According to three people with knowledge of the matter cited by Cyberscoop the attacks were carried by North Korea-linked APT groups that targeted also other banks
Recent attacks hit Mexico’s Bancomext and Chile’s Bank of Chile, in both cases the attackers used a variant of the dreaded disk wiper KilllDisk to infect the systems of the banks and steal funds through the SWIFT payment system.
“North Korea was involved in both breaches, the sources said, adding that they were tied to others that haven’t yet been disclosed.” states Cyberscoop.
“Two sources reviewed inside information about the breach investigations, which are still ongoing. Confidential technical reports about the incidents are already being shared within private information sharing groups comprised of other financial institutions.”
Investigations conducted by many security firms on past security breaches always linked North Korea to the attacks against the SWIFT systems.
At the time it is not clear attack vector, but experts believe hackers targeted the banks with spear phishing campaigns or using credentials obtained from other breaches.
Bancomtext and Bank of Chile aren’t the only victims of the hackers, the Mexican financial institution Banorte suffered a similar security breach.
“SWIFT doesn’t comment on the attribution of cyberattacks – that is a question for law enforcement – but we can say that the cyber threat facing the financial community is fast increasing in terms of sophistication … [we’re unaware of] evidence that SWIFT’s own network or core messaging services have ever been compromised. Rather, in each of the incidents customers first suffered security breaches within their local environments.” reads statement send by a SWIFT spokesperson via email.
Once the hackers have penetrated the organizations, they will usually exploit vulnerabilities in a banks funds’ “transfer initiation environments,” to steal credentials and make fraudulent and irrevocable transfers.
Attackers also adopted “diversionary smokescreens” by using wiper malware to make hard the attribution of the attack and the response to the incidents.
“Shared malware variants between the multiple incidents, known as”MBR Killer” and “Bootwreck/killdisk,” caused systems to wipe boot data and other forensic records. The North Korean hackers have been seen using a combination of different wipers in their attacks.” added CyberScoop.
“The group who attacked the Mexican bank used both in their attack,” said Fernando Merces, a senior threat researcher with Trend Micro, an international cybersecurity firm. “There was also an MBR Killer used in a Taiwanese bank a few years ago … The financial sector sees these attacks most frequently. The attacks have been seen globally.”
The use of the MBR Killer alone doesn’t represent an evidence of the involvement of a specific threat actor because its code was posted to a cybercrime forum and was reused by a wide range of actors.
In this case, forensic experts collected other indicators suggesting the involvement of the North Korea’s “Lazarus Group” in Latin America.
“CyberScoop obtained a confidential intelligence report, labelled “TLP: Amber,” authored May 29 by New York-based intelligence firm Flashpoint. That report further connected MBR Killer to the Chile case. The report states that this module had been “leveraged to hide the evidence of successful bank network penetrations.”” concludes CyberScoop.
Even if the attackers attempted to destroy any evidence, the analysis of TTPs allows attributing the attack to Pyongyang.
“Attackers often delete any evidence of fraudulent transactions on victim’s local system, but SWIFT can … [provide] the header data of the messages that SWIFT received from the impacted organization,” the SWIFT spokesperson added.
According to the Mexican financial media outlet, El Financiero hackers compromised Mexico’s interbank transfer system, aka “Sistema de Pagos Electrónicos Interbancarios” (SPEI), with the FALLCHILL, a RAT associated with North Korea-linked APT groups.
(Security Affairs – SWIFT hackers, North Korea)