Symantec Security Response has learned of another Lazarus SWIFT bank hacking attack. This time the victim is a bank in the Philippines. Previous banks attacked include Banco del Austro in Ecuador, the Bangladeshi Central Bank, and Tien Phong Bank in Vietnam. The first discovery of the Lazarus group attacks occurred in December 2015.
Analysis of the code used in the attack on the Filipino bank reveals similarities to code found in the three previously known attacks. Evidence shows that this attack began around October 2015. The Bangladeshi attack led to the withdrawal of over $100 million.
Trojan.Banswift, discovered on April 25, 2016, shows similarities to previously known Lazarus code, including Backdoor.Contopee, which was used in the attack in Bangladesh. The code exhibits a distinctive file-deletion routine that securely wipes files from the attacked system. This code is linked to the previous attacks on SWIFT banks as well as to earlier attacks on entertainment companies, including the well-known Sony hack.
It is unknown how the malware infected the computers of the Filipino bank. However, once the bank's systems were infected, the attackers used the SWIFT messaging system to send fraudulent money transfer requests, which were fulfilled without question. In most of the bank attacks, relatively small amounts were transferred: $12 million was stolen in the Ecuador attack and held in accounts with Wells Fargo, and an unsuccessful attempt was made to steal just $1 million from the Vietnamese Tien Phong Bank. The Bangladeshi bank attack remains the largest, with the funds stolen from accounts at the New York Federal Reserve Bank.
These connections have led to claims by Operation Blockbuster, a security-company-funded investigation, that the Lazarus group is backed by the North Korean government. The group's failure to vary its attack methods has allowed security firms to pinpoint the source of the attacks, creating opportunities to implement heightened security measures at other banks. However, the anonymity of the group leaves open the possibility of future bank attacks, with smaller banks particularly vulnerable. In addition, copy-cat attackers could use these methods against lower-value targets, in attacks that may go unnoticed in the short term.