North Korean hacking crew among the prime suspects

The recent cyber-attacks on Banco de Chile that resulted i the theft of $10 million have fit the pattern of ongoing assaults against small and medium-sized financial institutions.

Security researchers agree that since around 2016 banks have been targeted in malware-powered cyber-heists, but they remain somewhat at odds on who the likely culprits are.

A North Korean state hacking crew is among the prime suspects, although Russian cybercriminals have also been slated as the possible offenders of the latest robberies.

The wiper malware used in May’s Banco de Chile attack, which thrashed as many as 9,000 workstations and 500 servers, was similar to the Buhtrap malware used against multiple Russian financial institutions, according to threat Intel firm Flashpoint.

Buhtrap malware and its components, including MBR Killer, caused losses of RUB97 million ($1.23 million) and forced one bank to disconnect from the Russian electronic payment system.

The MBR Killer component leaked to the underground in February 2016, Flashpoint added.

Flashpoint researchers reverse engineered the malware linked to the attack against Chile’s largest financial institution on May 24, before concluding that the malicious code was a modified version of MBR Killer, which renders the local operating system and the Master Boot Record unreadable.

Smokescreen

The wiper malware, however, was reportedly just a cover for a deeper attack against endpoints handling sensitive transactions and messaging over the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network.

Banco de Chile general manager Eduardo Ebensperger said that the hack affected branch services and telephone banking as well as the bank’s internal network.

The bank subsequently apologized for the disruption to customer service, which lasted some days, as the stolen $10 million passed through entities in Hong Kong, likely just a waypoint to its eventual destination.

The attack in Chile follows shortly after a January incident affecting several banks in Mexico that resulted in approximately $15.4 million in losses. The banks were using a Sistema de Pagos Electrónicos Interbancarios (SPEI) interbank transfer system.

Flashpoint said this was separate from another run of malware attack targeting Mexican financial institutions around the same time, with possible attribution to North Korea.

Flashpoint said it was “not able to analyze the malware targeting Mexican financial institutions, though the FBI associated the attack with North Korean malware”.

Mexican financial publication El Financiero named the culprit of the January attack as ‘Fallchill’ – a North Korean remote administration tool (RAT).

Flashpoint concludes: “At this time, there does not appear to be a connection between attacks against Mexico’s banking institutions and the purported attack on Banco de Chile because the tactics, techniques, and procedures (TTP) used by the threat actors differ.”

“The similarities between the malicious code used in Chile and the leaked code from 2016 are in the use of the same NSIS script, below, in both instances. NSIS, or Nullsoft Scriptable Install System, is an open source system used to build Windows installers,” it added.

Trend Micro reckons that the wiper variant involved in the May attack in Chile – contrary to suggestions from Flashpoint – was connected to the foiled heist in Mexico in January.

Hackers used a variant of the KillDisk wiper malware as a smokescreen before targeting systems linked to the SWIFT inter-bank transfer network, according to Trend Micro.

Flash crash

The SWIFT network is used for secure communications and money transfers between financial institutions.

The $81 million theft from a Bangladesh central bank account at the New York Federal Reserve Bank was blamed on a hack of SWIFT's Alliance Access software.

A second, apparently related, hit a commercial bank in Vietnam soon after. Both used malware the pushed unauthorized SWIFT money transfer messages while deleting logs.

Unnamed commercial banks in the Philippines and Ukraine were targeted in follow-up assaults. And an early 2015 attempted heist against Banco del Austro in Ecuador was retrospectively linked to the same run of attacks.

SWIFT is proactively trying to help its customers to secure their locally managed infrastructure by publishing best practice guides, among other forms of advice.

Western intelligence agencies, such as the NSA and GCHQ, as well as private cybersecurity firms, blame elements from the North Korean state for the looting of funds held by the Central Bank of Bangladesh and follow-up attacks on banks, the 2014 attack on Sony Pictures and much more on a long and growing rap sheet.

Attributions are based on the use of the same particular malware strains, attack control infrastructure and other tactics.

The so-called Lazarus Group (AKA Hidden Cobra) is controlled by Bureau 121, a division of the Reconnaissance General Bureau, a North Korean intelligence agency, according to Moscow-based Group-IB.