Robbery is attributed to the criminal group known as MoneyTaker
A group of hackers stole at least $920K from Russian PIR Bank after successfully compromising an outdated and non compatible Cisco router in a local branch, using it as a method of accessing the bank’s local network, as reported by experts in enterprise data protection services.
Security reports claim that the compromised device was a Cisco 800 Series router, with iOS 12.4, which stopped receiving updates since 2016.
The robbery was publicly disclosed after the Russian political and financial newspaper Kommersant reported on July 6 that PIR Bank lost at least 58M rubles ($920K) and possibly much more, after hackers transferred money from the account of the Bank of Russia, which is the central bank of the country.
PIR Bank was reportedly able to recover some funds, but most of the money transferred seems to have been disappeared.
Further details about the attack have been published by the expert group in enterprise data protection services in charge of the case investigation. Based on the techniques used by the hackers, such as the use of PowerShell scripts to gain persistence in the bank’s networks and automate some steps of the hack process, it is believed that the Russian gang MoneyTaker is responsible for the attack.
MoneyTaker is one of Russia’s three most active cyber crime gangs, the others being Cobalt and Silence, which regularly direct their attacks to the financial services sector.
Specialists in enterprise data protection services add that this is at least the fourth time this year that MoneyTaker has been able to access a bank’s network by exploiting one of its routers.
A report on MoneyTaker was published in December 2017 affirming that the gang primarily targets small community banks, and that, since 2016, it would have stolen nearly $10M from at least 20 financial services firms, based in Russia, United Kingdom and the United States.
How do hackers got into the bank`s network?
Specialists in enterprise data protection services believe that the attack began in mid-May, exploiting the router in question, which does not require further technical efforts, as it could be intervened simply with a brute force attack.
From the router to the net
After the router exploiting, the hackers used it to tunnel through the bank’s main network. From there, they managed to access the the automated workstation client of the central Bank of Russia, which is an interbank messaging system designed for transfers of funds similar to the SWIFT system.
After accessing the automated workstation, hackers were able to generate payment orders and send money in several tranches to the different pre-established accounts.