Lazarus: who is behind the attacks on the SWIFT bank transfer system



    The interbank SWIFT system is going through hard times. In February 2016, exploiting weaknesses in how a member bank used SWIFT, attackers managed to withdraw $81 million from the Central Bank of Bangladesh (we wrote about that story earlier). It later emerged that this was not the only SWIFT-related intrusion. Back in January 2015, Banco del Austro in Ecuador had also fallen victim to attackers. In addition, an unsuccessful attack on Vietnam's Tien Phong Bank, which had not previously been reported, came to light.

    Security researchers at Symantec have been investigating these intrusions to find out who could be behind the theft of millions of dollars from financial institutions around the world.

    Attack on Banco del Austro in Ecuador


    The attack on the Ecuadorian bank took place in January 2015, and $9 million was stolen. The criminal scheme resembles the one later used against the Central Bank of Bangladesh. It is believed that the attackers used malware capable of reading files on the bank's SWIFT-connected computers while bypassing local security controls. The attackers had access to the bank for about 10 days. During that time the malware sent fraudulent payment instructions over SWIFT to Wells Fargo in San Francisco, initiating transfers to accounts in Hong Kong, Dubai, New York and Los Angeles.

    The intrusion was kept quiet. It became public only in May 2016, when the affected bank filed a lawsuit in federal court in New York. In its suit against Wells Fargo, Banco del Austro seeks recovery of the full stolen amount.

    SWIFT stated officially that its network, software and core messaging services were not compromised, but that the attackers who carried out the operation had a detailed understanding of the operational controls at the affected bank.

    Lazarus Group


    According to Symantec researchers, the Lazarus hacker group could be behind the attacks described above. The group has existed for many years; its earliest known activity dates to 2007-2009.

    Their activity patterns indicate that the group's members live in the UTC+8 or UTC+9 time zone. In addition, their working day lasts at least 15-16 hours. "Lazarus Group is probably the most hardworking APT group we have studied (and there have been many of them in recent years)," say Kaspersky Lab researchers.

    Over that time the attackers have created more than 45 families of malware, which have been used successfully in cyber espionage as well as in attacks aimed at destroying data and disabling a wide range of systems. According to researchers, it was the Lazarus group that was responsible for the devastating attack on Sony Pictures Entertainment in 2014.

    Symantec researchers found evidence linking the attacks on Sony Pictures, the Central Bank of Bangladesh and banks in Vietnam and the Philippines: all of these intrusions share the same specific code. In addition, the particular methods used to erase traces of presence on infected systems, and the techniques used to evade antivirus detection, point to the Lazarus group's involvement in all of these incidents. As a result, dozens of separate attacks whose organizers were unknown until recently trace back to a single source: Lazarus.

    Symantec representatives say that if it is confirmed that the attacks were organized by the DPRK, it would be the first known case of a nation state engaging in theft through hacking.

    Why the DPRK


    North Korea is in dire need of money. The country's economy suffers from sanctions and food shortages. Pyongyang does not publish economic data, but by some estimates North Korea's GDP is somewhere between $12 billion and $40 billion. It is plausible that the DPRK government would resort to criminal means to supplement the budget.

    For example, the country has become a source of counterfeit currency: U.S. government officials have repeatedly accused North Korea of counterfeiting hundred-dollar bills, known as superdollars or supernotes because the fakes were almost indistinguishable from the genuine article.

    Eric Chien, a security researcher at Symantec, does not rule out that the DPRK carries out cyber attacks to obtain money. "When hacking into Bangladesh's Central Bank account, the hackers tried to steal $1 billion, which is almost 10 percent of North Korea's estimated GDP for 2014, so this idea is quite plausible," he says.

    How to protect SWIFT


    To contain the threat that may come from North Korea, the country's banking system could be cut off from the international financial system; this measure is being discussed as a sanction. In addition, Russia's Kaspersky Lab, the American firms Novetta and AlienVault, and Symantec announced in the winter of 2016 that they were conducting a large-scale joint operation, Operation Blockbuster, whose stated purpose is to stop the Lazarus group.

    However, SWIFT's management is not relying solely on the efforts of antivirus companies. Although the payment network does not officially accept responsibility for the incidents, the organization has nevertheless drawn up five measures with which it hopes to improve the cybersecurity situation.

    1. SWIFT intends to significantly improve information sharing among participants across the global financial community. According to SWIFT CEO Gottfried Leibbrandt, financial institutions, fearing reputational damage, rarely report attacks. Such silence only makes matters worse and does nothing to prevent subsequent attacks on the banking sector.
    2. Security requirements for the software banks use will be tightened.
    3. SWIFT will develop and offer its customers a dedicated "payment control" service, which should make it possible to spot suspicious activity at an early stage.
    4. SWIFT will also improve its security guidance and develop an audit framework for its customers' banks.
    5. Requirements will be introduced for third-party software providers.
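    The third measure, an early-warning control over outgoing payment instructions, is the one most directly aimed at the pattern seen at Banco del Austro and in Bangladesh: fraudulent instructions injected at the SWIFT interface, to first-time beneficiaries abroad, in unusual amounts. The following Python example is added here for illustration and is not SWIFT's service or any code from the article. It screens a constructed batch of outgoing payments against (a) the bank's own independent record of approved payment orders, which injected instructions will not appear in, and (b) simple behavioural baselines from constructed historical traffic. All record fields, names and thresholds are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Payment:
    """One outgoing payment instruction (hypothetical, simplified fields)."""
    ref: str            # instruction reference as seen at the SWIFT interface
    amount: float
    currency: str
    beneficiary: str    # beneficiary account identifier (constructed)
    country: str        # beneficiary country
    sent_at: datetime   # time the instruction left the interface


# Constructed historical traffic: what "normal" looks like for this bank.
HISTORY = [
    Payment("H1", 250_000, "USD", "ACME-NY", "US", datetime(2014, 12, 1, 10, 30)),
    Payment("H2", 400_000, "USD", "ACME-NY", "US", datetime(2014, 12, 8, 11, 0)),
    Payment("H3", 120_000, "USD", "SUPPLIER-MIA", "US", datetime(2014, 12, 15, 9, 45)),
]

# Constructed outgoing batch: one routine payment and two that mimic the
# article's pattern (new foreign beneficiaries, large amounts, odd hours).
OUTGOING = [
    Payment("O1", 300_000, "USD", "ACME-NY", "US", datetime(2015, 1, 12, 10, 0)),
    Payment("O2", 1_500_000, "USD", "NEWCO-HK", "HK", datetime(2015, 1, 15, 2, 10)),
    Payment("O3", 2_000_000, "USD", "SHELL-LA", "US", datetime(2015, 1, 17, 11, 0)),
]

# The bank's own record of approved payment orders, kept outside the SWIFT
# interface (constructed). Instructions injected at the interface have no
# counterpart here, which is the strongest single signal of the attack.
AUTHORIZED = {"O1"}


def screen(batch, history, authorized, business_hours=(9, 17), amount_factor=3.0):
    """Return {ref: [reasons]} for every instruction that trips a control."""
    known_beneficiaries = {p.beneficiary for p in history}

    # Largest historical amount per (currency, country) corridor.
    corridor_max = {}
    for p in history:
        key = (p.currency, p.country)
        corridor_max[key] = max(corridor_max.get(key, 0.0), p.amount)

    start, end = business_hours
    findings = {}
    for p in batch:
        reasons = []
        if p.ref not in authorized:
            reasons.append("no matching approved payment order")
        if p.beneficiary not in known_beneficiaries:
            reasons.append("first-time beneficiary")
        key = (p.currency, p.country)
        if key not in corridor_max:
            # No baseline exists, so flag rather than compare against nothing.
            reasons.append("new payment corridor")
        elif p.amount > amount_factor * corridor_max[key]:
            reasons.append("amount exceeds %.0fx historical max for corridor" % amount_factor)
        if p.sent_at.weekday() >= 5 or not (start <= p.sent_at.hour < end):
            reasons.append("sent outside business hours")
        if reasons:
            findings[p.ref] = reasons
    return findings


if __name__ == "__main__":
    for ref, reasons in screen(OUTGOING, HISTORY, AUTHORIZED).items():
        print(ref, "->", "; ".join(reasons))
```

    The reconciliation against an independently kept order log is the control that would have caught the Banco del Austro instructions regardless of how plausible they looked; the behavioural rules are secondary and must be tuned per bank to avoid swamping operators with false positives.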

    Implementing the proposed measures will cost financial institutions a substantial sum. However, only through the joint efforts of the whole industry can results be achieved.

    "SWIFT is not omnipotent, we are not a regulator, we are not a policeman. Success depends on the participation of all interested parties in and around the industry," says Leibbrandt.

    Former SWIFT CEO Leonard Schrank believes the mistakes will, of course, be fixed. However, each successive attack will be harder to repel, since financial institutions attract highly skilled attackers.

    Financial companies also develop security measures of their own, which help not only with the consequences of intrusions but also with ordinary IT failures. For example, errors in exchange systems can lead to trading data being displayed incorrectly or to the margin required to hold a position being miscalculated (such an error can even cause a position to be closed prematurely).

    To minimize potential damage, brokerages build various protection systems for their customers. You can read about how such protection is implemented in the ITinvest MatriX trading system at the link.
