Attributing attacks in cyberspace with any certainty to a specific source can be incredibly hard to do given the myriad opportunities that are available to attackers for hiding or disguising the true source of a malicious campaign. But often, there’s plenty of circumstantial evidence to at least point investigators one way or the other.
That appears to be the case with the recent theft of tens of millions of dollars from banks worldwide over the SWIFT financial services messaging network.
Security vendor Anomali Labs last Friday became the third vendor, after BAE Systems and Symantec, to identify a link between the malicious software used in the bank attacks and a North Korean hacking gang called the Lazarus group. The group is believed responsible for the November 2014 intrusion at Sony Pictures that resulted in the theft of a massive amount of highly sensitive documents.
In a blog post, Anomali principal threat researcher Aaron Shelmire said his company has discovered five unique new malware code samples used in the bank attacks, which were also used by the Lazarus group. “We see this as a possible attribution of the Lazarus group attacks to other attacks that involved these same five pieces of malware code,” Shelmire wrote.
Anomali decided to research the malicious code in the bank attacks after recent analysis by Symantec uncovered two subroutines that linked the malware to the Lazarus group. In its analysis, Symantec had described the two malware code fragments used in the bank attacks as unique and previously used only by the Lazarus group.
Security researchers at Anomali wanted to verify this claim themselves, and decided to compare the subroutines uncovered by Symantec against a very large repository of malware data. They fully expected to discover that the code was more commonly used than Symantec’s analysis had shown. Instead, the researchers ended up finding five more unique malware code fragments linking the bank attacks with code used previously by the Lazarus group.
“There is very strong evidence of shared code between the North Korean malware and the SWIFT malware,” Shelmire says. Anomali’s analysis initially took a contrarian view of Symantec’s work, but only ended up confirming Symantec’s discovery, he says.
“After seeing the Symantec blog post and details, the code segments Symantec referenced seemed too familiar,” Shelmire says. Also, the actions Symantec references in its report, such as randomly creating strings and securely deleting files, are common tasks in software.
“Often times, the flags and values used in overwriting items are copied and pasted from example or open source code. Or other times, they are artifacts left behind by a compiler,” Shelmire says. Therefore, discovering clear evidence of a link between code used by the Lazarus group and the malware used in the bank attacks “was surprising and not what we expected to find,” he says.
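The corpus comparison described above, reduced to its core step as an added illustration (this is not Anomali’s code or data): a subroutine shared by two samples counts as distinctive only if the wider corpus shows it in no family other than the two being compared, while fragments that also turn up in unrelated families, like the random-string and secure-delete routines Shelmire mentions, are set aside as common code with little attribution weight. All sample names, family labels and fingerprints below are constructed.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed corpus for illustration only: sample -> (family label, subroutine fingerprints).
# Fingerprints stand in for hashes of normalised subroutine code; every value here is made up.
CORPUS: Dict[str, Tuple[str, Set[str]]] = {
    "lazarus_sample_1": ("Lazarus", {"secure_wipe_v1", "rand_string_v1", "cfg_parser_v3", "crt_memset"}),
    "lazarus_sample_2": ("Lazarus", {"secure_wipe_v1", "rand_string_v1", "cfg_parser_v3", "crt_memset", "beacon_v2"}),
    "swift_sample_1":   ("SWIFT-heist", {"secure_wipe_v1", "rand_string_v1", "cfg_parser_v3", "crt_memset", "msg_patch_v1"}),
    "banker_sample_1":  ("OtherBanker", {"rand_string_v1", "crt_memset", "inject_v4"}),
    "commodity_sample": ("Commodity", {"rand_string_v1", "crt_memset", "secure_wipe_v1"}),
}


def fragment_families(corpus: Dict[str, Tuple[str, Set[str]]]) -> Dict[str, Set[str]]:
    """Map each fingerprint to the set of families it occurs in anywhere in the corpus."""
    families: Dict[str, Set[str]] = defaultdict(set)
    for family, fragments in corpus.values():
        for frag in fragments:
            families[frag].add(family)
    return families


def compare_samples(sample_a: str, sample_b: str, corpus=CORPUS) -> Dict[str, Set[str]]:
    """Split the fragments shared by two samples into 'distinctive' (seen in no family other
    than the two samples' own) and 'common' (also present in unrelated families, e.g. CRT
    code or copied open-source routines, which carry little attribution weight)."""
    fam_a, frags_a = corpus[sample_a]
    fam_b, frags_b = corpus[sample_b]
    seen_in = fragment_families(corpus)
    shared = frags_a & frags_b
    distinctive = {f for f in shared if seen_in[f] <= {fam_a, fam_b}}
    return {"distinctive": distinctive, "common": shared - distinctive}


if __name__ == "__main__":
    result = compare_samples("swift_sample_1", "lazarus_sample_1")
    print("distinctive shared fragments:", sorted(result["distinctive"]))
    print("common shared fragments (low weight):", sorted(result["common"]))
```

Even a distinctive match remains circumstantial in the sense the article describes: it narrows the likely origin of the code, not the identity of whoever ran the operation.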
But as is the case with most evidence related to cyberattacks, the data on hand is simply not sufficient to directly attribute the bank attacks to anyone yet. Instead, it is circumstantial at best. “For truly direct evidence, you would need a direct network connection from a known North Korean actors’ computer, forensic evidence gathered from a North Korean actors’ computer, or a direct money transfer to an account known to be used by North Korean actors,” Shelmire says.