A team of researchers from cybersecurity firm Group-IB discovered that a previously undetected hacking group was behind a series of bank thefts totaling about $10 million.
The thefts involved at least 20 banks in the United Kingdom, the United States and Russia.
The research firm, which is based in Moscow, stated in a recently released report that a group of hackers known as “MoneyTaker” committed the thefts over two years after attacking the interbank transfer system.
Group-IB called the group of Russian-speaking hackers “MoneyTaker” because they used software with the same name to hijack payment orders and withdraw cash that was picked up by hired “money mules” from various ATMs.
Group-IB warned that the cyberattack, which started around two years ago and allowed cash to be stolen from various ATMs, was still ongoing and there was a high chance that banks in Latin America will be the next target for the MoneyTaker group.
Over 18 months, the MoneyTaker hacking group carried out more than 20 successful cyberattacks on financial institutions and legal firms based in the U.K., the U.S. and Russia.
The group successfully attacked 16 firms in the U.S., with each attack estimated to have cost an average of $500,000.
The hacking group also made big money from attacking its local banks, taking $1.2 million from three Russian banking institutions.
It has not been established how much money was stolen from the IT firm based in the U.K.
Despite the amount of money stolen by this hacking group, the names and faces of these hackers remain unknown. The reason the MoneyTaker group has not yet been identified is that it is careful about hiding its tracks.
They do this by utilizing different tactics and tools in every attack to ensure they don’t leave traces behind that could make it easy for investigators to track them down.
The MoneyTaker group committed their cybercrimes by targeting card processing systems in addition to the AWS CBR, which refers to the Russian Interbank System, as well as SWIFT in the U.S.
The first cyberattack was discovered last year when cash was stolen from a bank in the U.S. by manipulating the First Data network known as STAR.
First Data is considered to be the largest messaging system for financial institutions, connecting more than 5,000 organizations.
In a statement that was released by First Data, it was revealed that some small financial firms on the STAR network had their credentials breached after using debit cards in early 2016.
This led to First Data implementing new security controls that were compulsory.
Another reason this hacking group has not been identified is that it employs publicly available tools alongside customized malware.
For example, it utilized code that was publicly showcased at ZeroNights, a 2016 cybersecurity conference.
The hacking group also employs tools like Metasploit, which is commonly used by network administrators.
Additionally, MoneyTaker utilizes fileless malware as well as fake SSL certificates that imitate those of big brands like Microsoft, Bank of America and Yahoo.
However, one tool that attracted a lot of interest is known as MoneyTaker v5.0, which inspired the naming of the hacking group.
This tool is capable of searching for payment orders and altering them, replacing payment details and erasing logs.
Researchers from Group-IB also discovered that this hacking group was able to steal documentation on the technologies used by more than 200 banks in Latin America and the United States.
This means the MoneyTaker hacking group is still in a position to commit further cybercrimes in the future.
According to Group-IB, investigations are still ongoing and they are working with the Russian government and Europol to discover the identity of these hackers.