MoneyTaker: Russian-speaking hackers target bankers and lawyers in the U.S. and UK.

VICTORIA ZAVYALOVA
Group-IB, a Moscow-based provider of cyber-security solutions, issued a report about a global Russian-speaking hacker group known as MoneyTaker. In less than two years, this criminal gang carried out over 20 successful attacks on financial institutions and legal firms in the U.S., UK and Russia.

MoneyTaker has primarily targeted financial telecommunication systems, including SWIFT. In addition to financial institutions, the group has attacked law firms and financial software vendors. At least 20 companies were attacked by MoneyTaker, including 16 attacks in the U.S., three attacks in Russia, and one attack against an IT company in the UK, Group-IB reported.

MoneyTaker constantly changes tools and tactics to bypass security solutions, and the gang carefully eliminates any trace of itself after completing the attacks.

"At least one U.S. bank had documents successfully stolen from their network twice," said Dmitry Volkov, Group-IB co-founder, adding that new thefts are expected in the near future.

Group-IB identified MoneyTaker’s tools and techniques when it uncovered the first attack in the U.S. in spring 2016. Funds had been stolen from a bank by gaining access to First Data’s STAR network operator portal via compromised bank workstations.

Hackers were able to lift withdrawal limits on legitimate gift cards, and withdrew large amounts across the country with the help of money mules – criminals who withdraw money from ATMs.

Since then, the group has attacked companies in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia and Florida. The average damage caused by one attack was about $500,000 USD.

MoneyTaker hackers tend to stick around after their crimes, continuing to spy on targeted banks, said Group-IB. They also pilfer internal bank documentation to learn about bank operations and prepare for future attacks. Stolen documents include admin guides, internal regulations and instructions, as well as transaction logs.

In hopes of catching the MoneyTaker criminals, Group-IB passed all their research and information to Europol and Interpol.