Bank Hackers Exploit Outdated Router To Steal $1 Million USD

Group-IB, one of the global leaders in preventing high-tech crimes and providing high-fidelity threat intelligence and anti-fraud solutions, is conducting incident response on an attack on PIR Bank (Russia), which resulted in the theft of 1 million US dollars, conducted by the MoneyTaker hacking group.

Funds were stolen on July 3rd 2018 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar to SWIFT), transferred to 17 accounts at major Russian banks and cashed out. After that, the criminals tried to ensure persistence in the bank’s network in preparation for subsequent attacks, but were detected and removed by Group-IB incident responders.

According to Kommersant newspaper, PIR Bank lost around $920,000 (which is a conservative estimate) from their correspondent account at the Bank of Russia. PIR Bank officially confirmed the attack initially, adding at that time they were unable to determine the exact amount of losses. PIR staff managed to delay withdrawal of some stolen funds, but it is clear that most are lost. In order to respond to the incident, PIR Bank staff engaged Group-IB.

Group-IB says attackers began their attack in late May by exploiting the outdated router.  Nikitin at Group-IB says exploiting the router would not have been difficult, technically speaking.

“Nothing amazing [required], like a zero-day exploit. It is impossible to determine which CVE was used; of course there was no syslog or anything like that – it could simply just have been brute-forced,” he says.

After exploiting the router, the attackers used it to tunnel into the bank’s main network. From there, they managed to gain access to the bank’s Automated Work Station Client of the Russian Central Bank, or AWS CBR, which is an interbank messaging system designed for fund transfers that’s similar to the SWIFT messaging system.