Hackers belonging to the MoneyTaker group robbed the Russian PIR Bank of 1 million USD on July 3. The attackers infiltrated the bank's systems by compromising an old, obsolete router that was "installed in one of the bank's regional branches". The money was stolen through an interbank funds transfer system, the Automated Workstation Client (AWC). After the operation, the attackers made sure the bank's network remained compromised so that they could attack other systems. The theft took place five weeks after the attackers first gained access to the bank's network; investigators, however, detected the compromise.
The MoneyTaker group is credited with a series of successful cyber attacks against banks, including 20 successful attacks on financial institutions and law firms in Russia, the United States and the United Kingdom. According to security researchers at Group-IB's forensic laboratory, the group is very adept at concealing its own malicious activity; it was nevertheless identified by the similarity of the techniques, procedures and IP addresses used across its campaigns. Its method is to gain access to a targeted network and, over several months, escalate to domain administrator level while remaining active within the network right up to the attack. The freely available tools it uses are Microsoft PowerShell, some Visual Basic scripts and the Metasploit framework. The group also uses its own malware, such as MoneyTaker v5.0, "malware that has no files and only exists in the computer's memory".
Cyber attacks against banks and financial institutions are quite common. Traditional networks that use a "connect, then authenticate" model, such as PIR Bank's, are more easily reached by attackers, who can scan the network for devices and open ports with common hacking tools. Software-defined networks (SDN), by contrast, use an "authenticate, then connect" model that keeps their resources invisible and hard to reach, which makes it more difficult for attackers to exploit routers.
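The contrast between the two models can be shown in a small simulation. The following Python is an added example written for this article, not code from the article, from PIR Bank or from Group-IB: it models two toy network edges, one that answers any connection before asking for credentials and one that stays silent until the client proves possession of a shared secret, and runs the same unauthenticated probe against both. The service table, port numbers, client name and the HMAC-over-port "knock" are all constructed for the demonstration; real authenticate-then-connect deployments use proper key management and bind the proof to a nonce or timestamp to prevent replay.

```python
import hashlib
import hmac

# Constructed service table shared by both toy edges: port -> banner the service
# would send once a connection is accepted.
SERVICES = {22: "SSH-2.0-OpenSSH", 3389: "RDP"}
SCAN_PORTS = [22, 80, 3389]

# Constructed demo secret; a real deployment would provision per-client keys.
DEMO_SECRET = b"constructed-demo-secret"


class ConnectThenAuthEdge:
    """Traditional model: any peer may connect; the service answers (banner,
    handshake) and only afterwards asks for credentials. Discovery needs no auth."""

    def __init__(self, services):
        self.services = services

    def probe(self, port, client_id=None, auth_token=None):
        # Credentials are irrelevant to discovery: the port state leaks to anyone.
        if port in self.services:
            return ("open", self.services[port])
        return ("closed", None)


class AuthThenConnectEdge:
    """Authenticate-then-connect model: the edge drops every packet that is not
    accompanied by a valid proof of identity, so unauthenticated probes see nothing."""

    def __init__(self, services, secret):
        self.services = services
        self.secret = secret

    def expected_token(self, port, client_id):
        # Proof bound to the requesting client and the requested port.
        # (Real systems also bind a nonce/timestamp to defeat replay.)
        msg = f"{client_id}:{port}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def probe(self, port, client_id=None, auth_token=None):
        # No proof, or a wrong proof: silence, indistinguishable from a filtered port.
        if client_id is None or auth_token is None:
            return ("no response", None)
        if not hmac.compare_digest(auth_token, self.expected_token(port, client_id)):
            return ("no response", None)
        # Only an authenticated client learns whether the service exists.
        if port in self.services:
            return ("open", self.services[port])
        return ("closed", None)


TRADITIONAL = ConnectThenAuthEdge(SERVICES)
AUTH_FIRST = AuthThenConnectEdge(SERVICES, DEMO_SECRET)


def unauthenticated_scan(edge, ports):
    """What a peer with network reach but no credentials (the position an attacker
    holds after compromising an edge router) learns by probing each port."""
    return {port: edge.probe(port)[0] for port in ports}


def authenticated_connect(edge, port, client_id, secret):
    """An enrolled client presents its proof first and only then gets a connection."""
    token = hmac.new(secret, f"{client_id}:{port}".encode(), hashlib.sha256).hexdigest()
    return edge.probe(port, client_id=client_id, auth_token=token)


if __name__ == "__main__":
    print("connect-then-authenticate edge, unauthenticated scan:",
          unauthenticated_scan(TRADITIONAL, SCAN_PORTS))
    print("authenticate-then-connect edge, unauthenticated scan:",
          unauthenticated_scan(AUTH_FIRST, SCAN_PORTS))
    print("authenticate-then-connect edge, enrolled client on port 22:",
          authenticated_connect(AUTH_FIRST, 22, "branch-workstation", DEMO_SECRET))
    print("authenticate-then-connect edge, wrong secret on port 22:",
          authenticated_connect(AUTH_FIRST, 22, "branch-workstation", b"wrong"))
```

Running the script shows the point the article makes: the traditional edge reveals which ports are open to anyone who can reach it, while the authenticate-first edge returns nothing to the same scan and only exposes a service to a client that has already proven who it is. The `hmac.compare_digest` call is used so that a wrong proof cannot be distinguished from a missing one by timing.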