New wave of cyberattacks against global banks linked to Lazarus cybercrime group

Dozens of banks -- particularly in the United States and Poland -- have been targeted by newly identified malware.
Written by Danny Palmer, Senior Writer

Almost 20 US banks have been specifically targeted by Lazarus hackers.


An aggressive campaign of malware attacks against dozens of banks across the globe has been linked to the notorious cybercriminal group known as Lazarus.

The hacking gang, active since 2009, has been involved in a number of aggressive cyberattacks against financial institutions, including the theft of $81m from the Bangladesh Bank's account at the US Federal Reserve.

Now the group continues to be a thorn in the side of organisations across the globe as banks in 31 countries have been targeted in a new wave of attacks by Lazarus that began in October last year.

This latest wave of attacks came to light when a Polish bank discovered previously unknown malware on its network and shared indicators of compromise with other institutions, a number of which also found they'd fallen victim to the malware.

The source of the attack is suspected to have been the website of the Polish financial regulator, which was compromised by hackers who used a watering hole attack to redirect visitors to an exploit kit. This exploit kit infected specific targets with malware that's instructed to only infect visitors from around 150 different IP addresses.

While these are mostly banks, a small number of telecommunications and internet firms have also been targeted by this malware scheme, which takes aim at 104 organisations in 31 countries. Banks in Poland and the United States are most targeted by Lazarus in this attack, which also hit a number of banks in Central and South America.


Figure: Top countries targeted by Lazarus attackers since October 2016. (Image: Symantec)

The malware used in the latest attacks was previously unidentified, but researchers at Symantec have analysed the malicious software and have discovered that the code shares common traits with the Lazarus group.

Identified as Ratankba, the malware contacts a command-and-control hub before downloading HackTool, a virus that shares distinctive characteristics associated with Lazarus. In addition to targeting banks, the Lazarus gang has also been linked to a Trojan attack on Sony Pictures Entertainment's internal network.

As large depositories of both money and financial data, banks are a lucrative target for hackers and therefore face persistent and sophisticated cyberattacks, with institutions across the globe continually having their defences tested.
