Bank-Attack Hackers Use Russian Decoys

The hackers behind a sophisticated attack campaign that has recently targeted financial organisations around the world have intentionally inserted Russian words and commands into their malware in an attempt to throw investigators off.

Researchers from cybersecurity firm BAE Systems have recently obtained and analysed additional malware samples related to an attack campaign that has targeted 104 organisations, most of them banks, from 31 different countries.

They found multiple commands and strings in the malware that appear to have been translated into Russian using online tools, the results making little sense to a native Russian speaker.

"In some cases the inaccurate translations have transformed the meaning of the words entirely," the researchers said in a blog post. 

"This strongly implies that the authors of this attack are not native Russian speakers and, as such, the use of Russian words appears to be a 'false flag'."

This unusual behaviour is most likely intended to make attribution harder and send investigators down a false lead. In reality there is technical evidence linking these malware samples, and the overall attack campaign, to a group known in the security industry as Lazarus.
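The first triage step behind a finding like BAE's is mechanical: pull every non-Latin string out of the sample so a linguist can judge whether it reads like native text or a machine translation. The helper below is an added example written for this page, not BAE Systems' tooling; it assumes strings are stored as UTF-8 or UTF-16LE (the usual Windows wide-string layout), and SAMPLE is a constructed byte blob, not a real malware sample.

```python
"""Triage helper: pull Cyrillic string runs out of a binary blob.

Assumptions (example code, not from the original article): strings are stored
as UTF-8 or UTF-16LE; other encodings are ignored. SAMPLE is a constructed
blob standing in for a dumped executable section.
"""
import re

# Constructed sample: PE-ish header bytes, an ASCII HTTP fragment, a Latin
# transliteration, a UTF-8 Cyrillic string and a UTF-16LE Cyrillic string.
SAMPLE = (
    b"\x00MZ\x90\x00"
    + b"GET /update HTTP/1.1\x00\x00"
    + b"ustanovit\x00"
    + "Файл отправлен".encode("utf-8") + b"\x00\x01\x02"
    + "Удалить файл".encode("utf-16-le") + b"\x00\x00"
)

# UTF-8: a printable ASCII byte, or a two-byte Cyrillic sequence
# (U+0400..U+04FF encodes as D0 80 .. D3 BF).
_UTF8_RUN = re.compile(rb"(?:[\xd0-\xd3][\x80-\xbf]|[ -~])+")
# UTF-16LE: printable ASCII is <byte> 00, Cyrillic is <byte> 04.
_UTF16_RUN = re.compile(rb"(?:[ -~]\x00|[\x00-\xff]\x04)+")


def _is_cyrillic(ch: str) -> bool:
    return "\u0400" <= ch <= "\u04ff"


def extract_cyrillic_strings(blob: bytes, min_cyrillic: int = 3):
    """Return (encoding, text) pairs for runs with >= min_cyrillic Cyrillic letters.

    ASCII-only runs (URLs, transliterations, command names) are dropped so the
    output is just the non-Latin text an analyst wants a native speaker to read.
    Misaligned UTF-16 matches decode to junk with no Cyrillic and fall out of
    the same filter.
    """
    found = []
    for enc, pattern in (("utf-8", _UTF8_RUN), ("utf-16-le", _UTF16_RUN)):
        for m in pattern.finditer(blob):
            try:
                text = m.group().decode(enc)
            except UnicodeDecodeError:
                continue
            if sum(_is_cyrillic(c) for c in text) >= min_cyrillic:
                found.append((enc, text.strip()))
    return found


if __name__ == "__main__":
    for enc, text in extract_cyrillic_strings(SAMPLE):
        print(f"{enc:10} {text}")
```

The extractor only surfaces candidates; whether a string is idiomatic Russian or the output of an online translator is a judgement the article leaves, correctly, to a native speaker, so treat the list as input to that review rather than as evidence on its own.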

This group has been active since at least 2009 and has been responsible for various attacks against government and private organisations in South Korea and the US over the years.

Lazarus is believed to have been responsible for the 2014 attack against Sony Pictures Entertainment that resulted in sensitive data being leaked from the company and many of the company's computers being rendered inoperable. The FBI and other U.S. intelligence agencies attributed that attack to North Korea.

The Lazarus group has also been linked to the theft of US$81 million from the central bank of Bangladesh in 2016. In that attack, hackers used malware to manipulate the computers the bank used to issue money transfers over the SWIFT network. They attempted to move $951 million in total, but some transactions failed and others were successfully reversed after the heist was detected.

Recently a malware attack that affected multiple banks in Poland came to light. The attack is believed to have involved exploits launched from the compromised website of the Polish Financial Supervision Authority.

Researchers from BAE Systems and Symantec have tied the Polish attack to a larger campaign that has been going on since October 2016 and involved multiple watering-hole-style compromises. The websites of the National Banking and Stock Commission of Mexico and the largest state-owned bank in Uruguay have also been infected in a similar manner.

The malware programs used in these attacks bear code similarities to tools attributed in the past to the Lazarus group.

There are several cyber-criminal gangs of Russian origin that specialise in targeting banks. These groups use spear-phishing to gain a foothold in banks' networks and then learn the organisations' internal procedures before they begin to steal money. BAE Systems' research suggests that Lazarus might be trying to make its activity blend in with that of these Russian-speaking cyber-criminals.

Computerworld:
