Hackers responsible for $80M bank heist show 'no signs of stopping'

Lazarus, linked to the famous Bangladeshi bank heist, is probing Southeast Asia and Europe in the hunt for fresh targets.
Written by Charlie Osborne, Contributing Writer
(Image: ZDNet)

The cybercriminals allegedly responsible for an attack on Bangladesh's central bank, which left the country's wallet millions of dollars lighter, is showing "no signs of stopping," according to security experts.

The group, dubbed Lazarus, managed to dupe banking staff into transferring $80 million from the Central Bank of Bangladesh's New York Federal Reserve account after spending several months studying how the financial institutions communicated and conducted transfers.

In February 2016, cyberattacker made over three dozen large and rapid money requests from the account by using stolen SWIFT credentials, a financial messaging system used by banks worldwide for transactions.

The group, unidentified at the time, attempted to steal a total of $851 million and were able to make off with $80 million, sent to agents in the Philippines and Sri Lanka, before a simple typographical error was spotted by an employee that raised the red flag needed to prevent additional transfers going through.

The Bangladesh bank heist is considered one of the "largest, most successful cyber heists ever," according to Kaspersky, and on Monday at the Kaspersky Security Analyst Summit in St. Maarten, researchers Vitaly Kamluk and Aleks Gostev from the cybersecurity firm said Lazarus is the subject of an investigation that has continued for over a year in relation to the theft.

Investigations conducted by the cybersecurity firm and BAE Systems suggest there is a high chance the attacks were conducted by Lazarus, known for debilitating attacks on entities including manufacturing companies, media, and financial institutions in at least 15 countries worldwide since 2009.

Bitcoin-related websites have also been compromised by the group recently, which suggests the group may be interested in the theft of virtual currency for laundering purposes.

Evidence including similar malware being used in related cases and wipers pointed the cybersecurity experts in the direction of Lazarus, and it is believed at least several individuals were involved in the heist.

Kaspersky said that a sub-group, dubbed Bluenoroff, is also potentially involved in modern cyberattacks against financial institutions. The group does not have its own command-and-control (C&C) systems, but act more like "engineers," according to Gostev, as they are not interested in false flag operations or concealing their tracks -- unlike Lazarus -- but do make use of the same toolkit.

There were also distant connections present by following infection chains back through servers, some of which are believed to be controlled by the Lazarus group.

Kaspersky said that following the successful $80 million theft, the group laid low for several months. However, Lazarus was not sitting on its laurels; instead, the group was preparing for a fresh operation to steal money from other banks.

Lazarus had set its sights on financial entities in Southeast Asia and then Europe, but it was caught in both attempts.

Lazarus first breaches a single system inside a bank by way of vulnerable web servers or through watering hole attacks. Once a bank employee has been lured to websites baited with malicious code, the trap springs and the malware, when executed, bring in additional tools to compromise the financial institution's systems.

The threat actor's toolkit allows Lazarus to migrate to other bank hosts and to deploy persistent backdoors, allowing them to spy on bank activities for months on end, learning the network and giving them the opportunity to identify the most valuable resources hosted financial systems.

"One such resource may be a backup server, where authentication information is stored, a mail server or the whole domain controller with keys to every "door" in the company, as well as servers storing or processing records of financial transactions," the researchers said.

Once these resources have been identified, Lazarus then deploys what Kaspersky calls "special malware," which is able to bypass the internal security features of financial software and issue rogue transactions on behalf of legitimate parties.

The recent spate of Lazarus attacks in Southeast Asia and Europe were investigated for a number of weeks, but the researchers admit this could have been going under the radar for months.

Since December 2015, malware samples connected to Lazarus have appeared in financial institutions, banks, casinos, and systems used by software developers for investment companies in countries including Korea, India, Bangladesh, Thailand, Vietnam, and Costa Rica.

As the last known sample was found in March 2017, the research team believes Lazarus has "no intention of stopping" anytime soon, and rather than stop after failed attempts, Gostev said that cyberattackers would simply "evolve" and refine their approaches.

The Kaspersky team were able to continue tracking Lazarus for months, but now the threat actors have gone quiet -- at least, for now.

"We're sure they'll come back soon," said Kamluk. "In all, attacks like the ones conducted by Lazarus group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss."

"We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus," the researcher added.

Disclosure: The trip to St. Maarten was sponsored by Kaspersky.

VIDEO: This attack uses a phone's camera to crack Android pattern locks

5 things you should know about VPNs

Editorial standards