Hackers backed by North Korea may be linked to a group that has carried out a string of attacks on banks in south-east Asia, finds Symantec
The thieves who stole $81 million (£55.4m) from a bank in Bangladesh may also be behind an attack on a bank in the Philippines, and may be linked to the group that publicly released documents pilfered from Sony Pictures Entertainment in November 2014, computer security researchers Symantec have found.
In early February hackers attempted to steal $1bn from Bangladesh’s central bank by ordering fraudulent transfers using the international SWIFT network, but made mistakes that led to all but $81m of the transfers being discovered and blocked.
After the hack was made public in April, two other banks, Tien Phong Bank of Vietnam and Banco del Austro in Ecuador, said they had been involved in similar incidents.
The Vietnamese bank said it blocked an attempted transfer of more than $1m in the fourth quarter of last year in an incident that the SWIFT organisation said appeared to be linked to the group that carried out the Bangladesh raid.
It isn’t known whether the Ecuador burglary, which involved the loss of $12m using fraudulent SWIFT transactions, was linked to the incidents in Asia, according to Symantec.
The firm said, however, that an attack in October 2015 on a bank in the Philippines used malware that was also used in the incidents in Bangladesh and Vietnam.
A piece of malware called Backdoor.Contopee, used in the attack in the Philippines as well as incidents involving other financial institutions in south-east Asia, includes distinctive code that is also found in two pieces of malware involved in the Bangladesh hack, Trojan.Banswift and msoutc.exe, Symantec said.
Range of targets
“Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group,” the company said in an advisory.
What’s more, Backdoor.Contopee was previously used by hackers associated with a group known as “Lazarus” that has carried out a string of attacks in the US and South Korea over the past seven years, including the breach of Sony Pictures Entertainment in 2014.
The link suggests that Lazarus, which the FBI concluded was backed by the North Korean government, may be connected with or identical to the hackers carrying out the recent bank thefts, Symantec said.
“The discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region,” the company stated. “While awareness of the threat posed by the group has now been raised, its initial success may prompt other attack groups to launch similar attacks. Banks and other financial institutions should remain vigilant.”
State-backed hackers turn to ransomware
Security experts recently warned that a string of profitable attacks involving ransomware, which encrypts the files on a user’s or an organisation’s computer systems and then demands payment to decrypt them, may also have been carried out by former state-sponsored hackers.
In March several computer security firms said they had identified about half a dozen ransomware incidents in the first three months of this year in which the advanced techniques and attack tools used bore a close similarity to those previously employed by a group called Codoso, thought to have been working on behalf of the Chinese state.
The security firms noted that China agreed with the US late last year to reduce its support for economic espionage, and speculated that hackers once employed by the state are turning to ransomware attacks as a new source of funds.