A new Russian hacking group targeting banks, law firms and financial software companies has been identified by security forensics company Group-IB.
Called MoneyTaker, the group conducted more than 20 successful attacks on both financial institutions and law firms in the US, UK and Russia over the past two years, according to Group-IB.
"Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported," claimed Group-IB in a blog posting.
It continued: "In addition to banks, the MoneyTaker group has attacked law firms and also financial software vendors. In total, Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on US organisations, three attacks on Russian banks and one in the UK.
"By constantly changing their tools and tactics to bypass anti-virus and traditional security solutions and most importantly carefully eliminating their traces after completing their operations, the group has largely gone unnoticed."
According to Group-IB, the first attack conducted by the group was in spring 2016, when MoneyTaker gained access to payment technology company First Data's Star network portal.
In total, the group was behind 10 attacks during 2016, including six on banks in the US, two on banks in Russia and one on a bank in the UK, as well as the First Data attack.
In 2017, Group-IB claims that MoneyTaker was behind attacks on eight US banks, one law firm and one Russian bank.
Group-IB researchers claim to have discovered connections between all 20 incidents in 2016 and 2017. "Connections were identified not only in the tools used, but also the distributed infrastructure, one-time-use components in the attack toolkit of the group and specific withdrawal schemes - using unique accounts for each transaction.
"Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and Mail.ru free email services," claimed Group-IB.
The group has also made use of Citadel and Kronos banking Trojans as part of their attacks, with Kronos deployed to deliver point-of-sale malware in one attack.
"MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise," says Group-IB co-founder and head of intelligence Dmitry Volkov.
He continued: "In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice.
"Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations".