents that describe how to make transfers through SWIFT are being investigated by Group-IB.
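The exfiltration channel described in the two paragraphs above (internal documents mailed out to free Yandex and Mail.ru accounts, repeatedly, over a period of time) is visible at the mail gateway. Below is an added example of that check over a constructed outbound-mail log; it is not from the article or Group-IB. The log format, the internal domain bank.example, the addresses and attachment names are all made up, and the Yandex/Mail.ru domains come from the text while any other free-mail hosts would be the defender's own list.

```python
"""Added example (not from the article or Group-IB): flag outbound corporate
mail that carries document attachments to free webmail services, and note
senders that do so on more than one day.

Log lines, addresses, domain names other than yandex/mail.ru, and file names are constructed.
"""
import re
from collections import defaultdict

FREE_MAIL_DOMAINS = {"yandex.ru", "mail.ru"}   # named in the text; extend with the defender's own list
INTERNAL_DOMAIN = "bank.example"               # constructed
DOC_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".log")

# Constructed gateway log: "<timestamp> id=.. from=.. to=.. attach=<name or -> size=.."
SAMPLE_MAIL_LOG = """\
2017-11-18T08:02:11Z id=m1 from=ops@bank.example to=first.last@yandex.ru attach=swift_transfer_procedure.docx size=412331
2017-11-18T08:40:00Z id=m2 from=hr@bank.example to=someone@partner.example attach=offer.pdf size=20110
2017-11-19T07:55:43Z id=m3 from=ops@bank.example to=first.last@yandex.ru attach=change_request_form.xlsx size=88012
2017-11-19T18:10:05Z id=m4 from=admin@bank.example to=first.last@mail.ru attach=card_processing_admin_guide.pdf size=3920011
2017-11-20T09:00:00Z id=m5 from=ops@bank.example to=first.last@yandex.ru attach=- size=1203
"""

_MAIL = re.compile(r"^(\S+) (.*)$")


def parse_mail_line(line):
    """Parse one gateway line into a dict with 'ts' plus its key=value fields."""
    m = _MAIL.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group(1)}
    for kv in m.group(2).split():
        k, _, v = kv.partition("=")
        rec[k] = v
    return rec


def is_document_exfil(rec):
    """Outbound from the corporate domain, to a free webmail domain, with a document attached."""
    sender_dom = rec.get("from", "").rpartition("@")[2].lower()
    rcpt_dom = rec.get("to", "").rpartition("@")[2].lower()
    attach = rec.get("attach", "-")
    if sender_dom != INTERNAL_DOMAIN or rcpt_dom not in FREE_MAIL_DOMAINS:
        return False
    return attach != "-" and attach.lower().endswith(DOC_EXTENSIONS)


def detect_exfiltration(log_text):
    """Return (flagged_ids, persistent_senders): every matching message id, plus the
    internal senders that matched on two or more distinct days."""
    flagged, days_by_sender = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_mail_line(line)
        if rec and is_document_exfil(rec):
            flagged.append(rec["id"])
            days_by_sender[rec["from"]].add(rec["ts"][:10])   # date part of the timestamp
    persistent = sorted(s for s, d in days_by_sender.items() if len(d) >= 2)
    return flagged, persistent


if __name__ == "__main__":
    ids, senders = detect_exfiltration(SAMPLE_MAIL_LOG)
    print("flagged messages:", ids)
    print("senders active on multiple days:", senders)
```

The per-sender, per-day aggregation is the part worth keeping: a single document mailed to a personal address may be an employee working from home, but the same internal mailbox sending procedure documents to the same free-mail account on several days is the long-term spying behaviour the report attributes to this group.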