Shared malware code links SWIFT-related breaches at banks and North Korean hackers

Malware links suggest that North Korean hackers might be behind recent attacks against several Asian banks, including the theft of US$81 million from the Bangladesh central bank earlier this year.

Security researchers from Symantec have found evidence that the malware used in the Bangladesh Bank cyberheist was used in targeted attacks against an unnamed bank in the Philippines. The same malware was also previously linked to an attempted theft of $1 million from Tien Phong Bank in Vietnam.

Symantec confirmed the earlier findings of researchers from BAE Systems who found code similarities between the Bangladesh Bank malware, which was used to modify SWIFT transfers, and the malicious program used in attacks against Sony Pictures Entertainment in December 2014.

The U.S. government attributed the Sony attack to North Korea. FBI Director James Comey said last year he had “very high confidence” in that attribution despite denials from the North Korean government and the skepticism of some security researchers.

The hacker group behind the Sony attack is known in the computer security industry as Lazarus and has been active since at least 2009, primarily targeting organizations from the U.S. and South Korea. One of the malware programs in the group’s toolset is called Backdoor.Contopee.

“Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee,” the Symantec researchers said in a blog post.

Backdoor programs provide unauthorized access to a computer, but their presence doesn’t necessarily reveal the attackers’ end goal. However, the motivation for those targeted attacks became clearer when similar code was found in Trojan.Banswift, which was used in the Bangladesh attack to manipulate SWIFT transactions, and earlier versions of Backdoor.Contopee, the researchers said.

The primary link is a portion of code that wipes files using a unique routine. It is shared by Trojan.Banswift and Backdoor.Contopee.

The file-wiping code has not been found in other malware programs, and Backdoor.Contopee was used by Lazarus in targeted attacks against banks in the region. Those connections led the Symantec researchers to believe Trojan.Banswift was also created by the same group.

“The discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region,” the Symantec researchers say.

The announcement comes after a Bloomberg report that up to a dozen banks from Southeast Asia have hired security firm FireEye to investigate potential security breaches and SWIFT irregularities on their networks.