Archive for the ‘Cyber attacks’ Category

DPRK Cyber attacks 2016

Friday, May 27th, 2016

UPDATE 1 (2016-5-26): DPRK Linked to attacks on Swift. According to the New York Times:

Security researchers have tied the recent spate of digital breaches on Asian banks to North Korea, in what they say appears to be the first known case of a nation using digital attacks for financial gain.

In three recent attacks on banks, researchers working for the digital security firm Symantec said, the thieves deployed a rare piece of code that had been seen in only two previous cases: the hacking attack at Sony Pictures in December 2014 and attacks on banks and media companies in South Korea in 2013. Government officials in the United States and South Korea have blamed those attacks on North Korea, though they have not provided independent verification.

On Thursday, the Symantec researchers said they had uncovered evidence linking an attack at a bank in the Philippines last October with attacks on Tien Phong Bank in Vietnam in December and one in February on the central bank of Bangladesh that resulted in the theft of more than $81 million.

“If you believe North Korea was behind those attacks, then the bank attacks were also the work of North Korea,” said Eric Chien, a security researcher at Symantec, who found that identical code was used across all three attacks.

“We’ve never seen an attack where a nation-state has gone in and stolen money,” Mr. Chien added. “This is a first.”

The attacks have raised alarms in the global banking industry because the thieves gained access to Swift, a Brussels-based banking consortium that runs what is considered the world’s most secure payment messaging system. Swift’s system is used by 11,000 banks and companies to move money from one country to another — one reason that it is a tempting target for criminals.

Swift has warned publicly that the attacks are part of a broad coordinated assault on banks, though it has not assigned blame. It has also emphasized that it was the banks’ connection points to its network — and not the core Swift messaging network itself — that the attackers were able to breach. Also, American bankers have noted that the security lapses all occurred at banks in third-world countries, which may give some comfort to banking customers in the United States.

Security researchers and American government officials have tied thousands of attacks to nations in the past. They have linked the United States and Israel to an attack that destroyed Iranian centrifuges, and the Chinese military and contractors to attacks that stole military and trade secrets from thousands of foreign entities.

Continue reading the main story
RELATED COVERAGE

Hackers’ $81 Million Sneak Attack on World Banking APRIL 30, 2016

Details Emerge on Global Bank Heists by Hackers MAY 13, 2016

Once Again, Thieves Enter Swift Financial Network and Steal MAY 12, 2016
But the latest spate of attacks on banks in Bangladesh and Southeast Asia would be the first time, security researchers say, that a nation has used malicious code to steal purely for financial profit.

The idea that Pyongyang had turned to digital theft would not be surprising. North Korea’s economy has been ravaged by sanctions, food shortages and other deprivations. Pyongyang does not publish economic data, but estimates have put North Korea’s gross domestic product between $12 billion and $40 billion, tiny when compared with South Korea’s economic output of more than $1.4 trillion.

In the attack at Bangladesh’s central bank in February, the thieves tried to transfer $1 billion in funds from an account at the Federal Reserve Bank of New York. Fed officials became suspicious of the some of requested transfers and released only $81 million to accounts in the Philippines.

“If you presume it’s North Korea, $1 billion is almost 10 percent of their G.D.P.,” Mr. Chien said. “This is not small change for them.”

Symantec researchers said it was possible that the bank in the Philippines containing the North Korean code was also involved in the Bangladesh bank scheme and the attempted breach on the Vietnamese bank. The researchers would not identify the Philippines bank and did not say whether the thieves had been successful in transferring funds. Researchers were able to confirm only that the attackers had managed to breach the bank and install identical code strings on the bank’s computer systems — the same code that they discovered in Bangladesh, Vietnam and the two previous attacks at Sony in 2014 and South Korea in 2013.

Mr. Chien noted that the attackers not only used identical numbers but wrote the code in the same, unusual sequence across all three attacks.

Mr. Chien said the evidence pointed to all three attacks being the work of the “Lazarus Group,” a name his team gave to the attackers behind the Sony and South Korean attacks.

Officials have pointed to North Korea’s threat of “merciless countermeasures” against Sony if the studio released “The Interview,” a movie by Seth Rogen and Evan Goldberg that made fun of North Korea and includes a fictional assassination of its leader. F.B.I. analysts also note critical mistakes North Korean hackers made, such as logging into their attack servers from known North Korean Internet addresses and even logging into both their Facebook account and Sony’s servers from the same computers.

In the months since evidence of the attacks involving the Swift network started to emerge, investigators have been looking for commonalities at numerous other potential breaches. It remains unclear whether these breaches are connected to the ones in Bangladesh and Vietnam, but they too have occurred in or around Southeast Asia.

There is no evidence to date that the thieves have gone after large American or European banks, though new possible attacks are being reported weekly. Last week, evidence emerged that Banco del Austro, an Ecuadorean bank, was infiltrated by hackers who were also able to sneak onto the Swift network. The thieves transferred several million dollars to accounts around the world, according to a lawsuit the bank filed in federal court in the United States against Wells Fargo, which facilitated one of the transfers.

Researchers have yet to unearth any of the code used in the Ecuador attack, but banking analysts say it is probably no coincidence that these attacks are happening in the developing world, where security measures tend not to be as tight as they are in financial hubs like New York and London.

Swift has issued numerous warnings in recent weeks urging banks to step up their security protocols. Analysts worry that the breaches could have a chilling effect on global finance; larger banks may become reluctant or even refuse to transact with smaller banks in the developing world unless they can have assurances that their networks have not been compromised by thieves and malware.

At a conference on Tuesday in Brussels, Swift’s chief executive, Gottfried Leibbrandt, said the recent attacks could do far more damage than breaches on retailers and telephone companies, which he said suffer largely reputational and legal hits.

“Banks that are compromised like this can be put out of business,” Mr. Leibbrandt said.

North Korea has long been known for creative attempts to generate badly needed hard currency. In the last decade, United States government officials accused North Korea of counterfeiting $100 bills, which were known as “superdollars” or “supernotes” because the fakes were nearly flawless. The Federal Reserve began thwarting that effort by circulating a new $100 bill over the last three years that makes counterfeiting nearly impossible: The redesigned $100 is easier to authenticate and harder to replicate.

“North Korea is hurting for money,” said Herb Lin, the senior research scholar for cyberpolicy and security at Stanford University’s Center for International Security and Cooperation and a fellow at Stanford’s Hoover Institution. “They’ve been cut out of the financial system because of sanctions. They had been among the best counterfeiters in the world, and only recently have they been stymied in the counterfeiting of superdollars. If it’s true that we’ve cut them off from that, then it’s not at all surprising that they would turn to something else.”

Read the full story here:
North Korea Linked to Digital Attacks on Global Banks
New York Times
2016-5-26

ORIGINAL POST (2016-5-27): Swift hack linked to Sony hack. According to The Guardian:

Security researchers Symantec have found clues in the malware used to hack into international financial messaging network Swift, which suggest a link to the Sony Pictures hack in 2014.

At least three banks have reported financial attacks based on the Swift hack. In February, Bangladesh’s central bank lost $81m (£55m) after fraudulent messages were sent through the network instructing a transfer to an account in the Philippines. In May, a Vietnamese bank came forward to say that it had been targeted by the hackers as well, and had managed to stop a $1m transfer. And later that month, Reuters revealed that a third bank, Ecuador’s Banco del Austro, had also fallen prey.

At heart, all the hacks relied on social engineering as much as technical talent. Once the attackers gained fraudulent access to the Swift network, they simply messaged the banks’ banks, and asked for funds to be transferred – which, generally, they were. The Bangladesh case only came to light because a typo in one of the instructions alerted a worker.

But in order to gain access to the network, the attackers used a specific type of malware, dubbed Trojan.Banswift by Symantec.

The security research firm analysed the malware used in the Bangladesh attack, and found what it describes as “a distinct file wiping code”. The way the software deleted files was like little else the company had seen, but it had been seen in one other piece of malware, a specimen named Backdoor.Contopee, which had been used to hack into financial organisations in south-east Asia.

Programmers often have quirks that make it into their code, and they also reuse code between projects. Symantec says it believes “distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group.”

That means the hackers, who gained public notoriety with the Bangladesh hack, may have been attacking financial institutions for much longer than previously thought.

But it also links them to a wider group of hackers. The Backdoor.Contopee malware has previously been used by a group known as Lazarus, which has been attacking businesses and commercial operations across the US and South Korea for the last six years. And Lazarus, in turn, is “linked” to another piece of software, Backdoor.Destover, which was used in the 2014 hacking attack against Sony, which the FBI ended up attributing to the North Korean state.

The link is not conclusive, however. Hacking groups often share and sell code, and the Sony Pictures hack is several degrees removed from the Swift attacks.

What’s more, Lazarus was severely disrupted earlier this year, Symantec says. “The group was the target of a cross-industry initiative known as Operation Blockbuster earlier this year, which involved major security vendors sharing intelligence and resources in order to assist commercial and government organizations in protecting themselves against Lazarus.”

Swift itself has promised to improve its security following the hacks. According to Information Security magazine, the group’s chief executive offered up a new plan for change. Gottfried Leibbrandt said: “Banks can learn from one another about the modus operandi and put better preventative measures in place; entities like Swift can serve as the information sharing channel, and we can develop indicators of compromise to help those banks improve their detective capabilities.

“We are doing so,” he added, “But information sharing needs to get better, much better.”

Read the full story here:
Swift network bank thefts ‘linked’ to Sony Pictures hack
The Guardian
2016-5-27

Share

DPRK blamed for cyber attack on South Korean nuclear power plant

Tuesday, March 17th, 2015

UPDATE 1 (2015-3-26): The DPRK has denied the hacking allegation. According to Yonhap:

North Korea again denied its involvement in a series of data leaks at South Korea’s nuclear power operator and rebutted Seoul’s interim probe results that accused the communist regime of conducting the hacking attacks.

The North’s Central Internet Research Institute said that the investigation that linked Internet protocol addresses used in the attack to North Korea is groundless and was fabricated by Seoul, according to Pyongyang’s state media Korean Central News Agency.

The denial follows a March 17 announcement by a special investigation team that found the data leaks at the Korea Hydro and Nuclear Power Co. “believed to have been caused by an (unidentified) group of North Koreans hackers.”

In December, an unidentified hacker, claiming to be an activist against nuclear power, had posted data about nuclear power plants, including their blueprints, five times and threatened to destroy the facilities while demanding they be shut down.

Earlier this month, the hacker renewed its threats by posting more files on Twitter that included documents concerning the country’s indigenous advanced power reactor 1400, while demanding money in exchange for not handing over sensitive information to third countries.

The state-run KHNP operates 23 nuclear reactors in South Korea that provide nearly one-third of the country’s energy demand.

ORIGINAL POST (2015-3-17): According to the Wall Street Journal:

South Korea on Tuesday blamed North Korea for a December cyberattack on nuclear power-plant operator Korea Hydro & Nuclear Power Co., marking the first online incursion publicly attributed to Pyongyang since the hacking of Sony Pictures Entertainment.

South Korean investigators said state-owned Korea Hydro, which operates the country’s 23 nuclear reactors, and its business partners were targeted in multiple cyberattacks aimed at stealing internal data that included plant blueprints and employees’ personal information.

South Korea’s nuclear-plant management wasn’t compromised in the attacks and no critical data was disclosed, the investigators said. A series of “spear-phishing” emails aimed at stealing passwords and obtaining remote control access of computers were largely unsuccessful, they added.

A Korea Hydro spokeswoman declined to comment, saying the firm wasn’t participating in the investigation.

A Twitter account holder in December posted Internet links to Korea Hydro’s internal-data archives and issued various demands to prevent further leaks, the investigators said.

Investigators said they traced the intrusions back to Internet addresses registered by North Korea. The spear-phishing virus that investigators said was used in the attack, named “kimsuky,” was previously identified by cybersecurity experts as created in North Korea. The related tweets were posted through servers in Shenyang, in China’s northeast, and Vladivostok, Russia, they said.

Pyongyang’s state newspaper in late December denied involvement in the cyberattacks, calling such accusations a ploy to escalate inter-Korean tension.

Tuesday’s statement was the first time South Korea had publicly attributed the cyberattacks to North Korea.

Here is coverage in Yonhap.

Read the full stories here:
North Korea Blamed for Nuclear-Power Plant Hack
Wall Street Journal
Jeyup S. Kwaak
2015-3-17

Share

Cyber attack capabilities and speculation

Tuesday, June 5th, 2012

According to the Joong Ang Ilbo:

North Korea was caught attempting cyberattacks on Incheon International Airport using viruses planted in game programs, according to the Seoul Metropolitan Police Agency.

A 39-year-old South Korean game distributor was arrested on Sunday for involvement and charged with violating the National Security Law. The National Intelligence Service helped arrest him, police said.

According to the police, the South Korean man, identified by the surname Jo, traveled to Shenyang, northeastern China, starting in September 2009 and met agents of an alleged North Korean trading company. He allegedly asked them to develop game software to be used in the South.

The North Koreans were actually agents from the North’s Reconnaissance General Bureau, and Jo was aware of that, police said.

Jo purchased dozens of computer game software for tens of millions of won, which was a third the cost of the same kind of software in the South. The games were infected with malignant viruses, of which Jo knew, an official at the police agency said.

Jo sold the games to South Korean operators of online games. When people played the games, the viruses used their computers as zombies, through which the cyberattack was launched.

So-called “a distributed denial-of-service attack,” this cyberattack against Incheon International Airport occurred two or three times in March 2011, police said. The attack was fended off by the intelligence authorities in the South.

The police and intelligence authorities also suspect that the North’s Reconnaissance General Bureau is behind a technical glitch in the flight data processor that paralyzed air traffic control at Incheon International Airport for nearly an hour last Sept. 15. It’s not clear if Jo’s viruses were linked. The glitch disrupted the departures of 18 airplanes from the airport. Initially, the Ministry of Land, Transport and Maritime Affairs said it wasn’t linked to North Korea.

AFP reports some slightly different details:

Cho, who was detained on May 23, sold the programmes to South Korean game operators, according to police.

They said the malicious software would paralyse users’ computers and steal personal information. It was not immediately clear how many computers may have been infected.

Cho is also accused of allowing North Korean agents to use his server for distributing denial-of-service (DDoS) attacks on the South’s online systems.

He is alleged to have kept personal information on hundreds of thousands of people from major portals at his home.

Read the full stories here:
Incheon Airport cyberattack traced to Pyongyang
Joongang Ilbo
2012-6-5

S. Korean held for selling N. Korean malware
AFP
2012-6-4

Share