According to Moscow-based security firm Group-IB, a previously undetected group of Russian-speaking hackers has stolen nearly $10 million from at least 18 banks, most of them in the United States and Russia, over recent years by targeting interbank transfer systems.
Group-IB, a firm that prevents and investigates high-tech crime and online fraud, said the attacks allowed cash to be withdrawn from bank automated teller machines (ATMs). The campaign began about 18 months ago and appears to be ongoing; the company warned that banks in Latin America could be targeted next.
A Group-IB report states that the first attack, in spring 2016, was against First Data's STAR network, the largest U.S. bank transfer messaging system, which connects ATMs at more than 5,000 organizations.
Group-IB said it is also investigating a number of incidents in which the hackers studied how to make money transfers through the SWIFT (Society for Worldwide Interbank Financial Telecommunication) banking system, but it stopped short of saying whether any such attacks had been carried out successfully.
SWIFT, for its part, said that although hackers were still targeting its interbank messaging system, security controls introduced after last year's $81 million heist at Bangladesh's central bank had thwarted many of those attempts.
Of the 18 banks identified so far, 15 are spread across 10 U.S. states, two are in Russia and one is in Britain. Financial software firms and a law firm were also targeted.
According to Group-IB, the average amount stolen in each of 14 U.S. ATM heists was $500,000. Losses in Russia averaged $1.2 million per incident, although one bank there caught the attack in progress and recovered some of the stolen funds.
The hackers also stole documentation for OceanSystems' Fed Link transfer system, which is used by 200 banks in Latin America and the United States, and successfully attacked the Russian interbank messaging system known as AW CRB.
Once the hackers penetrated targeted banks and financial organizations, they stole internal bank documentation to prepare future ATM attacks, Group-IB said. In Russia the hackers continued to spy on bank networks after the break-ins, and at least one U.S. bank had documents stolen twice.
To go unnoticed, the hackers used a constantly changing mix of tools and tactics to bypass antivirus and other traditional security software, and they were careful to eliminate traces of their operations. To disguise their activity, they also used certificates bearing the names of brands such as Bank of America, the Fed, Microsoft and Yahoo. A brand name in a certificate's subject is not evidence that the brand issued it; what matters is whether the certificate chains to a trusted certificate authority.
Group-IB has dubbed the group "MoneyTaker" after the software it used to hijack payment orders and then cash out the funds through a network of low-level "money mules" hired to withdraw cash from ATMs. The company has notified Interpol and Europol to assist law enforcement investigations.
Group-IB is an international company dedicated to preventing and investigating high-tech crimes and online fraud. The company develops software and hardware solutions for proactive cyber defence based on the latest threat intelligence data.
In 2017, IDC named the company the leader in its Russia Threat Intelligence Security Services Market Analysis, and Forrester listed it among the top five vendors in its Vendor Landscape: External Threat Intelligence, 2017 report. Group-IB's head office is in Moscow, Russia.
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment.
The majority of international interbank messages use the SWIFT network. As of 2015, SWIFT linked more than 11,000 financial institutions in more than 200 countries and territories, which exchanged an average of over 15 million messages per day. SWIFT transports financial messages securely but does not hold accounts for its members and does not perform any form of clearing or settlement.