MoneyTaker Steals Millions from the Financial Sector

Hackers Targeting US Financial Institutions

Once again, the financial sector is the target of a string of attacks spanning the United States and Russia. Last week, Group-IB uncovered a series of attacks performed by the hacker group known as “MoneyTaker.” The group was reported to have conducted over 20 successful attacks in 2016 and 2017. While the attacks spanned the US, Russia, and the UK, the majority were directed at organizations within the United States: 14 of the 16 targeted attacks hit US financial institutions. It is currently estimated that across the 20 attacks carried out by MoneyTaker, over $11 million has been stolen, along with sensitive information that was exfiltrated.


How The Attack Was Performed

Researchers were able to correlate the large number of attacks through the tools and methods MoneyTaker reused across them. While the group showed expertise in creating its own tools, including a keylogger and a ‘screenshotter’ to gather information, it also wrote programs to automatically substitute payment details in different interbank transfer systems. Not all the tools used in the attacks were created by the group; some were “borrowed,” including:

  • Metasploit – A common penetration testing framework, used here to gain access to the target's network
  • Citadel – A malware distribution toolkit primarily used for distributing malware that steals credit card/bank account information and credentials
  • Kronos – Another banking Trojan that was used to deliver Point-of-Sale Malware during the attacks
  • Privilege escalation tools that were demonstrated at Moscow’s 2016 ZeroNights cybersecurity conference as proof of concept

MoneyTaker also used other methods during these attacks, ranging from removing all traces of malware from infected systems once they had a foothold in a network, to using the names of well-known brands like Bank of America, the Federal Reserve Bank, Microsoft, Yahoo, etc. when generating the SSL certificates that protected command-and-control server communication. Understanding these common methods and tools led Group-IB to identify the first attack, which was carried out back in 2016. The following is a description of the attack process from Group-IB's report:
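Borrowed brand names in certificates are something a defender can check for directly. As an added example, not from the post or from Group-IB, here is a Python check that flags observed server certificates that name a well-known brand but are self-signed, fail chain validation, or are served for a host outside the brand's expected domains; the brand/domain list and the record format are assumptions:

```python
"""Flag observed TLS certificates that borrow a well-known brand name but do
not chain to a trusted CA, the C2 trick described above.  Records are
constructed for this example and mimic fields a sensor such as Zeek writes
to ssl.log; BRAND_DOMAINS is an assumed watch list, not the report's."""

BRAND_DOMAINS = {  # brand named in the post -> domains expected to carry it
    "bank of america": ("bankofamerica.com",),
    "federal reserve": ("federalreserve.gov",),
    "microsoft": ("microsoft.com", "office.com", "live.com"),
    "yahoo": ("yahoo.com",),
}

def brand_in(text):
    """Return the first watched brand found in a subject string, else None."""
    low = text.lower()
    return next((b for b in BRAND_DOMAINS if b in low), None)

def host_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def flag_certificate(rec):
    """Return a reason if the certificate looks like brand impersonation."""
    brand = brand_in(rec["subject"])
    if brand is None:
        return None                      # no watched brand, nothing to check
    if rec["subject"] == rec["issuer"]:
        return f"self-signed certificate naming '{brand}'"
    if rec["validation_status"] != "ok":
        return f"untrusted chain ({rec['validation_status']}) naming '{brand}'"
    if not host_matches(rec["server_name"], BRAND_DOMAINS[brand]):
        return f"'{brand}' certificate served for unexpected host {rec['server_name']}"
    return None

def scan(records):
    """Return (server_name, reason) for every flagged record."""
    flagged = [(r["server_name"], flag_certificate(r)) for r in records]
    return [(host, why) for host, why in flagged if why]

OBSERVED = [  # constructed sample records
    {"server_name": "www.bankofamerica.com", "validation_status": "ok",
     "subject": "CN=www.bankofamerica.com,O=Bank of America Corporation",
     "issuer": "CN=Entrust Certification Authority - L1K,O=Entrust, Inc."},
    {"server_name": "203.0.113.5", "validation_status": "self signed certificate",
     "subject": "CN=Federal Reserve Bank,O=Federal Reserve Bank",
     "issuer": "CN=Federal Reserve Bank,O=Federal Reserve Bank"},
    {"server_name": "cdn-update.example.net", "validation_status": "unable to get issuer certificate",
     "subject": "CN=*.microsoft.com,O=Microsoft Corporation",
     "issuer": "CN=Microsoft IT TLS CA 4,O=Microsoft Corporation"},
]
```

Run against real sensor output, the legitimate Bank of America record passes while the two look-alike certificates are returned with a reason suitable for an alert.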

“The scheme is extremely simple. After taking control over the bank's network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked. Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs, one by one. The average loss caused by one attack was about $500,000 USD.”

But the attack does not end there. By analyzing the identified attacks, researchers found that the group also worked on exfiltrating data to prepare for future attacks. Stolen documents included admin guides, internal regulations and instructions, change request forms, transaction logs, and more.
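The quoted scheme leaves a trace in the bank's own records: a limit change on a card followed shortly by a burst of foreign ATM withdrawals. As an added example, not from the post or from Group-IB's report, the following Python shows how a bank could correlate those two event streams; the event fields and thresholds are assumptions, not any real processor's schema:

```python
"""Detect the card-processing pattern quoted above: a card's withdrawal or
overdraft limit is removed or raised and, soon after, the card is drained at
ATMs abroad.  Events are constructed for this example and the field names are
assumptions, not any real processor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)   # how long after a limit change we keep watching
MIN_TXNS = 3                   # a single foreign withdrawal is normal travel
HOME_COUNTRY = "US"

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def find_cashout_cards(limit_changes, withdrawals):
    """Return {card: foreign_total} for cards whose limit was removed
    (new_limit None) or raised and that then made at least MIN_TXNS foreign
    withdrawals inside WINDOW totalling more than the *old* limit allowed."""
    raised = {}
    for ch in limit_changes:
        if ch["new_limit"] is None or ch["new_limit"] > ch["old_limit"]:
            raised[ch["card"]] = (ts(ch["time"]), ch["old_limit"])
    total, count = defaultdict(float), defaultdict(int)
    for w in withdrawals:
        card = w["card"]
        if card not in raised or w["country"] == HOME_COUNTRY:
            continue
        start, _ = raised[card]
        if start <= ts(w["time"]) <= start + WINDOW:
            total[card] += w["amount"]
            count[card] += 1
    return {c: total[c] for c in total
            if count[c] >= MIN_TXNS and total[c] > raised[c][1]}

CHANGES = [  # constructed: limit edits pulled from the card-processing system
    {"card": "CARD-A", "time": "2016-05-01 22:10", "old_limit": 500.0, "new_limit": None},
    {"card": "CARD-B", "time": "2016-05-02 09:00", "old_limit": 500.0, "new_limit": 1000.0},
]
WITHDRAWALS = [  # constructed ATM withdrawals
    {"card": "CARD-A", "time": "2016-05-02 01:05", "country": "TH", "amount": 3000.0},
    {"card": "CARD-A", "time": "2016-05-02 01:12", "country": "TH", "amount": 3000.0},
    {"card": "CARD-A", "time": "2016-05-02 01:20", "country": "TH", "amount": 3000.0},
    {"card": "CARD-B", "time": "2016-05-03 14:00", "country": "FR", "amount": 800.0},
    {"card": "CARD-C", "time": "2016-05-02 01:30", "country": "TH", "amount": 3000.0},
    {"card": "CARD-C", "time": "2016-05-02 01:35", "country": "TH", "amount": 3000.0},
    {"card": "CARD-C", "time": "2016-05-02 01:40", "country": "TH", "amount": 3000.0},
]
```

Only CARD-A is returned: CARD-B's raised limit is followed by a single ordinary withdrawal, and CARD-C had no limit change at all, which is the point of joining the two streams rather than alerting on either alone.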


What Can We Learn

With stories like this, there is always something for us to take away and learn, so that we can improve our security and our ability to prevent attacks such as the one described in this blog post. Here are a few considerations to help prevent an attack on your organization:

  • If an attacker were inside your network, how would you know? This is the #1 question organizations must ask themselves regularly. If your answer is “I have no idea,” please find a way to answer the question in order to detect an attack before it’s too late. The average time an attacker is in a victim’s network before being detected is 180 days.
  • Testing is incredibly important for a network’s security. Metasploit, a tool that was integral in the attacks conducted by MoneyTaker, was used to search for vulnerabilities, exploit those vulnerabilities, escalate privileges, and collect information. But Metasploit, like many other network security tools, is not used only by the bad guys. These tools are also used by network security experts to help secure networks; the big difference is that an expert identifies and reports weaknesses and vulnerabilities for the organization to fix, while a hacker exploits those weaknesses to harm or steal from the organization. Make sure you are testing your network regularly, and always respond to the findings identified in that test. Remember, if you have identified vulnerabilities through a test, a hacker may be able to see and exploit those vulnerabilities as well.
  • We are all targets. A common pitfall for a business is assuming that an attack like this will never happen to you. But one thing this attack reinforces is that small to medium-sized businesses are inviting targets for a hacker. The smaller the business, the less likely it is to be capable of adequately protecting its systems and information. Don’t wait until something like this happens to your organization. Build cybersecurity into your business culture and ensure you are not an easy target.

Written by: Cole Ponto

Information Security Consultant - SBS CyberSecurity, LLC

SBS Resources:

  • {CyberByte Video} Incident Response - Threat Intelligence Sources and Investigation Apps: Do you know what normal looks like on your network? Incident Response can be tricky. Many organizations have an Incident Response Plan in place, but don't know how to detect and resolve a potential incident. What can be done to investigate the incident, eradicate the threat, and save the evidence? This CyberByte video discusses a variety of tools that will help you better monitor your network and how you can define an incident once one has been discovered.
  • {CyberByte Video} Building a Culture of Cybersecurity: It's time to shift our thinking when it comes to security awareness training. Yearly education and testing just doesn't cut it in today's cyber world. Security awareness is a topic we should have in front of our people on a much more consistent basis.
  • {Service} Network Security Testing: SBS performs network security testing that is tailored to the size and complexity of each organization. We provide each of our partners with a personalized experience from start to finish.

Posted: Thursday, December 21, 2017
Categories: Blog