Group-IB identifies hacker clan, MoneyTaker

Security researchers at Group-IB, a leader in preventing and investigating high-tech crimes and online fraud, have lifted the lid on a gang of Russian-speaking cybercrooks, dubbed MoneyTaker. Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on US organisations, three on Russian banks and one against a British IT company. In addition to banks, MoneyTaker has attacked law firms and financial software vendors.

The group has conducted more than 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia in the last two months alone, according to the research firm. MoneyTaker has primarily targeted card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US).

By constantly changing their tools and tactics to bypass antivirus and traditional security solutions, and most importantly carefully eliminating their traces after completing operations, the group has largely gone unnoticed.

According to Dmitry Volkov, Group-IB co-founder and head of intelligence, “MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice.”

The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016: money was stolen from the bank by gaining access to First Data’s “STAR” network operator portal. In 2016, Group-IB identified 10 attacks conducted by MoneyTaker: six on banks in the US, one on a US service provider, one on a UK company providing financial software, and two on Russian banks. In 2017, the number of attacks has remained the same, with eight US banks, one law firm and one bank in Russia targeted. The geography, however, has narrowed to only the US and Russia.

“Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and free email services,” Group-IB added.

After infection, the group normally erases malware traces. However, when investigating an incident in Russia, Group-IB managed to discover the initial point of compromise: hackers penetrated the internal network by gaining access to the home computer of the system administrator.