Taiwan Bank Heist Linked to North Korean Hackers
A recent cyber-heist that targeted a bank in Taiwan has been linked by security researchers to an infamous threat group believed to be operating out of North Korea.
Hackers exploited the SWIFT global financial network to steal roughly $60 million from Taiwan’s Far Eastern International Bank. The money was transferred to several countries, but bank officials claimed they had managed to recover most of it. Two individuals were arrested earlier this month in Sri Lanka for their role in the operation.
Researchers at BAE Systems have identified some of the tools used in the attack and found connections to the North Korean threat actor known as Lazarus. This group is also believed to be behind the 2014 attack on Sony Pictures and campaigns targeting several banks, including Bangladesh’s central bank.
The attack on the Bangladesh bank, which resulted in the theft of $81 million, also involved the SWIFT system. Similar methods were also used to target several other banks, but SWIFT said some of the operations failed due to the new security measures implemented by the company.
While it’s still unclear how attackers gained access to the systems of Far Eastern International Bank, an analysis of various malware samples apparently involved in the attack suggests that the hackers may have used a piece of ransomware as a distraction.
The ransomware involved in the attack is known as Hermes. According to Bleeping Computer, the threat surfaced in February and its latest version has an encryption mechanism that makes it impossible to recover files without paying the ransom.
However, researchers at McAfee discovered that the Hermes variant used in the attack on the Taiwanese bank did not display a ransom note, which led them to believe it may have been only a distraction.
“Was the ransomware used to distract the real purpose of this attack? We strongly believe so,” McAfee researchers said. “Based on our sources, the ransomware attack started in the network when the unauthorized payments were being sent.”
BAE Systems has seen samples that drop a ransom note in each encrypted folder, but even they believe Hermes may have been used to distract the bank’s security team.
Another malware sample linked by BAE Systems to this attack is a loader named Bitsran, which spreads a malicious payload on the targeted network. This threat contained what appeared to be hardcoded credentials for Far Eastern International’s network, which suggests the threat group may have conducted previous reconnaissance.
Some pieces of malware discovered by BAE Systems are known to have been used by the Lazarus group, including in attacks aimed at financial organizations in Poland and Mexico. The malware includes commands and other messages written in Russia, which experts believe is likely a false flag designed to throw off investigators.
It’s worth noting that the Hermes ransomware samples checked the infected machine’s language settings and stopped running if Russian, Ukrainian or Belarusian was detected. This is common for malware created by Russian and Ukrainian hackers who often avoid targeting their own country’s citizens. However, this could also be a false flag.
Another piece of evidence linking the Taiwan bank attacks to Lazarus is the fact that money was transferred to accounts in Sri Lanka and Cambodia, similar to other operations attributed to the group.
Some experts believe that these bank heists and the WannaCry attack, which has also been linked by some to Lazarus, are campaigns launched by North Korea for financial gain. However, many of these operations don’t appear to have been very successful on this front.
“Despite their continued success in getting onto payment systems in banks, the Lazarus group still struggle getting the cash in the end, with payments being reversed soon after the attacks are uncovered,” BAE Systems researchers explained.
“The group may be trying new tricks to disrupt victims and delay their ability to respond – such as different message formats, and the deployment of ransomware across the victim’s network as a smokescreen for their other activity. It’s likely they’ll continue their heist attempts against banks in the coming months and we expect they will evolve their modus operandi to incorporate new ways of disrupting victims (and possibly the wider community) from responding,” they added.
photo
*** Related reading: The Lazarus (aka DarkSeoul group) is allegedly controlled by Bureau 121, a division of the Reconnaissance General Bureau, a North Korean intelligence agency. Bureau 121 is responsible for conducting military cyber campaigns.
*** By the way, some of the North Korean hackers not only operate in China but many of those hackers are from India….
In the first week of October, India’s Ministry of External Affairs issued a strongly-worded statement condemning North Korea for conducting a powerful nuclear test. Few weeks down the line, a stunning report from the New York Times claims that India serves as a base for North Korea’s cyber warfare.
Citing a report by the Recorded Future, the American publication said nearly a fifth of the Pyongang’s attacks originate from India.
The report claims that most of North Korean cyber operations are carried out from foreign countries like India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. While in some cases, the North Korean hackers route their attacks through their computers from abroad, in cases like that in India, hackers are physically stationed to carry out attacks.
The cyber mission as envisaged by Kim Jong-il in the 1990s was expanded by his dictator son Kim Jong-Un after he took power in 2011.
On of the most successful cyber attacks carried out by North Korea dates back to 2014 on Sony pictures to prevent them from releasing a comedy film that was based on the assassination of Kim Jong Un.
Last May, a widespread global ransomware attack caused panic and briefly stalled the Britain’s National Health Services.
The digital bank heists in Philippines in 2015 and in Vietnam in the same year also earned them some hard cash from cyber attacks.
The report by Recorded Future also indicates that India, despite serving as a base for North Korea’s cyberwar, also remains at a potential threat from similar attacks. While the world lives under the fear of North Korea emerging as a nuclear superpower, the country is silently building a strong brigade of hackers.
