A group of Russian-speaking hackers reportedly stole more than $10 million dollars from ATMs in the United States, United Kingdom, and Russia, according to a report from Moscow-based cybersecurity firm Group-IB.
The report says the group, dubbed “MoneyTaker,” successfully stole funds from 20 financial institutions and law firms in the past 18 months by targeting electric fund transfer networks like the Society for Worldwide Interbank Financial Telecommunication, better known as SWIFT. Of the nearly two dozen attacks, 16 were on U.S. organizations, three targeted Russian banks, and one was in the UK.
In the U.S., the group allegedly attacked banks—mostly small community businesses in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia, and Florida. It went unnoticed for a year and a half.
The first attack happened in spring of 2016 when money was stolen from a bank by breaching its “STAR” network, a bank transfer messaging system that connects 5,000 ATMs in the U.S. According to Group-IB, the hackers used a process that is “extremely simple.” The average amount of money per hack stolen from U.S. ATMs was $500,000. In Russia, $1.2 million was stolen per attack.
After hacking a bank’s network, the attackers legally opened ATM cards with that bank, the report explained. The criminals would then increase or remove cash withdrawal limits for the cards, allowing them to pull large amounts of cash.
The cybersecurity firm was able to determine the 20 incidents came from the same source in part because of the steps the hackers took to avoid detection.
“We managed to discover the initial point of compromise,” the report said. “Hackers penetrated the bank’s internal network by gaining access to the home computer of the bank’s system administrator.”
MoneyTaker employed different tools and strategies for infiltrating banks and stealing internal documents. It then used those documents to gain access to funds. The MoneyTaker v5.0 malware the group is named after would search and modify payment orders, replace original payment details with fake ones, and then erase all traces. Once the attack was complete, the hackers would continue to spy on infected banks.
“Criminals have changed tactics and are now focusing on banks rather than their clients, as was standard operating procedure in the past,” Dmitry Volkov, head of Group-IB’s cyber intelligence department, told the Hill.
Group-IP said it gave Interpol and Europol a detailed report about the MoneyTaker group. It warns banks in Latin America, which rely heavily on STAR, could be targeted next.