A group of bank hackers stole at least $920,000 from the leading PIR Bank of Russia. This was achieved by the successful compromise due to the outdated, unsupported Cisco router at a branch office of the bank. The hackers made use of the faulty router for tunneling into the local network of the bank to perform the breach successfully.

Sergey Nikitin, a digital forensic expert with a leading cybersecurity and incident response firm based in Moscow, stated that the faulty router was a Cisco 800 Series router with an outdated OS version, 12.4. The support for this router ended in 2016.

The hacking attack came into light after the daily political and financial newspaper of Russia,  “Kommersant”, on July 6 reported that the PIR Bank of the country has lost at least $920,000 (58 Million Rubles). The incident came into light after the hackers transferred the major amount of money out the bank account at the PIR Bank of Russia.

PIR Bank of Russia has been able to recover  partial amount of the funds. However, the majority of the money that was transferred by the hackers still remains lost.

In-depth Investigation

More in-depth details about the attack have been released by Group-IB.  This group was hired by the country’s PIR Bank for investigating the attack.

Gro-IB discovered some attack details by the extensive utilization of PowerShell scripts which to understand the attack used on the automated parts and networks of the attack.   The group refers to the attacker as the “MoneyTaker.”

MoneyTaker serves to be one of the three most active cybercrime groups in Russia. The other two include Silence and Cobalt. These groups are known for regularly targeting the financial institutions in the country. The firm claims that this has been the fourth time in a single year that MoneyTaker has gained successful access to the network of the banks through the exploitation of bank branch routers.

How Hackers Made the PIR Bank Infiltration Successful?

Group-IB claims that the hackers started their attack during late May through the exploitation of the outdated router.

Nikitin states that the exploitation of the router would not have been an immensely difficult technical task. He further adds that it is impossible to find out which CVE was utilized. It could simply be due to brute-forcing. The process of brute-forcing a specific router would imply hampering it with login requests by running some dictionary attack that aimed at using several different usernames and passwords until a single combination would allow the attackers to gain remote access successfully.

Group-IB claims that it has identified the reverse shells and the system administrators of the PIR Bank have scrubbed them off from the network of the bank.