The probe into the $81m (£56m) cyber-heist at the Bangladesh central bank has taken a strange turn as security researchers from BAE Systems claim to have linked the malware used in the attack to the online siege against Sony Pictures in 2014.
Many, including experts in the US government, believe the cyberattack against Sony was the work of hackers affiliated with the North Korean government. Could the reclusive nation really be involved in this latest incident?
The BAE report, titled Cyber Heist Attribution, claims what initially appeared to be an isolated attack against one bank has turned out to be larger in scope than previously thought.
"Our research into malware used on Swift-based systems running in banks has turned up multiple bespoke tools used by a set of attackers," the report stated. "What initially looked to be an isolated incident at one Asian bank [has] turned out to be part of a wider campaign."
The malware samples
BAE said its research found links between the recent banking hacks and malware uncovered during the Operation Blockbuster investigation, after poring over "tens of millions" of samples in connection with the Bangladesh incident. As previously reported, the Blockbuster investigation focused on a group dubbed Lazarus, which used very specific malware strains in large-scale cyberattacks. That malware eventually led the FBI to conclude the North Korean government was involved in the now infamous attack against Sony, a charge the Pyongyang government has denied.
"The overlaps between these samples provide strong links for the same coder being behind the recent bank heist cases and a wider known campaign stretching back almost a decade," the report said.
BAE also found further overlaps between the Bangladesh malware and the earlier samples, including the encryption keys used and the names of several mutexes (mutual exclusion objects, the named synchronisation primitives malware commonly creates to check whether another copy of itself is already running). "The links come through the code, which bears the hallmarks of a single, consistent coder," said Adrian Nish, BAE's head of threat intelligence.
The file that links the two incidents is called "msoutc.exe" and, according to BAE, matches the malware described in a 2015 US-CERT alert about the tools used in the Sony attack.
So, however unlikely it seems, the BAE findings line up with research from cybersecurity firm FireEye, which is formally investigating the cyber-heist and which identified the digital trail of hacker groups from North Korea and Pakistan. When contacted by IBTimes UK, FireEye declined to comment.
The attribution problem
Of course, attributing a cyberattack to its true source is famously difficult. Sophisticated attackers can plant "false flags" to disguise where an attack came from, or embed foreign-language strings in their code to throw investigators off the scent. Malware is also routinely reused, sold or shared between cybercriminals, so the same code in two incidents does not by itself mean the same operator.
Yet despite listing a number of these alternative explanations in its report, BAE said it believes they remain "unlikely".
"It is possible that this particular file-delete function [used in the hack] exists as shared code, distributed between multiple coders who look to achieve similar results. However, we have noted that this code isn't publicly available or present in any other software after searching through tens of millions of files," the report states.
"Whilst there are possibilities that exist which may lead to alternative hypotheses, these are unlikely and as such, we believe that the same coder is central to these attacks," it adds, though it stops short of naming culprits. "Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone."
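How an overlap of the kind BAE describes is measured in practice, as an added example that is not BAE's tooling or any code from this article: the script extracts printable strings from two binaries, discards anything that also appears in a corpus of unrelated software (the report's "not present in any other software" check, in miniature), and reports the rare indicators the two samples share, such as mutex names and embedded key strings. Every sample blob, mutex name and key string in it is a constructed placeholder, and the Jaccard scoring is this example's choice, not the report's method.

```python
"""Added example, not BAE's tooling: rank two binaries by the rare strings
they share (mutex names, embedded keys, unusual format strings) after
discounting everything also found in a corpus of unrelated software.
Every blob below is constructed for illustration; none is real malware."""
import re
from typing import Dict, Iterable, Set, Tuple

MIN_LEN = 6  # shorter runs are mostly noise, as with `strings -n 6`
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob: bytes) -> Set[str]:
    """Printable ASCII and UTF-16LE runs, like `strings -a` plus `strings -el`.
    Windows mutex names are often stored wide, so both encodings matter."""
    found = {m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in _WIDE_RUN.finditer(blob)}
    return found


def corpus_strings(corpus: Dict[str, bytes]) -> Set[str]:
    """Union of every string seen in a set of unrelated binaries."""
    out: Set[str] = set()
    for blob in corpus.values():
        out |= extract_strings(blob)
    return out


def rare_strings(blob: bytes, benign: Dict[str, bytes]) -> Set[str]:
    """Strings that no benign sample contains. Import names, CRT text and
    other shared runtime strings drop out here; only sample-specific text
    survives, which is the only overlap worth arguing attribution from."""
    return extract_strings(blob) - corpus_strings(benign)


def similarity(a: bytes, b: bytes, benign: Dict[str, bytes]) -> Tuple[float, Set[str]]:
    """Jaccard index over rare strings, plus the shared indicators themselves."""
    ra, rb = rare_strings(a, benign), rare_strings(b, benign)
    shared, union = ra & rb, ra | rb
    return (len(shared) / len(union) if union else 0.0), shared


def _blob(narrow: Iterable[str], wide: Iterable[str] = ()) -> bytes:
    """Glue constructed strings together with NUL padding, mimicking a
    string table in a PE section. Not a real executable."""
    parts = [s.encode("ascii") + b"\x00" for s in narrow]
    parts += [s.encode("utf-16-le") + b"\x00\x00" for s in wide]
    return b"\x00\x00".join(parts)


# Constructed corpus of unrelated software: common imports and a benign mutex.
BENIGN: Dict[str, bytes] = {
    "editor.bin": _blob(["KERNEL32.dll", "CreateMutexA", "GetProcAddress"]),
    "updater.bin": _blob(["KERNEL32.dll", "WriteFile", "DeleteFileA",
                          "Global\\UpdaterInstance"]),
}

# Constructed stand-ins for "the bank sample" and "the earlier campaign sample".
# They share a mutex name, a key string and a wide string; placeholders only.
SAMPLE_BANK = _blob(
    ["KERNEL32.dll", "CreateMutexA", "WriteFile",
     "Global\\ExampleMutex_4f2a91", "RC4KEY=placeholder-0123",
     "bank-specific-config-path"],
    wide=["wide-string-marker"])
SAMPLE_EARLIER = _blob(
    ["KERNEL32.dll", "CreateMutexA", "DeleteFileA",
     "Global\\ExampleMutex_4f2a91", "RC4KEY=placeholder-0123",
     "other-campaign-string-xyz"],
    wide=["wide-string-marker"])
UNRELATED = _blob(["KERNEL32.dll", "CreateMutexA", "Global\\UpdaterInstance"])


if __name__ == "__main__":
    score, shared = similarity(SAMPLE_BANK, SAMPLE_EARLIER, BENIGN)
    print(f"bank vs earlier:   {score:.2f}  shared rare strings: {sorted(shared)}")
    score, shared = similarity(SAMPLE_BANK, UNRELATED, BENIGN)
    print(f"bank vs unrelated: {score:.2f}  shared rare strings: {sorted(shared)}")
```

The benign corpus is the important part: without it, two binaries that both import CreateMutexA and WriteFile would look related, which is exactly the weak overlap the report's "tens of millions of files" search is meant to exclude. Real string-level overlap also remains circumstantial, for the reasons the article gives above: strings can be copied, bought or planted, and a high score says the code is shared, not who ran it.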
Faced with the possibility of nation-state involvement, a Bangladesh Bank spokesman told Reuters: "We have engaged forensic experts to investigate the whole thing, including this."
The Vietnam bank
As noted, the number of victimised banks has recently expanded. Swift, the messaging network that connects some 11,000 financial institutions around the world, has revealed that sophisticated malware was used against a second commercial bank.
BAE said its analysis suggests the bank is located in Vietnam, but it did not name the institution or branch. Swift officials, who also declined to name the bank, would not say whether any funds had been stolen or which computer systems were compromised in the second attack.
As previously reported, forensic experts said the second case showed that the Bangladesh heist "was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks".
The initial breach at the Bangladesh central bank occurred in early February, when the attackers sent fraudulent payment instructions over Swift in an attempt to move $951m out of the bank's account at the Federal Reserve Bank of New York. Most of the transfers were stopped after a typo in one of the Swift messages raised suspicion, but the attackers still got away with $81m.
In the subsequent probe, officials from around the world have pointed the finger at one another over who is responsible. Most recently, officials in the Bangladesh police force alleged that Swift technicians introduced weaknesses into the bank's systems that left it wide open to hacking.
Mohammad Shah Alam, the head of the criminal investigation department of Bangladesh police, said: "We found a lot of loopholes. The changes caused much more risk for Bangladesh Bank." Swift rejected the claim and denied any allegations of foul play.
"Swift rejects the false, inaccurate and misleading allegations made by Bangladesh Bank and Bangladesh Police's Criminal Investigation Department (CID)," it said in a statement. "The accusations have no basis in fact."
However, evidence also emerged that while Swift's own network may have been the harder target, the bank's security was severely lacking. Reports after the hack said the institution ran no firewall and used cheap routers to connect to Swift's secure messaging system, which would have left little to separate the Swift-connected machines from the rest of the bank's network.
In any case, the investigation is ongoing. The latest BAE report is only likely to add fuel to the fire: if nation-state involvement is confirmed, an already serious cyberattack probe becomes a scenario with global political ramifications.