Hunting the invisible

SecurityMEA speaks with Tarek Kuzbari, Managing Director – Middle East, Africa, Turkey & South Asia, Group-IB where he sheds light onhow the company uncovered the targeted hacker group dubbed MoneyTaker and what needs to be done to protect against such advanced threat actors.

How was Group-IB able to discover the hack by a group that remained unnoticed for almost two years?

It was very challenging work for the Group-IB Threat Intelligence team. The MoneyTaker group had been going unnoticed for a long time, by carefully eliminating their traces after completing operations.

Also, it is easy enough to attribute an incident when hackers use unique malware since such distinguishing tools usually enable our team to ascribe several attacks to one hacker team. However, MoneyTaker purposefully concealed all elements of attribution to slip under the radar.

Were you able to identify the origin of these attacks? Apart from the US, UK and Russia, which countries suffered the most?

We did not detect any geographical pattern in MoneyTaker’s activity. They usually chose small banks, which typically have a low level of information security. This explains the large scale of successful penetration into banks and other organizations in a relatively short time.

As for the origin of MoneyTaker, we’re sure that several Russian-speaking members are engaged. All attacks on the Russian banks aimed at stealing funds are conducted only by groups which know the Russian language for the following reasons:

  • The language barrier. To carry out an effective attack, knowledge of the language might be crucial. It is especially relevant for specific internal systems, which are used only in Russia, like AWS СBR.
  • Money laundering. A hacker can be skilled enough to penetrate the network of any bank but he needs specialists who can provide the service to rob it. Moreover, these people must be trusted otherwise there is a considerable risk that the attacker will never receive withdrawn funds. Such relations cannot be established quickly, and if you do not speak the same language, then it is almost impossible to develop them.

MoneyTaker attacked banks in Russia through AWS СBR, which immediately indicates that hackers speak Russian. Apart from this, we have confirmed that they rented servers in Russia, through Russian-speaking hosting services, employed the code used by Russian-speaking hackers and Russian free e-mail services: Yandex and

What ultimately led to their being caught, considering that they were changing attack tactics and clearing their tracks after the attack?

In detected incidents, criminals used a program that should have carefully removed all components of the programs applied. However, due to an error made by the developer, the data were not deleted from the attacked machines, which enabled forensic experts to learn details of the hackers’ activity.

While investigating one of the incidents, we managed to discover the initial point of compromise: hackers penetrated the bank’s internal network by gaining access to the home computer of the bank’s system administrator.

Also, incidents occurred in different regions worldwide, and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice.

What happens now that the group has been identified? Can they be tracked, caught, stopped or will it be business as usual for them with specific changes in their tactics?

As is evident from past incidences, while cyber criminals have been able to operate with impunity, they have also been brought to justice. We need to be vigilant and employ safe practices to ensure that the hackers can be slowed down, if not stopped.

Since getting breached in inevitable, it then becomes essential for a company like Group-IB to coordinate their findings with international law enforcement, such as Europol and Interpol, to help in any on-going investigations which could lead to arrest. We are doing just that and will see what the future has in store for this group. Group-IB specialists expect new thefts shortly and to reduce this risk, Group-IB would like to contribute our report identifying hacker tools and techniques.

Is there any way to avoid such hacks? How can Group-IB help organizations avoid falling victim to such incidents?

With over 14 years of digital forensic and investigation experience, Group-IB has built a global threat intelligence gathering network spread in six continents. It helps major corporations respond and react to the most sophisticated cyber-threats.

In our report, we provide detailed recommendations for IT specialists, describing the critical preventive measures (to protect interbank payment systems and card processing), which must be taken to minimize the risk of attacks from MoneyTaker and similar groups.

Also, Group-IB report contains indicators of compromise which can be used by bank security specialists to check if the threat actors are active in their environment or have circumvented their security defences in the past.