Cyber attacks on banks vai the Swift payments system in Bangladesh, Vietnam and the Philippines used the same malware, reports Symantec.
Just two weeks ago the Society for Worldwide Interbank Financial Telecommunication (Swift) warned of a highly adaptive campaign targeting banks.
Swift has since acknowledged that the heist involved altering Swift software to hide evidence of fraudulent transfers, but it said its core messaging system was not harmed.
Swift is a global member-owned co-operative that provides secure financial messaging services that connect more than 11,000 financial services organisations in more than 200 countries and territories.
Commenting on the incidents Swift said he attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at the banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.
Swift said the cyber criminals had used malware to manipulate PDF document reports confirming the messages to hide their tracks.
In the earlier cases, Swift said it appeared that insiders or cyber attackers had obtained user credentials and submitted fraudulent money transfer requests.
In addition to this, Symantec said some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus.
Symantec believes the attacks on the banks are linked and were possibly carried out by the same group.
They believe this because of similarities in distinctive wiping code between Trojan.Banswift used in the Bangladesh attack and early variants of Backdoor.Contopee, which has been used in limited targeted attacks against the financial industry in south-east Asia.
Symantec believes distinctive code shared between families – and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region – means these tools can be attributed to the same group.
Backdoor.Contopee has been previously used by attackers associated with a broad threat group known as Lazarus. Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea.
The group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment.
The group was the target of a cross-industry initiative known as Operation Blockbuster earlier in 2016, which involved major security suppliers sharing intelligence and resources to assist commercial and government organisations in protecting themselves against Lazarus.
As part of the initiative, security firms are circulating malware signatures and other useful intelligence related to these attackers, but Symantec said the discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region.
While awareness of the threat posed by the group has now been raised, its initial success may prompt other attack groups to launch similar attacks. Banks and other financial institutions should remain vigilant, Symantec said.