Security firm BAE Systems' analysis of the malware used in the $81m cyber theft from Bangladesh Bank in March has turned up links to the tools used in the 2014 attack on Sony Pictures.
BAE published its analysis on Friday shortly after payment network SWIFT announced that a second unnamed banking customer had been hit with malware to compromise the bank's use of the SWIFT messaging system.
SWIFT said the malware targeted a PDF reader used by the bank to check statement messages.
According to BAE, a Vietnamese commercial bank was infected with the same malware as the Bangladesh Bank, and its researchers believe the two banks are just the latest victims in a decade-long operation.
"What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign. This led to the identification of a commercial bank in Vietnam that also appears to have been targeted in a similar fashion using tailored malware, but based off a common code-base," BAE Systems security researchers Sergei Shevchenko and Adrian Nish said in a blog post published today.
While BAE's research turned up numerous custom malware tools, a common link between them was a wipe-out and file-deletion function in a file called msoutc.exe, which the researchers said had identical features to the malware used in the Sony attacks.
"The implementation of this function is very unique. It involves complete filling of the file with the random data to occupy all associated disk sectors, before the file is deleted," the researchers noted.
"The file-delete function itself is also unique. The file is first renamed into a temporary file with a random name, and that temporary file is also deleted."
The FBI blamed North Korea for the attack on Sony, but the Asian state denied any involvement. BAE's report follows claims by security firm FireEye, which has been hired by Bangladesh Bank to investigate its breach, that it found evidence that hacking groups from North Korea and Pakistan were behind the attack.
Other features that BAE found to link the recent bank attacks to the Sony breach were spelling errors and the exclusive use of Visual C++ 6.0 to develop the malware.
The BAE researchers note that attribution of an attack is hard and often impossible. However, they also argue they have established strong enough links to suggest it is the work of the same coder.
"While there are possibilities that exist which may lead to alternative hypotheses, these are unlikely and as such, we believe that the same coder is central to these attacks," the researchers wrote.
"Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone. However, this adds a significant lead to the investigation."
Read more on security
- Chrome security: Google fixes three high-severity bugs, pays $20k in bounties
- Severe 7-Zip vulnerabilities cause top security, software tools patch panic
- Tumblr discloses email security breach
- Adobe releases Flash update to fix critical security flaws
- Mozilla wants feds to turn over Firefox hack used to catch sex offender
- Ransomware: How high will the demands go?
- Microsoft Windows zero-day exposes companies to credit card data theft