It looks like a wave of cyberattacks targeting financial institutions (FIs) in the U.S., Mexico, the U.K. and, most recently, Poland may originate from the same source as the hack attacks against Sony in 2014.
According to researchers, the most recent wave of attacks shares traits with the Sony hack.
The hallmark of this round of attacks that kicked off last year involves installing malicious code on financial regulator websites and then using said sites as launching points for attacks against banks and other financial institutions, according to security researchers at Symantec Corp. and BAE Systems PLC.
How many banks were hit or what financial losses were taken as a result remains unknown to regulators, but the attacks do seem to be of a piece with the hacks that blew Sony Pictures open about two years ago. U.S. officials at the time had officially blamed North Korea for the hack — though North Korea has taken no official credit for the act of cyber-terrorism (they have allowed that one of their supporters might have been behind the attack).
Researchers at BAE Systems and Symantec believe the group behind the attacks this time around is called “Lazarus” — and that it is the same North Korea-affiliated group that hacked into Sony and a series of other banks in Asia, owing to similarities in the software used. An expansion into bank hacking would be a new move for Lazarus — as would an expansion into the U.S. and Europe. The technique leveraged in this attack is called a “watering hole.”
Criminals use one common access point as their digital staging ground for attacks against a variety of organizations. In the most recent Polish instantiation of this crime, the code on the Polish financial regulator’s site was placed to infect the systems of banking employees who frequent the site. The goal for the hackers would be to spread malicious software onto computers within the financial institutions on their list.
“We never saw them do anything, for example, to the U.S., let alone Europe,” noted Eric Chien, technical director of Symantec’s Security Technology and Response division. “Now we see them targeting the U.S. and Europe.”
The FBI officially warned U.S. FIs that it was specifically “monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector,” back in November — but has offered no official comment on the latest hacks or the potential for North Korean involvement.
The latest variation on the watering hole tactic seems to be a bit more advanced than previous versions, though researchers remain fairly certain that this is still the same Lazarus hacking group they’ve seen popping up for the last two years.
“We know the tools that they’re using very well and we know the infrastructure they’re using and their tactics,” one researcher noted. “And we can strongly confirm that the tools that have been found on the bank networks and in these [website] attacks are part of the group’s tool kit.”