Dark Reading is part of the Informa Tech Division of Informa PLC


More Evidence Of Link Between Bank Attacks And North Korean Group

Anomali says it has found five new pieces of malware tying the two attack groups together.

Attributing attacks in cyberspace with any certainty to a specific source can be incredibly hard to do given the myriad opportunities that are available to attackers for hiding or disguising the true source of a malicious campaign. But often, there’s plenty of circumstantial evidence to at least point investigators one way or the other.

That appears to be the case with the recent theft of tens of millions of dollars from banks worldwide over the SWIFT financial services messaging network.

Security vendor Anomali Labs last Friday became the third vendor -- after BAE Systems and Symantec -- to identify a link between the malicious software used in the bank attacks and a North Korean hacking gang called the Lazarus group. The group is believed responsible for the November 2014 intrusion at Sony Pictures that resulted in the theft of a massive amount of highly sensitive documents.

In a blog post, Anomali principal threat researcher Aaron Shelmire said his company has discovered five unique new malware code samples used in the bank attacks, which were also used by the Lazarus group. “We see this as a possible attribution of the Lazarus group attacks to other attacks that involved these same five pieces of malware code,” Shelmire wrote.

Anomali decided to research the malicious code in the bank attacks after recent analysis by Symantec uncovered two subroutines that linked the malware to the Lazarus group. In its analysis, Symantec had described the two malware code fragments used in the bank attacks as unique and previously used only by the Lazarus group.

Security researchers at Anomali wanted to verify this claim themselves, and decided to compare the subroutines uncovered by Symantec against a very large repository of malware data. They fully expected to discover that the code was more commonly used than Symantec’s analysis had shown. Instead, the researchers ended up finding five more unique malware code fragments linking the bank attacks with code used previously by the Lazarus group.

“There is very strong evidence of shared code between the North Korean malware and the SWIFT malware,” Shelmire says. Anomali’s analysis initially took a contrarian view of Symantec’s work, but only ended up confirming their discovery, he says.

“After seeing the Symantec blog post and details, the code segments Symantec referenced seemed too familiar,” Shelmire says. Also, actions Symantec references in its report such as randomly creating strings and securely deleting files are common tasks in software.

“Oftentimes, the flags and values used in overwriting items are copied and pasted from example or open source code. Or other times, they are artifacts left behind by a compiler,” Shelmire says. Therefore, discovering clear evidence of a link between code used by the Lazarus group and the malware used in the bank attacks “was surprising and not what we expected to find,” he says.
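The reasoning above, that a code fragment only counts as attribution evidence when it is rare across the wider malware corpus rather than a common routine copied from open source, can be shown with a small prevalence check. This is an added example, not Anomali's or Symantec's tooling; the corpus is constructed, and the mnemonic n-gram approach is an assumption chosen for illustration (the article does not describe how the comparison was done).

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed corpus: family -> list of disassembled functions (one instruction per string).
# The "call rand / cdq / idiv" run stands in for a random-string routine; the
# "xor / rep stosb / WriteFile" run stands in for a widely copied overwrite-and-write loop.
CORPUS: Dict[str, List[List[str]]] = {
    "lazarus_sample": [
        ["push ebp", "mov ebp, esp", "sub esp, 0x40",
         "call rand", "cdq", "idiv ecx", "add edx, 0x61", "mov [esi], dl",
         "inc esi", "dec edi", "jnz short loop",
         "mov ecx, 0x1000", "xor eax, eax", "rep stosb", "push ebx", "call WriteFile"],
    ],
    "swift_sample": [
        ["push ebp", "mov ebp, esp", "sub esp, 0x20",
         "call rand", "cdq", "idiv ecx", "add edx, 0x41", "mov [esi], dl",
         "inc esi", "dec edi", "jnz short loop"],
        ["mov ecx, 0x200", "xor eax, eax", "rep stosb", "push ebx", "call WriteFile", "ret"],
    ],
    "generic_wiper": [
        ["push ebp", "mov ebp, esp", "mov ecx, 0x1000", "xor eax, eax", "rep stosb",
         "push ebx", "call WriteFile", "leave", "ret"],
    ],
    "commodity_rat": [
        ["push ebp", "mov ebp, esp", "sub esp, 0x10", "call GetTickCount", "xor eax, edx", "ret"],
    ],
}

def mnemonics(listing: List[str]) -> List[str]:
    # Keep only the first token so register names and immediates do not break matches
    # (a "rep" prefix therefore stands for the whole string operation).
    return [ins.split()[0] for ins in listing]

def ngrams(seq: List[str], n: int) -> List[Tuple[str, ...]]:
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def fragment_index(corpus: Dict[str, List[List[str]]], n: int) -> Dict[Tuple[str, ...], Set[str]]:
    # Map each mnemonic n-gram to the set of families in which it occurs.
    index: Dict[Tuple[str, ...], Set[str]] = defaultdict(set)
    for family, functions in corpus.items():
        for listing in functions:
            for frag in ngrams(mnemonics(listing), n):
                index[frag].add(family)
    return index

def shared_fragments(corpus: Dict[str, List[List[str]]], fam_a: str, fam_b: str, n: int = 5) -> Dict[str, List[Tuple[str, ...]]]:
    # Fragments seen in exactly fam_a and fam_b are candidate links; fragments that
    # also occur elsewhere in the corpus are weak evidence and are bucketed separately.
    index = fragment_index(corpus, n)
    result: Dict[str, List[Tuple[str, ...]]] = {"exclusive": [], "shared_with_others": []}
    for frag, families in index.items():
        if fam_a in families and fam_b in families:
            bucket = "exclusive" if families == {fam_a, fam_b} else "shared_with_others"
            result[bucket].append(frag)
    return result
```

Running `shared_fragments(CORPUS, "lazarus_sample", "swift_sample")` reports seven fragments unique to the two families (the random-string routine) and one overwrite fragment that the generic wiper also carries, which is the kind of common task the article warns against over-weighting.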

But as is the case with most evidence related to cyberattacks, the data on hand is simply not sufficient to directly attribute the bank attacks to anyone yet. Instead, it is circumstantial at best. “For truly direct evidence, you would need a direct network connection from a known North Korean actors’ computer, forensic evidence gathered from a North Korean actors’ computer, or a direct money transfer to an account known to be used by North Korean actors,” Shelmire says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
