North Korea, allegedly behind the Sony Pictures cyberattack and more, could be behind a series of bank hacks across the globe resulting in tens of millions of lost dollars. Researchers with Symantec cite a recent trio of attacks that involved rare code seen in both the Sony cyberattack and earlier attacks against companies — including banks — in South Korea and the US. Assuming North Korea is behind the attacks, it would be a worrisome and exceedingly rare instance in which a nation-state is hacking global banks to steal money.
Some of these banks have been especially hard hit. Bangladesh’s central bank, for example, saw hackers steal a massive $81 million. The cybersecurity company Mandiant, which is working with Bangladesh’s bank to investigate the theft, recently told Reuters the responsible hackers are also behind bank thefts throughout SE Asia.
Joining that report is a blog post from Symantec in which it says it has ‘found evidence’ linking that $81 million theft to a different attempt at stealing more than $1 million from Vietnam’s Tien Phong Bank. The researchers go into details about their own analysis, pointing toward the SWIFT payments network and the series of fraudulent transactions being used to steal money from banks. These fraudulent SWIFT transactions also led to Ecuador’s Banco del Austro losing $12 million.
Researchers with Symantec say they’ve found three varieties of malware that have been used in SE Asia bank attacks: Backdoor.Contopee, Backdoor.Fimlis, and Backdoor.Fimlis.B. Some code was shared with Trojan.Banswift, which was used in the attack against the Bangladesh bank, as well. Within that trojan, researchers found what they say is ‘a distinct file wiping code.’
Searching for other malware containing the same combination of control bytes led the team back to an early version of the aforementioned Backdoor.Contopee, which is in turn tied to the Bangladesh attack. “Symantec believes … these tools can be attributed to the same group,” the company said.
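The attribution step described above rests on finding the same distinctive byte sequence (the wiping routine) in samples from otherwise separate malware families. The following is an added illustration of that kind of overlap search, not Symantec’s tooling and not the article’s own content: every sample is a constructed byte string, the embedded “wiper stub” is made-up filler rather than any real malware code, and the function names (`families_sharing_code`, `attribution_pairs`) are assumptions for this example. It indexes fixed-length byte n-grams across all samples, discards low-information padding (zero runs, NOP sleds) that every file shares, and reports which samples share a non-trivial sequence.

```python
"""Code-reuse attribution by shared byte n-grams (illustrative, constructed data)."""
from collections import defaultdict

# Constructed stand-in for a distinctive routine shared between two families.
# These bytes are invented for the example; they are not from any real sample.
WIPE_STUB = bytes.fromhex("5589e583ec10c745fc00000000")

# Constructed "binaries": an MZ-style header, some filler, and (for two of the
# three) the shared stub. Names are labels for the example only.
SAMPLES = {
    "Trojan.Banswift":      b"\x4d\x5a" + b"\x90" * 12 + WIPE_STUB + b"\x11\x22\x33" * 6,
    "Backdoor.Contopee.v1": b"\x4d\x5a" + b"\xcc" * 9 + WIPE_STUB + b"\xaa\xbb" * 7,
    "Unrelated.Sample":     b"\x4d\x5a" + b"\x00" * 10 + bytes(range(40, 80)),
}


def ngrams(data, n):
    """All contiguous n-byte windows of `data`."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def low_information(gram):
    """Padding such as zero runs or NOP sleds appears everywhere and proves nothing."""
    return len(set(gram)) <= 1


def families_sharing_code(samples, n=8, min_samples=2):
    """Map each informative n-gram to the sorted names of samples that contain it,
    keeping only grams seen in at least `min_samples` distinct samples."""
    index = defaultdict(set)
    for name, data in samples.items():
        for gram in ngrams(data, n):
            if not low_information(gram):
                index[gram].add(name)
    return {g: sorted(names) for g, names in index.items() if len(names) >= min_samples}


def attribution_pairs(samples, n=8):
    """Pairs of samples that share at least one informative n-gram; a candidate
    link for an analyst to confirm by looking at the actual code, not a verdict."""
    pairs = set()
    for names in families_sharing_code(samples, n).values():
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                pairs.add((a, b))
    return pairs


if __name__ == "__main__":
    for pair in sorted(attribution_pairs(SAMPLES)):
        print("shared code between", *pair)
```

The overlap alone is a lead, not proof: packers, shared libraries and copied open-source code all produce matching bytes across unrelated families, which is why the filter on padding exists and why a real analysis checks what the shared sequence actually does.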
Backdoor.Contopee, says Symantec, was formerly used by hackers who themselves are “associated” with Lazarus, a collective behind cyberattacks that primarily focus on South Korea and the United States. Lazarus, in turn, is linked to Backdoor.Destover, the malware used against Sony Pictures ahead of The Interview’s theatrical release (a movie that mocks the North Korean dictator while simultaneously showing citizens overthrowing the government, in case you’ve forgotten). And, as Symantec points out, the FBI’s investigation led it to blame North Korea as the source of the Sony attack.
Speaking to the New York Times, Symantec researcher Eric Chien said: “If you believe North Korea was behind those attacks, then the bank attacks were also the work of North Korea. We’ve never seen an attack where a nation-state has gone in and stolen money.”
In light of its research, Symantec has advised that “banks and other financial institutions should remain vigilant.” The SWIFT payment system, it should be noted, is used by more than 11,000 organizations and banks around the world.