It’s probably the same hack as this http://forum.mikrotik.com/t/device-got-hacked-1-min-after-connected-to-internet/178933/1 Multiple people from my country recently also reported exactly the same on a local forum discussing MikroTik topics.
The attackers (probably bots scanning RouterOS routers not protected by firewall) add a new user group with reduced rights, create a new user System, and move the admin user to the new group.