Dark Reading is part of the Informa Tech Division of Informa PLC
More Evidence Of Link Between Bank Attacks And North Korean Group

Anomali says it has found five new pieces of malware tying the two attack groups together.

Attributing attacks in cyberspace with any certainty to a specific source can be incredibly hard to do given the myriad opportunities that are available to attackers for hiding or disguising the true source of a malicious campaign. But often, there’s plenty of circumstantial evidence to at least point investigators one way or the other.

That appears to be the case with the recent theft of tens of millions of dollars from banks worldwide over the SWIFT financial services messaging network. 

Security vendor Anomali Labs last Friday became the third vendor -- after BAE Systems and Symantec -- to identify a link between the malicious software used in the bank attacks and a North Korean hacking gang called the Lazarus group. The group is believed responsible for the November 2014 intrusion at Sony Pictures that resulted in the theft of a massive amount of highly sensitive documents.

In a blog post, Anomali principal threat researcher Aaron Shelmire said his company has discovered five unique new malware code samples used in the bank attacks, which were also used by the Lazarus group. “We see this as a possible attribution of the Lazarus group attacks to other attacks that involved these same five pieces of malware code,” Shelmire wrote.

Anomali decided to research the malicious code in the bank attacks after recent analysis by Symantec uncovered two subroutines that linked the malware to the Lazarus group. In its analysis, Symantec had described the two malware code fragments used in the bank attacks as unique and previously used only by the Lazarus group.

Security researchers at Anomali wanted to verify this claim themselves, and decided to compare the subroutines uncovered by Symantec against a very large repository of malware data. They fully expected to discover that the code was more commonly used than Symantec’s analysis had shown. Instead, the researchers ended up finding five more unique malware code fragments linking the bank attacks with code used previously by the Lazarus group.

“There is very strong evidence of shared code between the North Korean malware and the SWIFT malware,” Shelmire says. Anomali’s analysis initially took a contrarian view of Symantec’s work, but ended up only confirming its discovery, he says.

“After seeing the Symantec blog post and details, the code segments Symantec referenced seemed too familiar,” Shelmire says. Also, actions Symantec references in its report, such as randomly creating strings and securely deleting files, are common tasks in software.

“Oftentimes, the flags and values used in overwriting items are copied and pasted from example or open source code. Or other times, they are artifacts left behind by a compiler,” Shelmire says. Therefore, discovering clear evidence of a link between code used by the Lazarus group and the malware used in the bank attacks “was surprising and not what we expected to find,” he says.
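The repository comparison Anomali describes, together with the caveat about generic routines, can be sketched as a function-level code-reuse check. The following is an added illustration, not Anomali's or Symantec's tooling and not code from the article; every routine, sample and family in it is constructed, the "disassembly" is hand-written, and the names (normalize, fingerprint, build_index, shared_code, relocate, unique, triage) are the example's own. Immediates and addresses are masked before hashing so a relocated copy of a routine still matches, and a routine shared by two samples is only reported as a link if few families in the corpus contain it; routines such as the secure-delete loop and random-string helper, which many unrelated families carry, are reported as generic.

```python
import hashlib
import re
from collections import defaultdict

# Constructed, hand-written pseudo-disassembly; none of this is real malware.
# Masking immediates/addresses (0x... and bare numbers) lets a routine compiled
# at a different base address or with different constants still collide.
_NUM = re.compile(r"0x[0-9a-fA-F]+|\b\d+\b")

def normalize(insn: str) -> str:
    return " ".join(_NUM.sub("IMM", insn).lower().split())

def fingerprint(function) -> str:
    """Hash of the normalized instruction sequence (truncated for readability)."""
    body = "\n".join(normalize(i) for i in function)
    return hashlib.sha256(body.encode()).hexdigest()[:16]

def build_index(corpus):
    """corpus: {family: {sample: [function, ...]}} -> {fingerprint: set(families)}"""
    index = defaultdict(set)
    for family, samples in corpus.items():
        for functions in samples.values():
            for fn in functions:
                index[fingerprint(fn)].add(family)
    return index

def shared_code(sample_a, sample_b, index, generic_threshold=3):
    """Split routines common to both samples into rare ('linking') and
    widespread ('generic': present in >= generic_threshold families)."""
    shared = {fingerprint(f) for f in sample_a} & {fingerprint(f) for f in sample_b}
    linking = sorted(fp for fp in shared if len(index[fp]) < generic_threshold)
    generic = sorted(fp for fp in shared if len(index[fp]) >= generic_threshold)
    return linking, generic

# Routines many families carry (copy-pasted helpers, compiler artifacts).
SECURE_DELETE = [
    "push ebp", "mov ebp, esp", "push 0x40000000", "call CreateFileA",
    "mov esi, eax", "mov ecx, 0x3", "mov byte ptr [edi], 0xff",
    "push esi", "call WriteFile", "dec ecx", "jnz 0x401020",
    "push esi", "call CloseHandle", "pop ebp", "ret",
]
RAND_STRING = [
    "push ebp", "mov ebp, esp", "call rand", "xor edx, edx", "mov ecx, 0x3e",
    "div ecx", "mov al, [0x402000 + edx]", "stosb", "loop 0x401040", "pop ebp", "ret",
]
# A distinctive decoder that only two families share.
CUSTOM_XOR = [
    "mov esi, [ebp+0x8]", "mov ecx, [ebp+0xc]", "lodsb", "rol al, 0x3",
    "xor al, 0x5a", "not al", "stosb", "loop 0x401060", "ret",
]

def relocate(fn, old="0x401", new="0x40b"):
    """Same routine linked at another address (constructed variant)."""
    return [i.replace(old, new) for i in fn]

def unique(tag):
    """Filler routine that no other family has."""
    return [f"mov eax, {tag}", "call ExitProcess"]

# Constructed corpus: four families, one sample each.
CORPUS = {
    "familyA": {"a1": [SECURE_DELETE, RAND_STRING, CUSTOM_XOR, unique("familyA")]},
    "familyB": {"b1": [relocate(SECURE_DELETE), RAND_STRING, relocate(CUSTOM_XOR), unique("familyB")]},
    "familyC": {"c1": [SECURE_DELETE, RAND_STRING, unique("familyC")]},
    "familyD": {"d1": [relocate(SECURE_DELETE), unique("familyD")]},
}

def triage(family_a="familyA", sample_a="a1", family_b="familyB", sample_b="b1"):
    """Compare two samples against the whole corpus and report what they share."""
    index = build_index(CORPUS)
    linking, generic = shared_code(CORPUS[family_a][sample_a], CORPUS[family_b][sample_b], index)
    return {"linking": linking, "generic": generic,
            "prevalence": {fp: sorted(index[fp]) for fp in linking + generic}}

if __name__ == "__main__":
    r = triage()
    print("linking routines :", r["linking"])   # the custom decoder only
    print("generic routines :", r["generic"])   # secure-delete and random-string
    for fp, fams in r["prevalence"].items():
        print(f"  {fp} seen in {fams}")
```

Run stand-alone, the custom decoder is the only routine reported as a link between familyA and familyB, because the corpus shows it in no other family; the secure-delete loop (four families) and the random-string helper (three families) fall on the generic side, which is the outcome Anomali initially expected for Symantec's two subroutines. The threshold is a knob: a real corpus would hold thousands of families, and what counts as "rare" has to be calibrated against it.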

But as is the case with most evidence related to cyberattacks, the data on hand is simply not sufficient to directly attribute the bank attacks to anyone yet. Instead, it is circumstantial at best. “For truly direct evidence, you would need a direct network connection from a known North Korean actor’s computer, forensic evidence gathered from a North Korean actor’s computer, or a direct money transfer to an account known to be used by North Korean actors,” Shelmire says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...