Group-IB Uncovers Russian Hacking Group ‘MoneyTaker’

7 years ago

Group-IB has released a report detailing the operations of a Russian-speaking targeted attack group dubbed by Group-IB as MoneyTaker.  In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms around the world. Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported. By constantly changing their tools and tactics to bypass antivirus and traditional security solutions and most importantly carefully eliminating their traces after completing their operations, the group has largely gone unnoticed. The first attack that Group-IB attributes to this group was conducted in the US in May 2016 while the most recent attack took place in November 2017 in Russia.

“Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations,” says Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence.

Using the Group-IB Threat Intelligence system, Group-IB researchers have discovered connections between all 20 incidents throughout 2016 and 2017. Connections were identified not only in the tools used, but also the distributed infrastructure, one-time-use components in the attack toolkit of the group and specific withdrawal schemes – using unique accounts for each transaction. Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and Mail.ru free email services in the first.last@yandex.com format.

“At Group-IB, we are committed to protecting our clients from vulnerabilities by providing them with comprehensive threat intelligence and robust cybersecurity solutions,” said Tarek Kuzbari, Managing Director for the Middle East, Turkey, Africa and South Asia at Group-IB.

By analyzing the attack infrastructure, Group-IB identified that the group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks. Exfiltrated documents include: admin guides, internal regulations and instructions, change request forms, transaction logs, etc. A number of incidents with copied documents that describe how to make transfers through SWIFT are being investigated by Group-IB.