A fourth bank hit by SWIFT hackers: are they backed by the DPRK?

Pierluigi Paganini May 27, 2016

A fourth bank in the Philippines was a victim of the SWIFT hackers, and experts at Symantec confirmed that the malware shares code with tools used by the Lazarus group.

The list of banks victimized by the SWIFT hackers keeps growing: a fourth bank, this one in the Philippines, has fallen victim to the crew that targeted the SWIFT interbank transfer system.

Last week the media announced a third victim of the SWIFT hackers: attackers stole $12 million from the Ecuadorian bank Banco del Austro SA.

In February hackers stole $81 million from the Bangladesh central bank, and a few days ago SWIFT (the Society for Worldwide Interbank Financial Telecommunication) announced that a second commercial bank had been the victim of a cyberheist. The crime appears to be part of a broad online attack on global banking.

Security experts suspect the existence of a highly skilled threat actor that is targeting a core component of the banks' infrastructure: the SWIFT network.

When the second cyber heist was confirmed, Natasha de Teran, the SWIFT spokeswoman, revealed that it shared multiple similarities with the Bangladesh bank heist and added that both were very likely part of a “wider and highly adaptive campaign targeting banks.”

“The unusual warning from Swift, a copy of which was reviewed by The New York Times, shows how serious the financial industry regards these attacks to be. Some banking experts say they may be impossible to solve or trace.” the NY Times reported. “Swift said the thieves somehow got their hands on legitimate network credentials, initiated the fraudulent transfers and installed malware on bank computers to disguise their movements.”

According to the experts at Symantec, the SWIFT hackers have conducted multiple cyber attacks against financial institutions.

The same hacker group was also blamed for the theft of $12 million from an Ecuadorian bank, Banco del Austro SA. Related strains of malware featured in the attacks against these various banks, which suggests that the same group is behind multiple assaults, as Symantec explains.

The researchers at Symantec discovered that the hacking tools used by the gang share many similarities with the malicious code in the arsenal of the Lazarus APT.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

“Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam.” reads the analysis published by Symantec.

“Malware used by the group was also deployed in targeted attacks against a bank in the Philippines. In addition to this, some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus. The attacks can be traced back as far as October 2015, two months prior to the discovery of the failed attack in Vietnam, which was hitherto the earliest known incident.”

The experts at Symantec have spotted at least three strains of malware, Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee, which have been used in targeted attacks against financial institutions.

“Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee.” states Symantec. “At first, it was unclear what the motivation behind these attacks was; however, code sharing between Trojan.Banswift (used in the Bangladesh attack to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection.”

The malware experts discovered that the wiper used by the SWIFT hackers is similar to the one used in the Sony Pictures hack.


Symantec confirmed the discovery made by the security experts Sergei Shevchenko and Adrian Nish from BAE Systems, who collected evidence of the link between the malware used in the recent cyber attacks against financial institutions and the malicious code used to compromise Sony Pictures systems in 2014.

“Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group. Backdoor.Contopee has been previously used by attackers associated with a broad threat group known as Lazarus. Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea.” continues the analysis published by Symantec. “The group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment. The FBI concluded that the North Korean government was responsible for this attack.”

At this point there are two possibilities: either North Korea is targeting the global financial system, or we are looking at a false flag operation by someone running a diversionary campaign that reuses the code seen in the Sony hack.

Stay tuned …

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section where it is listed. I’m one of the finalists and I want to demonstrate that the Security Affairs community is a great reality.


Thank you



Pierluigi Paganini

(Security Affairs – SWIFT hackers, Bangladesh attack)
