Security researchers believe that recent cyberattacks against global banks and financial institutions could be the work of the Lazarus group, the North Korea-linked hacker group, widely considered to be behind the Sony hack and other more recent attacks against financial institutions. Financial institutions across 31 countries are believed to have been targeted by the cybercriminals.
The hackers are believed to have employed "watering hole" techniques to infect predetermined targets with previously unknown strains of malware. However, security researchers and investigators are yet to find any evidence of the attacks having actually led to thefts from banks. Researchers claim that the cyberattack originated from the compromised website of the Polish financial regulator, which saw hackers redirect visitors of the site to an exploit kit, in an attempt to infect select targets with malware.
According to security researchers at Symantec and BAE Systems, the malware used in the attacks, dubbed Ratankba, shares several coding similarities with malware previously used by the Lazarus group. Eric Chien, technical director of Symantec's Security Technology and Response division, said the Lazarus group's previous campaigns focused on targeting Asian organisations. "We never saw them do anything, for example, to the US, let alone Europe," he said, the Wall Street Journal reported. "Now we see them targeting the US and Europe."
The watering hole technique involves hackers leveraging one common access point to infiltrate multiple organisations. In this case, the hacked site of the Polish Financial Supervision Authority, which is commonly visited by banking employees, was likely used as the primary point of infection by the hackers hoping to spread the malware onto other systems, according to Adrian Nish, head of BAE Systems' Threat Intelligence team.
A Polish Financial Supervision Authority spokesman confirmed that the regulator had "identified an external attempt to interfere in the operating IT system", and had handed over evidence of the incident to law enforcement after restoring the website.
According to BAE Systems, the cyberattacks targeted 19 financial institutions in Poland, 15 in the US, nine in Mexico and seven in the UK. Researchers believe that the hackers compromised the websites of Mexico's financial regulator, the National Banking and Securities Commission, and a state-run bank in Uruguay.
However, a spokeswoman for the National Banking and Securities Commission said it has seen no evidence that its computers were compromised. "During the past weekend, we received notice of a coordinated attack addressed to banking institutions world-wide," she said. "Our Security Operations Centre performed a thorough inspection, from which no abnormal behaviour was detected." The Commission's investigation is continuing, she said.
Researchers noted that the attackers leveraged Silverlight and Flash exploits to infect targets' systems with malware.
Nish and Chien believe that the recent attacks appear to be more sophisticated than previous cyberattacks launched by the Lazarus group. Although conclusive attribution in such cases is difficult, Nish has "high confidence" that the Lazarus group is involved in the attacks. "We know the tools that they're using very well and we know the infrastructure they're using and their tactics," he said. "And we can strongly confirm that the tools that have been found on the bank networks and in these [website] attacks are part of the group's tool kit."