Cyber Incident Victim: PIR Bank of Russia
Date: Jul 2018
Location: Russia
Summary
Hackers compromised an outdated router at a regional branch of PIR Bank of Russia, enabling theft of approximately $1 million via the Central Bank’s interbank transfer system. The stolen funds were transferred to 17 accounts at major domestic banks and swiftly withdrawn, while attackers maintained network access for potential future intrusions. Forensic investigators attributed the attack to the MoneyTaker group, which had infiltrated the bank’s systems five weeks prior and was linked to over 20 previous financial cyberattacks across multiple countries.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On July 3, 2018, cybercriminals associated with the MoneyTaker group stole approximately $1 million from PIR Bank of Russia by exploiting an outdated router at one of its regional branches. The attackers initially compromised the bank’s network five weeks prior to the theft, establishing persistent access. They leveraged this foothold to target the Automated Workstation Client (AWC), an interbank fund transfer system operated by Russia’s Central Bank, facilitating the fraudulent transfer of funds. The stolen amount—reported by Kommersant as $910,000—was distributed across 17 accounts at major Russian banks and swiftly withdrawn. The router’s outdated firmware provided the initial attack vector, enabling unauthorized access to internal systems.

Following the theft, investigators discovered the attackers maintained network access to enable future attacks, though the bank detected the compromise and engaged Moscow-based forensic firm Group-IB to investigate. Group-IB attributed the attack to MoneyTaker, a group linked to at least 20 prior incidents targeting financial institutions and law firms in Russia, the US, and the UK since their first documented activity in November 2017. The incident disrupted the bank’s operations and exposed vulnerabilities in its regional branch security infrastructure. No additional financial losses were confirmed, but the breach highlighted systemic risks associated with unpatched network devices. The bank did not publicly disclose remediation timelines or specific containment measures beyond involving external investigators.
