MoneyTaker hackers reportedly steal £7.5m from ATMs

Russian-speaking hackers are suspected of stealing nearly $10m (£7.5m) from 20 companies in Russia, the UK and US.

The MoneyTaker group removed overdraft limits on debit cards and took money from cash machines, according to a report by cybersecurity firm Group-IB.

It also stole documentation for technology used by more than 200 banks in the US and Latin America.

The documents could be used in future attacks by the hackers, according to the report.

Group-IB has worked with both Europol and the Russian government to investigate cybercrime.

Kevin Curran, an independent expert and professor of cybersecurity at Ulster University, said the attacks were “as sophisticated as it gets at this moment in time”.

“It really is perfect in some ways,” he told the BBC. “They’re able to compromise systems and then extract all the documents for how a banking system works so that they have the intelligence needed to produce fraudulent payments.”

MoneyTaker – named by Group-IB after the group’s custom malware – has reportedly netted an average of $500,000 in 16 attacks against US companies and $1.2m in three attacks against Russian banks since May 2016.

It also targeted a UK-based software and service provider in December 2016, according to the report.

The Financial Conduct Authority and UK Finance declined to comment when contacted by the BBC.

‘Eliminating their traces’

MoneyTaker avoided detection “by constantly changing their tools and tactics” and “eliminating their traces after completing their operations”, according to a statement from Group-IB.

In its earliest-known attack, the group compromised First Data’s Star network – a debit card processing system used by more than 5,000 banks.

The attackers then removed or increased cash withdrawal and overdraft limits on legally opened credit and debit cards. “Money mules” were sent to withdraw funds from cash machines.

The group used a combination of publicly available tools and custom-written malware to access banking systems – including “file-less” software that is stored in a computer’s memory rather than its hard drive, where it can be more easily detected, according to Group-IB.

In at least one instance, the group used the home computer of a Russian bank’s system administrator to access its internal network, according to the report.

“If someone is targeted by experts, that’s very hard to protect against,” Prof Curran said. “They’re going to persist until they get into the computer.”

Other tactics included changing the servers used to infect banking systems’ networks and using secure sockets layer (SSL) certificates – data files that verify a web browser’s authenticity – that appeared to be issued by big names such as the Federal Reserve Bank.

‘The next targets’

In addition to money, the hackers were also after internal banking system documentation, such as administrator guides, internal instructions and transaction logs, according to the report.

Documentation was stolen during MoneyTaker’s attacks on the Russian Interbank payment system, which operates similarly to Swift. That documentation could be used “to prepare further attacks” on banks using the technology, according to Group-IB.

OceanSystems’ FedLink card-processing system, a wire transfer product used by more than 200 banks in the US and Latin America, was also compromised.

“Banks are increasingly spending more on security, but the hackers only have to find one way in and they have to protect all the ways in,” said Prof Curran.