Dark Reading is part of the Informa Tech Division of Informa PLC


More Evidence Of Link Between Bank Attacks And North Korean Group

Anomali says it has found five new pieces of malware tying the two attack groups together.

Attributing a cyberattack to a specific source with any certainty is extremely hard, given the many ways attackers can hide or disguise the true origin of a malicious campaign. But often there is enough circumstantial evidence to at least point investigators one way or the other.

That appears to be the case with the recent theft of tens of millions of dollars from banks worldwide over the SWIFT financial services messaging network. 

Security vendor Anomali Labs last Friday became the third vendor -- after BAE Systems and Symantec -- to identify a link between the malicious software used in the bank attacks and a North Korean hacking gang called the Lazarus group. The group is believed to be responsible for the November 2014 intrusion at Sony Pictures that resulted in the theft of a massive amount of highly sensitive documents.

In a blog post, Anomali principal threat researcher Aaron Shelmire said his company has discovered five unique new malware code samples used in the bank attacks, which were also used by the Lazarus group. “We see this as a possible attribution of the Lazarus group attacks to other attacks that involved these same five pieces of malware code,” Shelmire wrote.

Anomali decided to research the malicious code in the bank attacks after recent analysis by Symantec uncovered two subroutines that linked the malware to the Lazarus group. In its analysis, Symantec had described the two code fragments used in the bank attacks as unique and previously used only by the Lazarus group.

Security researchers at Anomali wanted to verify this claim themselves, and decided to compare the subroutines uncovered by Symantec against a very large repository of malware data. They fully expected to discover that the code was more commonly used than Symantec’s analysis had shown. Instead, the researchers ended up finding five more unique malware code fragments linking the bank attacks with code used previously by the Lazarus group.

“There is very strong evidence of shared code between the North Korean malware and the SWIFT malware,” Shelmire says. Anomali’s analysis initially took a contrarian view of Symantec’s work, but only ended up confirming their discovery, he says.

“After seeing the Symantec blog post and details, the code segments Symantec referenced seemed too familiar,” Shelmire says. Also, actions Symantec references in its report such as randomly creating strings and securely deleting files are common tasks in software.

“Oftentimes, the flags and values used in overwriting items are copied and pasted from example or open source code. Or other times, they are artifacts left behind by a compiler,” Shelmire says. Therefore, discovering clear evidence of a link between code used by the Lazarus group and the malware used in the bank attacks “was surprising and not what we expected to find,” he says.
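To make the reasoning of the last few paragraphs concrete, here is an added example (my own illustration, not Anomali's or Symantec's tooling) of how code shared between a candidate sample and a known family can be weighed against a larger corpus: fragments found only in the family and the candidate carry attribution weight, while fragments that also show up in unrelated samples are the kind of copy-pasted or compiler-generated boilerplate Shelmire describes. The corpus, sample names and function fingerprints are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed corpus: each sample maps to the set of function-level
# fingerprints (think: hashes of normalised function bodies) found in it.
# Names and memberships are invented for illustration, not real malware data.
CORPUS: Dict[str, Set[str]] = {
    "lazarus_sample_1": {"fn_random_string", "fn_secure_delete", "fn_rare_1",
                         "fn_rare_2", "fn_crt_memcpy"},
    "lazarus_sample_2": {"fn_rare_1", "fn_rare_3", "fn_crt_memcpy",
                         "fn_secure_delete"},
    "swift_sample":     {"fn_random_string", "fn_secure_delete", "fn_rare_1",
                         "fn_rare_2", "fn_rare_3", "fn_crt_memcpy"},
    "unrelated_1":      {"fn_random_string", "fn_crt_memcpy", "fn_other_1"},
    "unrelated_2":      {"fn_secure_delete", "fn_crt_memcpy", "fn_other_2"},
    "unrelated_3":      {"fn_crt_memcpy", "fn_other_3"},
}


def index_by_fingerprint(corpus: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the corpus: fingerprint -> set of samples that contain it."""
    idx: Dict[str, Set[str]] = defaultdict(set)
    for sample, fps in corpus.items():
        for fp in fps:
            idx[fp].add(sample)
    return idx


def code_overlap_evidence(corpus: Dict[str, Set[str]], candidate: str,
                          family: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Split fingerprints shared by `candidate` and the `family` samples into
    those seen nowhere else in the corpus (attribution-relevant) and those
    that also occur in unrelated samples (library, compiler or copy-pasted
    boilerplate that proves nothing on its own)."""
    idx = index_by_fingerprint(corpus)
    family_fps = set().union(*(corpus[s] for s in family))
    shared = corpus[candidate] & family_fps
    allowed = family | {candidate}
    unique = {fp for fp in shared if idx[fp] <= allowed}
    return unique, shared - unique


if __name__ == "__main__":
    strong, weak = code_overlap_evidence(
        CORPUS, "swift_sample", {"lazarus_sample_1", "lazarus_sample_2"})
    print("unique to candidate + family:", sorted(strong))
    print("also present elsewhere (discount):", sorted(weak))
```

In this constructed data the random-string and secure-delete routines are discounted because unrelated samples contain them too, while the three rare fragments are the ones worth reporting; that remains circumstantial evidence, not proof of who ran the attack.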

But as is the case with most evidence related to cyberattacks, the data on hand is simply not sufficient to directly attribute the bank attacks to anyone yet. Instead, it is circumstantial at best. “For truly direct evidence, you would need a direct network connection from a known North Korean actors’ computer, forensic evidence gathered from a North Korean actors’ computer, or a direct money transfer to an account known to be used by North Korean actors,” Shelmire says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
