According to reports by The New York Times, security researchers are beginning to tie the recent run of Asian bank cyberheists to North Korea. If the connection bears out, it would be the first known case of a state sanctioning such attacks as a fundraising measure.
Symantec researchers have identified a rare section of code deployed in at least three recent bank attacks that had heretofore only been seen in two other cases. The first was an attack on banks and media companies in South Korea in 2013; the second was the hacking attack on Sony Pictures in Dec. 2014.
Both attacks have been officially credited to North Korea by officials in the United States and South Korea, though, as of yet, no independent verification of that has been provided.
Symantec researchers’ evidence reportedly ties an attack on a bank in the Philippines last October with attacks on Tien Phong Bank in Vietnam in December and one in February on the central bank of Bangladesh that resulted in the theft of more than $81 million.
“If you believe North Korea was behind those attacks, then the bank attacks were also the work of North Korea,” said Eric Chien, a security researcher at Symantec, who found that identical code was used across all three attacks.
“We’ve never seen an attack where a nation-state has gone in and stolen money,” Chien added. “This is a first.”
The attacks have set off warning bells worldwide, since the thieves found a way to tap into the SWIFT messaging system, which had been considered the world’s most secure payment message system. Worldwide, 11,000 banks and financial institutions are tied into SWIFT, and in recent weeks, the staggering amounts of money moved via the system have proven to be an incredibly enticing target.
SWIFT has warned about the dangers of the attacks and indicated its belief that they may all represent a broader coordinated assault on banks, while also highlighting that hackers are penetrating endpoints on the system, not the core of the system itself.
As for the rather unusual step of hacking for financial gain — as opposed to for intelligence reasons, as has been the case previously — it is not entirely surprising given the rather bleak economic situation of North Korea. Pyongyang does not publish economic data, but most estimates put North Korea’s GDP in the $12 billion to $40 billion range, as opposed to South Korea’s, which is well north of $1 trillion.
“If you presume it’s North Korea, $1 billion is almost 10 percent of their GDP,” Chien said. “This is not small change for them.”
And it seems increasingly possible that this is the case, given that the malware used in the attacks not only contained identical numbers but also had its code written in the same unusual sequence across all three attacks.
So far, there is no data that indicates thieves are using similar methods to target large American or European banks, though new possible attacks are being reported weekly. Banco del Austro, an Ecuadorean bank, announced last week that it was cracked by hackers who were also able to sneak onto the SWIFT network. Several million went AWOL as a result.
It is unknown, as of yet, what code was used in the Ecuador attack.