Security researchers have tied the recent spate of digital breaches on Asian banks to North Korea, in what they say appears to be the first known case of a nation using digital attacks for financial gain.
In three recent attacks on banks, researchers working for the digital security firm Symantec said, the thieves deployed a rare piece of code that had been seen in only two previous cases: the hacking attack at Sony Pictures in December 2014 and attacks on banks and media companies in South Korea in 2013. Government officials in the United States and South Korea have blamed those attacks on North Korea, though they have not provided independent verification.
On Thursday, the Symantec researchers said they had uncovered evidence linking an attack at a bank in the Philippines last October with attacks on Tien Phong Bank in Vietnam in December and one in February on the central bank of Bangladesh that resulted in the theft of more than $81 million.
“If you believe North Korea was behind those attacks, then the bank attacks were also the work of North Korea,” said Eric Chien, a security researcher at Symantec, who found that identical code was used across all three attacks.
“We’ve never seen an attack where a nation-state has gone in and stolen money,” Mr. Chien added. “This is a first.”
The attacks have raised alarms in the global banking industry because the thieves gained access to Swift, a Brussels-based banking consortium that runs what is considered the world’s most secure payment messaging system. Swift’s system is used by 11,000 banks and companies to move money from one country to another — one reason that it is a tempting target for criminals.
Swift has warned publicly that the attacks are part of a broad coordinated assault on banks, though it has not assigned blame. It has also emphasized that it was the banks’ connection points to its network — and not the core Swift messaging network itself — that the attackers were able to breach. Also, American bankers have noted that the security lapses all occurred at banks in third-world countries, which may give some comfort to banking customers in the United States.
Security researchers and American government officials have tied thousands of attacks to nations in the past. They have linked the United States and Israel to an attack that destroyed Iranian centrifuges, and the Chinese military and contractors to attacks that stole military and trade secrets from thousands of foreign entities.
But the latest spate of attacks on banks in Bangladesh and Southeast Asia would be the first time, security researchers say, that a nation has used malicious code to steal purely for financial profit.
The idea that Pyongyang had turned to digital theft would not be surprising. North Korea’s economy has been ravaged by sanctions, food shortages and other deprivations. Pyongyang does not publish economic data, but estimates have put North Korea’s gross domestic product between $12 billion and $40 billion, tiny when compared with South Korea’s economic output of more than $1.4 trillion.
In the attack at Bangladesh’s central bank in February, the thieves tried to transfer $1 billion in funds from an account at the Federal Reserve Bank of New York. Fed officials became suspicious of some of the requested transfers and released only $81 million to accounts in the Philippines.
“If you presume it’s North Korea, $1 billion is almost 10 percent of their G.D.P.,” Mr. Chien said. “This is not small change for them.”
Symantec researchers said it was possible that the bank in the Philippines containing the North Korean code was also involved in the Bangladesh bank scheme and the attempted breach on the Vietnamese bank. The researchers would not identify the Philippines bank and did not say whether the thieves had been successful in transferring funds. Researchers were able to confirm only that the attackers had managed to breach the bank and install identical code strings on the bank’s computer systems — the same code that they discovered in Bangladesh, Vietnam and the two previous attacks at Sony in 2014 and South Korea in 2013.
Mr. Chien noted that the attackers not only used identical numbers but wrote the code in the same, unusual sequence across all three attacks.
Mr. Chien said the evidence pointed to all three attacks being the work of the “Lazarus Group,” a name his team gave to the attackers behind the Sony and South Korean attacks.
Officials have pointed to North Korea’s threat of “merciless countermeasures” against Sony if the studio released “The Interview,” a movie by Seth Rogen and Evan Goldberg that made fun of North Korea and includes a fictional assassination of its leader. F.B.I. analysts also note critical mistakes North Korean hackers made, such as logging into their attack servers from known North Korean Internet addresses and even logging into both their Facebook account and Sony’s servers from the same computers.
In the months since evidence of the attacks involving the Swift network started to emerge, investigators have been looking for commonalities at numerous other potential breaches. It remains unclear whether these breaches are connected to the ones in Bangladesh and Vietnam, but they too have occurred in or around Southeast Asia.
There is no evidence to date that the thieves have gone after large American or European banks, though new possible attacks are being reported weekly. Last week, evidence emerged that Banco del Austro, an Ecuadorean bank, was infiltrated by hackers who were also able to sneak onto the Swift network. The thieves transferred several million dollars to accounts around the world, according to a lawsuit the bank filed in federal court in the United States against Wells Fargo, which facilitated one of the transfers.
Researchers have yet to unearth any of the code used in the Ecuador attack, but banking analysts say it is probably no coincidence that these attacks are happening in the developing world, where security measures tend not to be as tight as they are in financial hubs like New York and London.
Swift has issued numerous warnings in recent weeks urging banks to step up their security protocols. Analysts worry that the breaches could have a chilling effect on global finance; larger banks may become reluctant or even refuse to transact with smaller banks in the developing world unless they can have assurances that their networks have not been compromised by thieves and malware.
At a conference on Tuesday in Brussels, Swift’s chief executive, Gottfried Leibbrandt, said the recent attacks could do far more damage than breaches on retailers and telephone companies, which he said suffer largely reputational and legal hits.
“Banks that are compromised like this can be put out of business,” Mr. Leibbrandt said.
North Korea has long been known for creative attempts to generate badly needed hard currency. In the last decade, United States government officials accused North Korea of counterfeiting $100 bills, which were known as “superdollars” or “supernotes” because the fakes were nearly flawless. The Federal Reserve began thwarting that effort by circulating a new $100 bill over the last three years that makes counterfeiting nearly impossible: The redesigned $100 is easier to authenticate and harder to replicate.
“North Korea is hurting for money,” said Herb Lin, the senior research scholar for cyberpolicy and security at Stanford University’s Center for International Security and Cooperation and a fellow at Stanford’s Hoover Institution. “They’ve been cut out of the financial system because of sanctions. They had been among the best counterfeiters in the world, and only recently have they been stymied in the counterfeiting of superdollars. If it’s true that we’ve cut them off from that, then it’s not at all surprising that they would turn to something else.”
Security researchers at Symantec have found clues in the malware used to hack into the international financial messaging network Swift, which suggest a link to the Sony Pictures hack in 2014.
At least three banks have reported financial attacks based on the Swift hack. In February, Bangladesh’s central bank lost $81m (£55m) after fraudulent messages were sent through the network instructing a transfer to an account in the Philippines. In May, a Vietnamese bank came forward to say that it had been targeted by the hackers as well, and had managed to stop a $1m transfer. And later that month, Reuters revealed that a third bank, Ecuador’s Banco del Austro, had also fallen prey.
At heart, all the hacks relied on social engineering as much as technical talent. Once the attackers gained fraudulent access to the Swift network, they simply messaged the banks’ banks, and asked for funds to be transferred – which, generally, they were. The Bangladesh case only came to light because a typo in one of the instructions alerted a worker.
But in order to gain access to the network, the attackers used a specific type of malware, dubbed Trojan.Banswift by Symantec.
The security research firm analysed the malware used in the Bangladesh attack, and found what it describes as “a distinct file wiping code”. The way the software deleted files was like little else the company had seen, but it had been seen in one other piece of malware, a specimen named Backdoor.Contopee, which had been used to hack into financial organisations in south-east Asia.
Programmers often have quirks that make it into their code, and they also reuse code between projects. Symantec says it believes “distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group.”
That means the hackers, who gained public notoriety with the Bangladesh hack, may have been attacking financial institutions for much longer than previously thought.
But it also links them to a wider group of hackers. The Backdoor.Contopee malware has previously been used by a group known as Lazarus, which has been attacking businesses and commercial operations across the US and South Korea for the last six years. And Lazarus, in turn, is “linked” to another piece of software, Backdoor.Destover, which was used in the 2014 hacking attack against Sony, which the FBI ended up attributing to the North Korean state.
The link is not conclusive, however. Hacking groups often share and sell code, and the Sony Pictures hack is several degrees removed from the Swift attacks.
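To make the "shared distinctive code" reasoning above concrete, here is an added Python example (not Symantec's tooling, and built on constructed byte strings rather than any real malware sample) that counts a code region shared by two samples as evidence only when it is absent from a baseline of widely shared code, which is exactly the caveat that groups share and sell code.

```python
"""Added example: the 'shared distinctive code' reasoning behind the
Lazarus attribution, on constructed data. Nothing here is real malware or
Symantec's tooling; the byte strings are stand-ins for code regions."""
from typing import Iterable, Set

N = 8  # byte n-gram length used to compare code regions (arbitrary choice)


def ngrams(blob: bytes, n: int = N) -> Set[bytes]:
    """All n-byte windows of a blob, used as a crude code fingerprint."""
    return {blob[i:i + n] for i in range(len(blob) - n + 1)}


def baseline_ngrams(baseline: Iterable[bytes]) -> Set[bytes]:
    """N-grams seen in unrelated code: runtime libraries, leaked or sold
    toolkits. Such code links nobody to anybody and must be discounted."""
    out: Set[bytes] = set()
    for blob in baseline:
        out |= ngrams(blob)
    return out


def shared_distinctive(a: bytes, b: bytes, baseline: Iterable[bytes]) -> Set[bytes]:
    """Code windows present in both samples but in no baseline blob."""
    return (ngrams(a) & ngrams(b)) - baseline_ngrams(baseline)


def reuse_score(a: bytes, b: bytes, baseline: Iterable[bytes]) -> float:
    """Share of a's distinctive windows that b also contains (0.0 to 1.0)."""
    own = ngrams(a) - baseline_ngrams(baseline)
    return len(shared_distinctive(a, b, baseline)) / len(own) if own else 0.0


# Constructed stand-ins for code regions (not real bytes from any sample).
RUNTIME = b"<common runtime: memcpy/strlen/printf stubs>"
WIPER = b"<distinctive wiper: overwrite three passes then unlink>"
SAMPLE_A = b"A: loader v2 " + RUNTIME + WIPER + b"[A-only network code]"
SAMPLE_B = b"B: implant v7 " + WIPER + RUNTIME + b"[B-only dropper]"
BENIGN = b"[benign tool] " + RUNTIME + b" [benign logic]"

if __name__ == "__main__":
    hits = shared_distinctive(SAMPLE_A, SAMPLE_B, [BENIGN])
    print(f"{len(hits)} distinctive windows shared, "
          f"all from the wiper: {all(g in WIPER for g in hits)}")
    print(f"reuse score A->B: {reuse_score(SAMPLE_A, SAMPLE_B, [BENIGN]):.2f}")
    # Without a baseline, the shared runtime code inflates the apparent link.
    print(f"naive (no baseline) shared windows: "
          f"{len(shared_distinctive(SAMPLE_A, SAMPLE_B, []))}")
```

The naive comparison at the end shows why the baseline matters: without it, ordinary runtime code shared by everyone would count as a link between the two families.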
What’s more, Lazarus was severely disrupted earlier this year, Symantec says. “The group was the target of a cross-industry initiative known as Operation Blockbuster earlier this year, which involved major security vendors sharing intelligence and resources in order to assist commercial and government organizations in protecting themselves against Lazarus.”
Swift itself has promised to improve its security following the hacks. According to Information Security magazine, the group’s chief executive offered up a new plan for change. Gottfried Leibbrandt said: “Banks can learn from one another about the modus operandi and put better preventative measures in place; entities like Swift can serve as the information sharing channel, and we can develop indicators of compromise to help those banks improve their detective capabilities.
“We are doing so,” he added, “But information sharing needs to get better, much better.”