The prolific North Korean state-sponsored hacker group Lazarus, believed to be behind numerous high-profile cyberattacks against global financial and government institutions, appears to have focused again on international banks. Lazarus is now suspected of being behind the recent Taiwan bank cyberheist, in which hackers stole millions from the Far East International Bank.
The cyberattack on the bank involved hackers stealing money by compromising the bank's SWIFT network. The stolen funds were then transferred to several overseas beneficiaries in Sri Lanka and Cambodia – countries where Lazarus' bank heist activities have previously been detected.
According to security experts at BAE Systems, the recent bank hack is reminiscent of the $81m (£61m) Bangladesh Bank cyberheist, with similar malware and hacking tools used to carry out the attack. The malware used in the Taiwan bank hack was the same previously used by Lazarus against banks in Poland and Mexico. In the Taiwan bank heist, the hackers also used a variant of the Hermes ransomware, presumably "as a distraction or cover-up".
Tracking the money
According to BAE Systems researchers, on 3 October, some of the stolen funds were transferred to the Bank of Ceylon. The very next day, an individual allegedly withdrew Rs 30m ($195,330; £147,350) from the bank. The unknown individual was arrested two days later when he allegedly returned to withdraw an additional Rs 8m ($52,000; £39,290).
Although local reports stated that the hackers stole around $60m from the Taiwanese bank, the exact amount of the stolen funds is still unclear. The BAE Systems researchers said "the amounts actually stolen were considerably lower" and that the Far East International Bank has already recovered most of the stolen funds.
Lazarus is believed to be the cyber tool of North Korea's dictatorial regime for raising money for the impoverished country as it faces increasing international sanctions amid rising tensions. Apart from being involved in various attacks against global banks, the group is also believed to have orchestrated the historic WannaCry ransomware epidemic. Security experts who previously uncovered the hacker group's recent activities said Lazarus has also targeted ATMs and gambling sites to make money for the Kim Jong-un regime. However, the Taiwan bank hack may indicate the group's intention to once again target banks.
"Despite their continued success in getting onto payment systems in banks, the Lazarus group still struggle getting the cash in the end, with payments being reversed soon after the attacks are uncovered. The group may be trying new tricks to disrupt victims and delay their ability to respond – such as different message formats, and the deployment of ransomware across the victim's network as a smokescreen for their other activity," the BAE Systems researchers said in a blog.
"It's likely they'll continue their heist attempts against banks in the coming months and we expect they will evolve their modus operandi to incorporate new ways of disrupting victims (and possibly the wider community) from responding," the researchers added.