lolloj - Fotolia

Cyber attacks on at least three Asian banks share malware links

Cyber attacks on banks in Bangladesh, Vietnam and the Philippines used the same malware, which has links to other attacks on banks in the region, reports Symantec

Another bank has been targeted by cyber criminals in a similar way to the Bangladesh central bank and the Tien Phong Bank in Vietnam, reports Symantec.

Symantec found evidence that a bank in the Philippines was targeted by the same malware used in the theft of $81m from an account at the New York Federal Reserve belonging to the Bangladesh central bank, as well as in the attempted theft of $1m from the Tien Phong Bank.

The news comes just two weeks after the Society for Worldwide Interbank Financial Telecommunication (Swift) warned of a highly adaptive campaign targeting banks.

Swift has since acknowledged that the heist involved altering Swift software to hide evidence of fraudulent transfers, but it said its core messaging system was not harmed.

Swift is a global member-owned co-operative that provides secure financial messaging services that connect more than 11,000 financial services organisations in more than 200 countries and territories.

Commenting on the incident at the Tien Phong Bank, Swift said he attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at the bank and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.

Swift said the cyber criminals had used malware to manipulate PDF document reports confirming the messages to hide their tracks.

In both the earlier cases, Swift said it appeared that insiders or cyber attackers had obtained user credentials and submitted fraudulent money transfer requests.

Banks targeted by malware worldwide

According to Symantec, the same malware was used against the bank in the Philippines.

In addition to this, Symantec said some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus.

A third bank, Banco del Austro in Ecuador, was also reported to have lost $12m to attackers using fraudulent Swift transactions. However, no details are currently known about the tools used in this incident or if there are any links to the attacks in Asia.

But Symantec believes the attacks on the other banks are linked and were possibly carried out by the same group.

They believe this because of similarities in distinctive wiping code between Trojan.Banswift used in the Bangladesh attack and early variants of Backdoor.Contopee, which has been used in limited targeted attacks against the financial industry in south-east Asia.

Symantec believes distinctive code shared between families – and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region – means these tools can be attributed to the same group.

Threat group Lazarus linked with attacks

Backdoor.Contopee has been previously used by attackers associated with a broad threat group known as Lazarus. Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea.

The group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment.

The group was the target of a cross-industry initiative known as Operation Blockbuster earlier in 2016, which involved major security suppliers sharing intelligence and resources to assist commercial and government organisations in protecting themselves against Lazarus.

As part of the initiative, security firms are circulating malware signatures and other useful intelligence related to these attackers, but Symantec said the discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region.

While awareness of the threat posed by the group has now been raised, its initial success may prompt other attack groups to launch similar attacks. Banks and other financial institutions should remain vigilant, Symantec said.

The Symantec report comes just days after a report from FireEye that banks in the Middle East are being targeted by a “wave” of cyber attacks using advanced social engineering tactics to entice users to open malicious macro-enabled Microsoft Office documents.

Without divulging the banks involved, FireEye’s Dynamic Threat Intelligence (DTI) team said it had identified emails containing malicious attachments being sent to multiple banks in the region.

The researchers said the attacks appeared to be part of an initial reconnaissance campaign to determine would-be targets.

Read more about cyber crime

Read more on Hackers and cybercrime prevention