A top cybersecurity firm says it has identified a previously unknown group of Russian-speaking hackers who have allegedly stolen at least $10 million from U.S. and Russian banks over the past year and a half.
The group, named the "Money Takers" after a software tool they use, allegedly targeted banks across the United States, breaking into at least 15 lenders in Utah, New York and California, and also stole at least $3 million from Russian banks, according to a report from the Moscow-based cybersecurity firm IB-Group obtained by ABC News.
The group also stole materials indicating it may be preparing to mount fresh attacks on institutions in Latin America, the report said, and could be trying to breach the SWIFT international banking messaging system that carries a huge number of the world's financial transactions.
Beginning in May 2016, the group mostly targeted card payment systems belonging to small community banks in the U.S., before then striking a transfer system used between Russian banks, IB-Group said. The hackers focused on small U.S. banks with fewer resources to put into cyberdefenses, according to the report, succeeding in stealing an average of $500,000 from each.
Having broken into the banks' card payment systems, the hackers would open accounts and remove withdrawal limits on legitimate cards, according to details in the report. So-called 'mules' -- criminals holding the cards -- would then go to an ATM and take out money, IB-Group said.
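The sequence described above (limits removed from legitimate cards, then cash taken at ATMs) leaves a trail in a bank's card-management audit log. The following is an added example of detection logic over that kind of trail; it is not code from the report or from IB-Group, and the event format, field names and the JSON-lines sample are all constructed for illustration.

```python
"""Added example: flag withdrawal-limit removals followed by over-limit ATM
withdrawals in a card-management audit trail (constructed data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines audit trail. A null new_limit means the limit was removed.
SAMPLE_LOG = """
{"ts": "2016-06-01T02:10:00", "type": "LIMIT_CHANGE", "card": "4111-1111", "actor": "svc_cardadmin", "old_limit": 500, "new_limit": null}
{"ts": "2016-06-01T02:11:00", "type": "LIMIT_CHANGE", "card": "4111-2222", "actor": "svc_cardadmin", "old_limit": 500, "new_limit": null}
{"ts": "2016-06-01T02:12:00", "type": "LIMIT_CHANGE", "card": "4111-3333", "actor": "svc_cardadmin", "old_limit": 500, "new_limit": null}
{"ts": "2016-06-01T02:40:00", "type": "ATM_WITHDRAWAL", "card": "4111-1111", "amount": 2400}
{"ts": "2016-06-01T03:00:00", "type": "ATM_WITHDRAWAL", "card": "4111-2222", "amount": 300}
{"ts": "2016-06-01T10:00:00", "type": "LIMIT_CHANGE", "card": "4111-4444", "actor": "teller_42", "old_limit": 500, "new_limit": 700}
{"ts": "2016-06-01T12:00:00", "type": "ATM_WITHDRAWAL", "card": "4111-4444", "amount": 400}
"""


def parse_events(text):
    """Parse JSON lines into dicts with real datetimes, ordered by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_over_limit_withdrawals(events, window=timedelta(hours=24)):
    """Withdrawals that exceed a card's *previous* limit shortly after that
    limit was raised or removed: the pattern the mules would produce."""
    last_change = {}  # card -> most recent LIMIT_CHANGE event
    alerts = []
    for ev in events:
        if ev["type"] == "LIMIT_CHANGE":
            last_change[ev["card"]] = ev
        elif ev["type"] == "ATM_WITHDRAWAL":
            chg = last_change.get(ev["card"])
            if chg and ev["ts"] - chg["ts"] <= window and ev["amount"] > chg["old_limit"]:
                alerts.append({"card": ev["card"], "amount": ev["amount"],
                               "old_limit": chg["old_limit"], "actor": chg["actor"]})
    return alerts


def find_bulk_limit_removals(events, min_cards=3, window=timedelta(hours=1)):
    """One actor removing limits on many cards within a short window, which
    is how a compromised administrative credential would be used."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["type"] == "LIMIT_CHANGE" and ev["new_limit"] is None:
            by_actor[ev["actor"]].append(ev)
    alerts = []
    for actor, changes in by_actor.items():
        # changes are already time-ordered; slide a window from each removal
        for i, first in enumerate(changes):
            cards = {c["card"] for c in changes[i:] if c["ts"] - first["ts"] <= window}
            if len(cards) >= min_cards:
                alerts.append({"actor": actor, "cards": sorted(cards), "start": first["ts"]})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_bulk_limit_removals(evs):
        print("bulk limit removal:", a)
    for a in find_over_limit_withdrawals(evs):
        print("over-limit withdrawal:", a)
```

On the constructed sample, the service account that strips limits from three cards in two minutes is reported once, and only the 2,400 withdrawal on the first card trips the second rule; the legitimate limit increase by a teller followed by a 400 withdrawal (below the old limit) stays quiet. In practice the thresholds and the window are tuned per institution, and the limit-change events should be correlated with the administrative session that made them.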
In a statement, First Data said that a number of small financial institutions operating on the STAR network had had the credentials they used to administer debit cards compromised earlier in 2016, leading First Data to implement new mandatory security controls. It said the STAR network itself was never breached.
The Money Takers also attacked the servers of Russia's AWS CBR interbank transfer system -- a Russian system similar to SWIFT, linked to Russia's Central Bank -- according to IB-Group. The criminals succeeded in breaking into an unnamed Russian bank by first gaining access to the home computer of the bank's system administrator, the cybersecurity researchers said. They then took control of the bank's AWS CBR system to make payments to themselves. IB-Group named the hackers after the tool used in this attack, MoneyTaker V.5.
The scheme allowed the hackers to steal about $1.3 million through attacks in Russia. This autumn, the ring tried again to compromise the same bank transfer system, but was thwarted before stealing any money.
Russia’s government hacking programs, as well as the suspected collaboration between the country’s intelligence services and its cybercriminals, have attracted intense attention since allegations that Moscow used cyberattacks to try to influence the 2016 U.S. presidential election.
Russia has also suffered an increasing number of serious cyberattacks, most recently the Bad Rabbit ransomware that hit Russia and Ukraine last month, at one point crippling Russia's largest independent newswire, Interfax, which also carries financial news.
IB-Group, which says it has one of the largest computer forensics laboratories in eastern Europe, said that the Money Takers also reflected a broader trend of cybercriminals increasingly targeting banks instead of their clients, as improved security makes fraud against individual customers less profitable.
"What we see in recent years is for targeted attack groups to actually target the bank itself, rather than the client of the bank," Nick Palmer, the director of international sales at IB-Group, told ABC News in an email. "As tools to defend against common malware and other types of fraud which target banking customers get better, the return on investment becomes lower."
Criminals are looking more often for a larger payoff from one-off hits.
Palmer's colleague Tim Bobak from IB-Group's threat intelligence outreach unit said, "It's easier to steal 5 million once than 1,000 [dollars] 5,000 times."
The Money Takers used unusually sophisticated malware to conceal their attacks, according to IB-Group. The ring employed so-called fileless malware, which exists only in a computer's volatile memory and disappears when the machine reboots, making it hard to detect. The hackers further hid their break-ins with malware that generated encryption certificates bearing well-known brand names, such as Bank of America and Yahoo.
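A certificate that carries a well-known brand in its subject but was not issued by a trusted authority is exactly the kind of artefact a defender can triage from TLS-inspection or endpoint logs. The following is an added example of that check; it is not code from the report or IB-Group, and the watched-brand list, the trusted issuer names, the certificate records and the placeholder fingerprints are all constructed for illustration.

```python
"""Added example: flag certificates whose subject borrows a well-known brand
but which are self-signed or issued by an untrusted CA (constructed records)."""
import re

# Brands the monitoring team wants to watch; extend per environment (assumption).
WATCHED_BRANDS = ["Bank of America", "Yahoo"]

# Issuer common names the organisation trusts. Constructed placeholder names,
# not real CA identities.
TRUSTED_ISSUERS = {"Example Public CA G2", "Example Public CA G3"}

# Constructed certificate summaries, as an inspecting proxy or EDR might log them.
SAMPLE_CERTS = [
    {"subject_cn": "www.bankofamerica.com", "issuer_cn": "Example Public CA G2", "sha256": "placeholder-1"},
    {"subject_cn": "Bank of America", "issuer_cn": "Bank of America", "sha256": "placeholder-2"},
    {"subject_cn": "mail.yahoo.com", "issuer_cn": "Yahoo Internal CA", "sha256": "placeholder-3"},
    {"subject_cn": "intranet.local", "issuer_cn": "intranet.local", "sha256": "placeholder-4"},
]


def normalize(name):
    """Lower-case and drop everything but letters and digits, so that
    'Bank of America' and 'www.bankofamerica.com' compare on the same token."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def matched_brand(subject_cn, brands=WATCHED_BRANDS):
    """Return the first watched brand whose token appears in the subject CN."""
    subject = normalize(subject_cn)
    for brand in brands:
        if normalize(brand) in subject:
            return brand
    return None


def assess_certificate(cert, brands=WATCHED_BRANDS, trusted=TRUSTED_ISSUERS):
    """Return a reason string when the certificate looks like brand
    impersonation, or None when it is either off-brand or properly issued."""
    brand = matched_brand(cert["subject_cn"], brands)
    if brand is None:
        return None  # no watched brand in the subject; out of scope here
    if normalize(cert["issuer_cn"]) == normalize(cert["subject_cn"]):
        return f"self-signed certificate using brand '{brand}'"
    if cert["issuer_cn"] not in trusted:
        return f"brand '{brand}' issued by untrusted CA '{cert['issuer_cn']}'"
    return None


def scan(certs, **kwargs):
    """Run assess_certificate over a batch and collect (fingerprint, subject, reason)."""
    findings = []
    for cert in certs:
        reason = assess_certificate(cert, **kwargs)
        if reason:
            findings.append((cert["sha256"], cert["subject_cn"], reason))
    return findings


if __name__ == "__main__":
    for fingerprint, subject, reason in scan(SAMPLE_CERTS):
        print(f"{fingerprint}  {subject}: {reason}")
```

On the constructed records the properly issued bankofamerica.com certificate passes, the self-signed "Bank of America" one and the Yahoo-branded certificate from an unknown issuer are reported, and the self-signed intranet certificate is ignored because it borrows no brand. This triage works on logged summaries only; a real deployment should rely on full chain validation against the organisation's trust store and treat the brand match as a prioritisation signal, not as proof.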
So far, IB-Group said it had not found any indication that the Money Takers had succeeded in breaking into SWIFT, but warned that it expected the group would likely try to compromise it at some point.
While carrying out their attacks, the ring sought out internal documents within the banks’ systems, including those relating to the SWIFT system, the IB-Group report said. In particular, the hackers stole documents on a product used in money transfers, called FedLink, that has 200 customers in Latin America, IB-Group noted.
"We assume that banks in Latin America may become the next target of this group," the report read.
In an October statement, Reuters reported, SWIFT said hackers were still attempting to breach its system but that increased security measures taken last year had thwarted the attempts.
The extent of the Money Takers' activity is still unknown, the report continued, and the cybersecurity firm believes there are more attacks it has not uncovered.