Despite its significant success, the attacks have so far gone unreported. According to Group-IB, the hackers also targeted law firms and financial institutions, with 20 different companies confirmed so far. Of those, 16 were in the US, while 3 were in Russia and 1 in the UK. The group constantly changed its tactics to avoid detection while also removing all traces of an intrusion.
A Large-scale Operation
MoneyTaker’s first attack came in spring 2016 when it gained access to First Data’s STAR network operating portal. From there, it attacked companies across the United States, as well as banks. Group-IB was able to link the attacks via re-used and withdrawal schemes, as well as their spying tactics. It seems the group had a distributed infrastructure and were present after the attack, stealing corporate documents and emails. Documents include admin guides, internal regulations and transaction logs, all in preparation for future attacks. The tools used by MoneyTaker were a combination of self-written and borrowed tools. Screenshot and keylogger tools were essential, as well as a tool called MoneyTaker v5.0, which replaced fraudulent payment orders made by the group. The group also made use of legitimate pen-testing tool Metasploit to gain access to the system and look for further vulnerabilities. The Malware it deploys is ‘fileless’ meaning its hidden in RAM and destroyed after the system restarts. In some attacks, the group was able to gain access bank’s card processing system, and then legally opened accounts. Criminals would then go to ATMs in person and withdraw money with hacked overdraft and withdrawal limits. Each attack enabled an average $500,000. However, though Group-IB has identified the group, it doesn’t mean their days are over. Co-Founder Dmitry Volkov warns will provide organizations with the data to connect the attacks in the future. “Incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice,” Volkov says. “Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations.” You can read Group-IB’s full report on its website.