Before hitting the Bangladesh Bank's US Federal Reserve account for $81 million in February, the group responsible for the attack tried their luck on a Philippine institution, Symantec has said.
In a blog post, the security vendor said that similarities in the code used in the malware in both attacks led it to conclude the attacks were from the one source.
"Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group," it said.
The company said the attacks on the Philippine bank occurred from October last year, and represent the earlier known attacks from the group.
"The discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region," Symantec said.
Some of the code similarities mean the malware can be traced to Lazarus, a group linked with a trojan that was used in the attack on Sony Pictures.
"There will be a before and an after Bangladesh. The Bangladesh fraud is not an isolated incident ... this is a big deal. And it gets to the heart of banking," SWIFT chief executive Gottfried Leibbrandt said earlier this week.
In February, the SWIFT system of the Bangladesh central bank was hacked into, with thieves sending messages to the Federal Reserve Bank of New York that allowed them to steal $81 million.
The attackers have also been blamed for a $12 million theft from an Ecuadorean bank last year, and an unsuccessful attack on Vietnam's Tien Phong Bank.
Earlier this month, a trove of Symantec's products were found to be vulnerable to a buffer overflow when parsing malformed portable-executable header files.
On Windows, thanks to Symantec's scanning engine being loaded in to the kernel, the subsequent kernel memory corruption resulted in instant blue-screening. While on Linux, OS X, and other Unix-like systems, the buffer overflow resulted in a remote heap overflow as root in the Symantec or Norton process.
The attack could be invoked without any user interaction, and could occur via such events as receiving an email, downloading a document or application, or by visiting a malicious website.