ST. MAARTEN–New details discovered in the investigation into the string of attacks on banks around the world using the SWIFT network have linked the intrusions to attackers based in North Korea.
Separate research conducted by experts at SWIFT, Kaspersky Lab, and BAE Systems uncovered a trail of clues that, taken together, point to North Korean attackers. Soon after the attack on the Bank of Bangladesh last year–which netted the criminals $81 million–security experts said the operation likely was conducted by a group known as Lazarus. The group is infamous in the cyber espionage world and is believed to be responsible for a number of damaging attacks against manufacturing companies, banks, and other organizations around the world. In a talk at the Kaspersky Security Analyst Summit here Monday, the researchers said that a mistake by the attackers allowed them to follow the trail and connect the operation to infrastructure in North Korea.
One of the machines that the Lazarus group compromised during another attack was used as a command and control server, and shortly after it was set up, the machine connected to an IP address in North Korea for a short time. The attackers also failed to remove log files from the compromised server, giving the researchers visibility into the operation. The Lazarus group has been active for several years and the researchers said they believe the attack on the Bank of Bangladesh was the work of a sub-group of Lazarus they identified as Bluenoroff.
The group uses a number of different types of custom malware and has highly evolved techniques. For example, the attack on the Bank of Bangladesh involved the theft of a binary of the SWIFT system software, which the attackers then disassembled and analyzed. They then added a tiny, one-bit patch that prevented a key integrity check in the software from completing. They then reintroduced the patched software to the system and, once inside the compromised bank, the attackers had the ability to modify and delete SWIFT messages, which helped hide their tracks. Banks use the SWIFT system to exchange messages about transfers and other transactions, and the attacks by the Lazarus group allowed them to manipulate those messages to transfer money through intermediary institutions and ultimately withdraw it.
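The detail worth taking away from the patch described above is that an integrity check living inside the same binary it protects can be disabled by editing that binary, so the check has to be duplicated from outside the process: a known-good hash manifest, kept on a separate host or signed, that is compared against the files actually on disk. The script below is an added example written for this article, not code from SWIFT, Kaspersky Lab, or BAE Systems; the sample file, its path, and the flipped offset are constructed stand-ins, and it shows why a cryptographic hash is needed rather than a cheap check such as file size, which a single flipped bit leaves unchanged.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: Iterable[str]) -> Dict[str, str]:
    """Record the known-good digest of every listed file.

    In a real deployment this manifest is produced at install time and stored
    (or signed) somewhere the monitored host cannot silently rewrite it.
    """
    return {p: sha256_file(p) for p in paths}


def verify_manifest(manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare each file on disk against the manifest.

    Returns a status per path: 'ok', 'modified' (digest differs) or 'missing'.
    """
    results: Dict[str, str] = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            results[path] = "missing"
        elif sha256_file(path) != expected:
            results[path] = "modified"
        else:
            results[path] = "ok"
    return results


def flip_one_bit(path: str, offset: int, bit: int) -> None:
    """Simulate a one-bit patch of a binary (constructed input, not malware)."""
    with open(path, "r+b") as f:
        f.seek(offset)
        original = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([original ^ (1 << bit)]))


def demo() -> Dict[str, object]:
    """Build a manifest, flip one bit in the sample file, and re-verify.

    The sample file is a constructed stand-in for a deployed module; the
    offset 0x200 is arbitrary. Size stays identical, the digest does not.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample_module.bin")
        with open(path, "wb") as f:
            f.write(bytes(range(256)) * 16)  # 4096 bytes of constructed content

        manifest = build_manifest([path])
        before = verify_manifest(manifest)[path]
        size_before = os.path.getsize(path)

        flip_one_bit(path, offset=0x200, bit=0)

        after = verify_manifest(manifest)[path]
        size_after = os.path.getsize(path)

        return {
            "before": before,                        # 'ok'
            "after": after,                          # 'modified'
            "size_unchanged": size_before == size_after,  # True
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script and the output shows the file passing verification before the flip and failing after it while its size is unchanged. The design point is that `verify_manifest` depends on nothing inside the monitored file; scheduling it from a separate host, with the manifest stored read-only or signed, is what makes a patched-out in-process check visible.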
The Lazarus group has continued to run operations against other banks in the months since the Bank of Bangladesh attack, but they have been unsuccessful, thanks to the insights researchers gained in their investigation.
“In all of these attacks we’ve seen since the Bank of Bangladesh, they were unsuccessful. But when attackers are unsuccessful, they don’t just stop, they evolve,” said Vitaly Kamluk, head of the Global Research and Analysis Team’s Asia Pacific group at Kaspersky Lab. “They’re now using watering hole attacks to target banks around the world.”
The Lazarus attackers also are believed to be responsible for a number of other high-profile attacks, including the massive compromise of Sony Pictures Entertainment in 2014. Kamluk said there’s no reason to believe the group will stop any time soon.