More Evidence Of Link Between Bank Attacks And North Korean Group

Anomali says it has found five new pieces of malware tying the two attack groups together.

Attributing attacks in cyberspace with any certainty to a specific source can be incredibly hard to do given the myriad opportunities that are available to attackers for hiding or disguising the true source of a malicious campaign. But often, there’s plenty of circumstantial evidence to at least point investigators one way or the other.

That appears to be the case with the recent theft of tens of millions of dollars from banks worldwide over the SWIFT financial services messaging network. 

Security vendor Anomali Labs last Friday became the third vendor -- after BAE Systems and Symantec -- to identify a link between the malicious software used in the bank attacks and a North Korean hacking gang called the Lazarus group. The group is believed to be responsible for the November 2014 intrusion at Sony Pictures that resulted in the theft of a massive amount of highly sensitive documents.

In a blog post, Anomali principal threat researcher Aaron Shelmire said his company has discovered five unique new malware code samples used in the bank attacks, which were also used by the Lazarus group. “We see this as a possible attribution of the Lazarus group attacks to other attacks that involved these same five pieces of malware code,” Shelmire wrote.

Anomali decided to research the malicious code in the bank attacks after recent analysis by Symantec uncovered two subroutines that linked the malware to the Lazarus group. In its analysis, Symantec had described the two malware code fragments used in the bank attacks as unique and previously used only by the Lazarus group.

Security researchers at Anomali wanted to verify this claim themselves, and decided to compare the subroutines uncovered by Symantec against a very large repository of malware data. They fully expected to discover that the code was more commonly used than Symantec’s analysis had shown. Instead, the researchers ended up finding five more unique malware code fragments linking the bank attacks with code used previously by the Lazarus group.
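The check described above, verifying a "unique to these two families" claim by measuring how widely a code fragment occurs across a larger corpus, can be illustrated with a small prevalence index. The example below is added here and is not Anomali's, Symantec's or any vendor's tooling; the corpus, family names and instruction sequences are all constructed for illustration and are not disassembly of any real sample. Immediates are masked so that copy-pasted routines differing only in a constant (the "flags and values" and compiler artifacts discussed below) still collapse to one fragment, and a fragment shared by two families but absent everywhere else is rated a stronger link than one found corpus-wide.

```python
import hashlib
import re
from collections import defaultdict

# Constructed corpus (not real malware): family -> sample -> {routine label: instructions}.
# The instruction strings are illustrative mnemonics only.
_SECURE_DELETE = ["push ebp", "mov ebp, esp", "mov ecx, 0x3", "wipe:", "push 0x0",
                  "call WriteFile", "dec ecx", "jnz wipe", "pop ebp", "ret"]
_RAND_STRING = ["push ebp", "mov ebp, esp", "call GetTickCount", "imul eax, 0x343fd",
                "add eax, 0x269ec3", "pop ebp", "ret"]
_XOR_CHANNEL = ["push ebp", "mov ebp, esp", "mov eax, [ebp+0x8]", "xor eax, 0x5a",
                "rol eax, 0x3", "pop ebp", "ret"]

CORPUS = {
    "family_a": {"a_sample1": {
        "secure_delete": _SECURE_DELETE,
        "rand_string": _RAND_STRING,
        "xor_channel": _XOR_CHANNEL,
        "a_private": ["push ebp", "mov ebp, esp", "mov eax, 0x1", "pop ebp", "ret"],
    }},
    "family_b": {"b_sample1": {
        # Same routines, but with different constants: a wipe count of 7 and another XOR key.
        "secure_delete": [i.replace("0x3", "0x7") for i in _SECURE_DELETE],
        "rand_string": _RAND_STRING,
        "xor_channel": [i.replace("0x5a", "0x77") for i in _XOR_CHANNEL],
    }},
    "commodity_1": {"c1_sample": {"secure_delete": _SECURE_DELETE, "rand_string": _RAND_STRING}},
    "commodity_2": {"c2_sample": {"secure_delete": _SECURE_DELETE}},
}

_IMMEDIATE = re.compile(r"0x[0-9a-fA-F]+")
_LOCAL_LABEL = re.compile(r"^\w+:$")


def normalize(instructions):
    """Mask immediates and drop local labels so layout and constant changes don't alter the hash."""
    out = []
    for ins in instructions:
        ins = ins.strip()
        if _LOCAL_LABEL.match(ins):
            continue
        out.append(_IMMEDIATE.sub("IMM", ins))
    return out


def fragment_hash(instructions):
    """Stable identifier for a normalized subroutine."""
    return hashlib.sha256("\n".join(normalize(instructions)).encode()).hexdigest()[:16]


def index_corpus(corpus):
    """Map each fragment hash to the families it occurs in and the labels analysts gave it."""
    families = defaultdict(set)
    labels = defaultdict(set)
    for family, samples in corpus.items():
        for routines in samples.values():
            for label, instructions in routines.items():
                h = fragment_hash(instructions)
                families[h].add(family)
                labels[h].add(label)
    return families, labels


def prevalence(corpus, candidate):
    """Families containing a candidate fragment: the 'is it really unique?' check."""
    families, _ = index_corpus(corpus)
    return sorted(families.get(fragment_hash(candidate), set()))


def assess_link(corpus, fam_a, fam_b):
    """Rate every fragment shared by fam_a and fam_b by how many families in the corpus carry it."""
    families, labels = index_corpus(corpus)
    total = len(corpus)
    report = {}
    for h, fams in families.items():
        if fam_a in fams and fam_b in fams:
            n = len(fams)
            if n == 2:
                verdict = "unique_link"        # only these two families: strongest circumstantial tie
            elif n < total:
                verdict = "shared_with_others"  # weaker: also seen in some unrelated families
            else:
                verdict = "ubiquitous"          # common code (e.g. a copy-pasted wipe routine)
            report["/".join(sorted(labels[h]))] = (n, verdict)
    return report


if __name__ == "__main__":
    for label, (n, verdict) in sorted(assess_link(CORPUS, "family_a", "family_b").items()):
        print(f"{label:15s} families={n} verdict={verdict}")
```

Running it reports the wipe routine as ubiquitous, the string generator as shared with one commodity family, and only the XOR routine as a unique link; the private routine of family_a is not a link at all. On a real corpus the normalization would be done on disassembly rather than mnemonic strings, but the prevalence logic is the same.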

“There is very strong evidence of shared code between the North Korean malware and the SWIFT malware,” Shelmire says. Anomali’s analysis initially took a contrarian view of Symantec’s work, but only ended up confirming their discovery, he says.

“After seeing the Symantec blog post and details, the code segments Symantec referenced seemed too familiar,” Shelmire says. Also, actions Symantec references in its report, such as randomly creating strings and securely deleting files, are common tasks in software.

“Often times, the flags and values used in overwriting items are copied and pasted from example or open source code. Or other times, they are artifacts left behind by a compiler,” Shelmire says. Therefore, discovering clear evidence of a link between code used by the Lazarus group and the malware used in the bank attacks “was surprising and not what we expected to find,” he says.

But as is the case with most evidence related to cyberattacks, the data on hand is simply not sufficient to directly attribute the bank attacks to anyone yet. Instead, it is circumstantial at best. “For truly direct evidence, you would need a direct network connection from a known North Korean actors’ computer, forensic evidence gathered from a North Korean actors’ computer, or a direct money transfer to an account known to be used by North Korean actors,” Shelmire says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
