A fourth bank, this time in the Philippines, has been attacked by hackers targeting the SWIFT inter-bank transfer system.
Security researchers at Symantec reckon the same group blamed for the infamous $81m Bangladesh central bank mega-heist back in February also mounted an earlier assault in the Philippines last year, itself part of a growing litany of assaults.
The same hacker group was also blamed for the theft of $12m from an Ecuadoran bank, Banco del Austro SA. Related strains of malware featured in attacks against these various banks, suggesting that the same group is behind multiple assaults, as Symantec explains.
Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee. At first, it was unclear what the motivation behind these attacks were, however code sharing between Trojan.Banswift (used in the Bangladesh attack used to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection.
Wiping code used to cover up the banking assaults matches that which featured in the Sony Pictures attacks, Symnatec’s researchers discovered. This commonality of tactics, techniques and procedures has allowed the security firm to point the finger of blame for the SWIFT bank hacks towards the same hackers who ransacked Sony Pictures network two years ago.
Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group. Backdoor.Contopee has been previously used by attackers associated with a broad threat group known as Lazarus. Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea. The group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment. The FBI concluded that the North Korean government was responsible for this attack.
How deep does the rabbit hole go?
Evidence is emerging that the SWIFT (Society for Worldwide Interbank Financial Telecom) attacks began as far back as October 2015 when the Philippines bank was first hit, two months prior to the discovery of the failed attack on Tien Phong Bank in Vietnam.
Some of the tools used against the Philippines bank share code similarities with malware used in historic attacks linked to a threat group known as Lazarus, the group behind the Sony Pictures breach. The US government has consistently blamed North Korea for the Sony Pictures hack back in November 2014.
Stung by the growing catalogue of malfeasance, SWIFT chief exec Gottfried Leibbrandt announced security upgrades and better information sharing for its inter-bank transfer system earlier this week. SWIFT still maintains that the problems lie with the affected banks - it has said that their systems must have been compromised and credentials stolen – while acknowledging that it needs to do more to fight fraud.
The recent hacks highlight concerns about the cross-border payments system, as detailed in a informative feature by The Economist on SWIFT’s cybersecurity issues here. ®