Cyberattacks on International Banks Show Links to Hackers Who Hit Sony

Hacks began late last year, installing unauthorized code on websites belonging to financial regulators

Researchers at Symantec and BAE Systems say that some of the software and internet infrastructure in the global hacking effort was also used in the Sony attack and—more recently—other attacks on banks in Asia. PHOTO: DAVID BECKER/REUTERS

Updated Feb. 12, 2017 12:01 p.m. ET

Cybersecurity specialists have found evidence suggesting that recent attacks on institutions in Poland are part of an international hacking effort targeting financial institutions in the U.S., Mexico and the United Kingdom—an attack that shares traits with the 2014 attack on Sony Corp.

The hacks began late last year, installing unauthorized code on websites belonging to financial regulators, then using those to attack computers belonging to a select list of global financial institutions, according to researchers who have examined the attacks at security vendors Symantec Corp. and BAE Systems PLC.

It is unclear to the researchers exactly how many banks were compromised or whether any suffered financial losses. But the researchers say it appears to be part of a well-organized and broad hacking effort that shares links to other attacks, including the devastating 2014 hack that destroyed systems and exposed email messages at Sony Pictures Entertainment. U.S. officials have said North Korea was responsible for that attack. North Korea has denied that, though it said its supporters might have done it.

Researchers at BAE Systems and Symantec say that some of the software and internet infrastructure in the global effort was also used in the Sony attack and—more recently—other attacks on banks in Asia. Security researchers call the North Korea-linked group they believe is behind these attacks “Lazarus.” It has been active since 2009, according to Kaspersky Lab ZAO, a Russian cybersecurity company.

If the recent attacks are indeed by Lazarus, it suggests the group is broadening its banking attacks. The group’s bank hacking previously had focused on Asia, said Eric Chien, technical director of Symantec’s Security Technology and Response division. “We never saw them do anything, for example, to the U.S., let alone Europe,” he said. “Now we see them targeting the U.S. and Europe.”

In November the Federal Bureau of Investigation warned U.S. financial institutions that it was “monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector.”

The FBI didn’t respond to requests for comment about the latest attacks.

The attacks started in October by compromising the website of the Polish Financial Supervision Authority, an incident that was reported last week by the Badcyber.com blog. The hackers programmed that website to attack banking computers that visited the site, the researchers say.

Security investigators call this technique a “watering hole.” It lets criminals use one common access point to break into a range of other organizations. In this case, by infecting a website commonly visited by banking employees, the hackers could hope to spread malicious software onto computers within the financial institutions on their list, said Adrian Nish, head of BAE Systems’ Threat Intelligence team.

A Polish Financial Supervision Authority spokesman confirmed that the regulator had “identified an external attempt to interfere in the operating IT system,” and had turned over evidence of the incident to law enforcement after restoring the website. The Polish National Police Agency didn’t immediately respond to a request for comment Friday.

The hackers programmed the hacked web servers to attack computers only if they originated from a short-list of approximately 75 institutions—an apparent effort to keep a lower profile and help evade detection, the researchers say.

This list includes 19 financial institutions in Poland, 15 in the U.S., nine in Mexico, and seven in the U.K., said BAE Systems, which declined to name the institutions.

The attacks also compromised a website belonging to Mexico’s financial regulator, the National Banking and Securities Commission, and a state-run bank in Uruguay, Dr. Nish said. A spokeswoman for the National Banking and Securities Commission said that it has seen no evidence that its computers were compromised. “During the past weekend, we received notice of a coordinated attack addressed to banking institutions world-wide,” she said. “Our Security Operations Center performed a thorough inspection, from which no abnormal behavior was detected.” The Commission’s investigation is continuing, she said.

The attacks, with their use of the “watering hole” technique, appear to be more sophisticated than previous Lazarus attacks, Dr. Nish and Mr. Chien said. In the shadowy world of cybersecurity, code can be stolen and reused, which makes the business of linking attacks to specific actors time-consuming and often inexact. Dr. Nish, at BAE, said he has “high confidence” that the group involved is Lazarus. “We know the tools that they’re using very well and we know the infrastructure they’re using and their tactics,” Dr. Nish said. “And we can strongly confirm that the tools that have been found on the bank networks and in these [website] attacks are part of the group’s tool kit.”

Mr. Chien said that Symantec hadn’t yet done the analysis required to make the connection definitively, but that the tools used in these latest attacks are linked to Lazarus tools used in the past.

Write to Robert McMillan at Robert.Mcmillan@wsj.com
