An organization’s domain name may be its most important asset, and losing control over it affects more than its website. For a large Brazilian bank, a domain hijacking operation last fall resulted in attackers stealing payment card data, taking over customer accounts, and infecting customers with malware.

While the actual bank heist began on Oct. 22, 2016, at around 1 p.m., the preparations for the attack were underway at least five months in advance, said Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev at last week’s Security Analyst Summit. The sophisticated cybercrime group gained access to the bank’s domain registrar and modified the Domain Name System (DNS) records for the bank’s all 36 online properties.

DNS translates human-friendly domain names to the IP address of the servers hosting the website or the application. By changing the DNS record, the attacker can reroute all users to some other destination than the actual server even though the user is using the correct web address. In this massive bank fraud operation, the group sent the bank’s customers to near-perfect copies of the bank’s sites hosted on Google Cloud Platform.

The researchers originally thought the attack was simply another site-hijacking-and-phishing operation, but quickly realized the attackers were interested in more than harvesting login credentials and downloading malware: They had taken over the bank’s entire internet presence.