Reports are coming in from news sources on a recent cyberattack that left Russia-based PIR Bank with a significant financial loss. As reported by Bleeping Computer’s Catalin Cimpanu, PIR Bank noticed that something was seriously wrong and brought in the cybersecurity firm Group-IB to investigate the incident. The damage was already done by this point, with a minimum of $920,000 having been stolen, but Group-IB needed to understand how the breach happened in order to prevent it from happening again. The hack was carried out by the notorious MoneyTaker group; Group-IB stated that “irrefutable digital evidence” implicates the collective. Group-IB was instrumental in uncovering MoneyTaker last year and has since studied the group's modus operandi closely, publishing reports on the criminal enterprise. The evidence pointing to MoneyTaker came from intensive study of PIR’s internal servers and infected workstations.
Even more unnerving is how the attack was carried out. The attackers' entry point was an outdated router at a regional branch, which they accessed in May. With a foothold on the internal network, MoneyTaker compromised a number of high-value systems in preparation for the digital heist. The professionalism with which MoneyTaker operates allowed them to remain undetected until they had moved from the branch into the main network and reached the AWS CBR system (the bank's Automated Workstation of the Client of the Bank of Russia, the terminal used to send payments through the central bank) that they needed to withdraw the money.
Cimpanu describes the attack and aftermath as follows:
On July 3, MoneyTaker used this system to transfer funds from PIR Bank’s account at the Bank of Russia to 17 accounts they created in advance. Moments after the stolen funds landed in these accounts, money mules withdrew it from ATMs across Russia. PIR Bank employees discovered the hack a day later, on July 4, but by that moment it was already too late to reverse transactions.
Though MoneyTaker left a trail behind that allowed Group-IB to identify who carried out the hack, the damage was already done. The black hats had made off with a strong payday and another notch in their belt of exploits. The reality is that this attack could likely have been prevented had PIR taken security more seriously: keeping branch hardware patched or replaced, and treating a regional branch's network as a path into the core rather than as a low-risk outpost. Let this attack be a lesson and a warning; all it takes is one opening, in this case an outdated router, to give cybercriminals the “in” they need.
Featured image: Flickr / Damian Gadal