Hackers steal $910,000 from Russia’s PIR Bank

The hacker group MoneyTaker stole about $910,000 from the Russian PIR Bank earlier this month. The hacker‘s attack on PIR Bank began in May when they first invaded a router in the bank’s branch and used it as an entry to access the bank’s local network. When MoneyTaker invaded the PIR Bank main network, they managed to gain access to the Automated Work Station Client of the Russian Central Bank (AWS CBR), generated a payment slip, and transferred the money to the money dice account that was prepared in advance.

On the evening of July 4, when bank employees discovered a large number of unauthorized transactions, they asked regulators to block the AWS CBR digital signature key, but they failed to prevent the transfer of funds promptly. Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.

Simultaneously, the attackers used a technique characteristic of MoneyTaker to cover their tracks in the system–they cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation.

The attacker used a variety of malicious programs, one of which is MoneyTaker v5.0. Most malicious programs are stored in memory only and are not saved to the hard disk.

Source: arstechnica