African bank foils suspected North Korean cyber attack

An African bank is among the financial institutions to be targeted by North Korea’s multi-billion dollar cyber theft campaign to support its weapons programmes

An unnamed African financial institution is believed to have been on North Korea’s hit list after Barac, a London-based cyber security startup, identified and foiled an attempted cyber heist.

North Korea is reported to have stolen an estimated $2bn for its weapons programmes through cyber attacks targeting banks and cryptocurrency exchanges.

According to a recent report by Finnish security firm F-Secure, North Korea is having a global influence as the only nation state believed to be responsible for acts of direct financial theft because their tactics, techniques and procedures (TTPs) have spread to other threat actors.

The allegation that North Korea is using “widespread and increasingly sophisticated” cyber attacks to raise funds for “weapons of mass destruction” and enhance its nuclear and missile programmes was made in a confidential UN report by a team of independent experts seen by Reuters.

According to the UN report, North Korea is under investigation for “at least 35 reported instances” of attacking financial institutions in 17 countries.

The attack on the unnamed African financial institution in May 2019 was thwarted when Barac identified suspicious, recurring patterns in the metadata of a small proportion of the encrypted traffic leaving the bank’s network, the security firm said.

The attackers had infiltrated the bank’s infrastructure and begun to make a small number of low-value transactions to other banks located in Bulgaria.

Read more about behaviour analytics

Elements of the attack were encrypted in an attempt to evade detection, and the encrypted certificates used were signed in North Korea, the security firm said.

On inspection, the suspicious traffic was found to be destined for the same domain name system (DNS) in Bulgaria, and using the same encryption algorithm. Each session was also open for exactly the same duration and contained unusually high volumes of data.

The suspicious traffic was isolated in a sandbox and decrypted to be identified as command and control (C&C) traffic between malware, which had already compromised the bank’s network, and a Bulgarian-based server.

The bank then undertook a full security audit of its infrastructure to discover that malware had infected a number of endpoints at its headquarters, and that a small number of identical, low-value transactions had been made to other banks – again, located in Bulgaria – via the Swift Payments infrastructure.

These small transactions are believed to have been made to test the exfiltration mechanism of the attack ahead of an attempt to extract larger amounts at some future date, the security firm said.

Encrypted traffic flows

Further investigations uncovered similar encrypted C&C traffic hidden inside encrypted traffic flows leaving the bank’s operations in one of its Southern African subsidiaries.

“This was an extremely sophisticated, multi-faceted, and diligently-planned attack on a high-value target, which contained some very clear indications of North Korean involvement,” said Omar Yaacoubi, founder and CEO of Barac.

“The hackers were using encryption is a particularly clever way. Knowing the bank would, quite rightly, decrypt all of the data leaving its organisation, they buried their ‘command and control’ calls home in these traffic flows, in the hope that they would evade detection,” he said.

Organisations are increasingly turning to encryption to improve their security posture and to comply with industry regulations. However, Yaacoubi said this presents the challenge of scanning this traffic to identify and block threats.

The most commonly used method requires organisations to decrypt all the traffic entering and leaving their networks, before scanning and re-encrypting it. However, he said this approach raises concerns around compliance, scalability, certificate management and latency.

“Hackers understand the challenges organisations face with this approach, so are increasingly turning to encrypted traffic flows as a vector of attack.”

Behavioural analytics

An alternative method – as adopted by the bank in this instance – is to scan the metadata of the encrypted traffic, using behavioural analytics and artificial intelligence to understand normal traffic patterns, and to alert on any anomalies.

By looking at hundreds of different metrics in combination, the security firm said it is able to risk score each encrypted traffic session in real-time without the need for decryption.

“For many organisations, it simply isn’t feasible to decrypt all of the encrypted traffic traversing their networks in order to check for threats because it has too big a hit on network performance and could put them in breach of compliance regulations,” said Yaacoubi.

“However, by using behavioural analytics to assess traffic metadata, it’s possible to scan all encrypted traffic for malware without embarking on the cumbersome process of decryption. This means every data packet can be scrutinised for malware before it enters or leaves the network. It was this very granular approach that caught out the hackers on this occasion.

Read more about AI-based security

Indications are that North Korea’s cyber heist campaign has been active for at least three years, with malware links found to the attempted $1bn heist from the Bangladesh central bank in February 2016. Fortunately, a spelling error alerted banking officials, which meant the attackers netted a mere $81m.

Since then, several other money-stealing cyber attacks against financial institutions and cryptocurrency exchanges have been linked to North Korea.

In January 2018, security researchers said the Lazarus Group, believed to be linked to the North Korean government, was behind attacks on cryptocurrency exchanges in South Korea.

The hacking group had previously been linked to several other campaigns, including the devastating 2014 cyber attack on Sony Pictures Entertainment and the global WannaCry attacks in 2017.

In August 2018, Kaspersky security researchers identified the same group as being behind attacks targeting cryptocurrency exchanges using Trojanised cryptocurrency trading software designed for both Microsoft’s Windows and Apple’s Mac OS.

Most recently, North Korean cyber attack groups were identified by a CrowdStrike report as being among those increasingly targeting mobile devices.

Mobile malware running on the Android operating system is most prevalent, the report said, driven by the ease of installing new applications from third-party sources.

Read more on Hackers and cybercrime prevention

Data Center
Data Management