
The interbank SWIFT system is going through hard times. In February 2016, due to imperfections in SWIFT, hackers managed to withdraw $81 million from the Central Bank of Bangladesh; we wrote about this story earlier. It later emerged that this was not the only case of SWIFT hacking. Back in January 2015, Banco del Austro in Ecuador also fell victim to intruders. In addition, a previously unreported unsuccessful attack on Vietnam's Tien Phong Bank came to light.
Experts from the anti-virus company Symantec investigated this series of intrusions to understand who could be behind these crimes and the theft of millions of dollars from financial organizations around the world.
Attack on Banco del Austro in Ecuador
The attack on the bank in Ecuador occurred in January 2015. As a result of the cyber attack, $9 million was stolen. The criminal scheme is similar to the one used in the attack on the Central Bank of Bangladesh. It is believed that the attackers used a program able to read files on the bank's computers that worked with the SWIFT system, bypassing local security measures. The hackers had access to the bank's systems for 10 days. During this time, the program sent fraudulent requests through SWIFT to Wells Fargo in San Francisco and initiated money transfers to accounts in Hong Kong, Dubai, New York and Los Angeles.
The hack was kept secret. It was made public only in May 2016, when the affected bank filed a lawsuit in federal court in New York. In its suit against Wells Fargo, Banco del Austro demands the return of the entire stolen amount.
SWIFT management issued an official statement that the system's network, software and core messaging services had not been compromised, but that the hackers who carried out the attack had a very good understanding of how operational controls worked in the affected bank.
The Lazarus group
According to Symantec experts, the hacker group Lazarus could be behind the attacks described above. This group has existed for many years; its earliest known activity dates to 2007-2009.
Graphs of their activity indicate that the group's members live in the GMT+8 or GMT+9 time zone. In addition, their working day lasts at least 15-16 hours. "Probably, the Lazarus Group is the most hardworking APT group of all we have studied (and there have been a lot of those in recent years)," Kaspersky Lab employees report.
Since then, the attackers have created more than 45 families of malware that have been used successfully in cyber espionage, as well as in attacks aimed at destroying data and disabling a variety of systems. According to experts, the Lazarus group is responsible for the destructive attack on the film company Sony Pictures Entertainment in 2014.
Symantec experts found evidence that the cyber attacks on Sony Pictures, the Central Bank of Bangladesh, and banks in Vietnam and the Philippines were the work of the same actor. North Korean hackers used the same specific code in all of these intrusions. In addition, the group's particular methods for erasing traces of its presence in infected systems, and the techniques by which it avoided detection by anti-virus software, point to Lazarus's involvement in all these incidents. As a result, dozens of digital attacks whose organizers were unknown until recently boil down to one source: Lazarus.
Symantec representatives state that if it is confirmed that the attacks were organized by the DPRK, it will be the first case in world history of a government engaging in theft through hacking.
Why the DPRK
North Korea is in dire need of money. The country's economy suffers from sanctions and food shortages. Pyongyang does not publish economic data, but by some estimates North Korea's GDP is somewhere between $12 billion and $40 billion. It is possible that the DPRK government would resort to criminal means to replenish its budget.
For example, the country became a producer of counterfeit money: US government officials have repeatedly accused North Korea of counterfeiting hundred-dollar bills, known as superdollars or supernotes because the fakes were almost indistinguishable from the originals.
Eric Chien, a security specialist at Symantec, does not rule out that the DPRK is carrying out cyber attacks to get money. "When the Bangladesh Central Bank account was hacked, the hackers tried to steal $1 billion, which is almost 10 percent of the estimated DPRK GDP for 2014, so this idea is quite plausible," he said.
How to protect SWIFT
To isolate the threat that may come from North Korea, the country's banking system could be disconnected from the rest of the world; this measure is being discussed as a sanction. In addition, in the winter of 2016 Russia's Kaspersky Lab and the American companies Novetta, AlienVault and Symantec announced a large-scale joint operation called "Blockbuster". Its stated purpose is to stop the Lazarus hacker group.
However, the administration of the SWIFT system does not rely solely on the efforts of anti-virus company experts. Although the financial transfer system officially does not take responsibility for the incidents that have occurred, the organization has nevertheless developed five measures with which it hopes to improve the state of cyber security.
- SWIFT intends to significantly improve information sharing among members of the global financial community. According to SWIFT CEO Gottfried Leibbrandt, financial institutions rarely report hacker attacks for fear of damaging their reputation. Such silence only aggravates the situation and makes it impossible to prevent subsequent attacks on the banking sector.
- It also plans to tighten the security rules for the software used by banks.
- SWIFT will develop and offer its customers a special "payment control program" that will help identify suspicious activity at an early stage.
- The organization also intends to improve its recommendations and develop a secure audit framework for its client banks.
- In addition, it plans to introduce requirements for third-party software vendors.
Implementing the proposed measures will cost financial corporations a considerable sum. However, only the combined efforts of the whole industry can achieve results.
"SWIFT is not omnipotent, we are not a regulator, we are not a policeman. Success depends on the participation of all stakeholders in and around the industry," says Leibbrandt.
Former SWIFT CEO Leonard Schrank believes that the mistakes will, of course, be corrected. However, repelling hacker attacks will become harder each time, since financial institutions attract highly skilled crackers.
Financial companies are also developing their own means of protection independently, and not only against the consequences of hacks but also against ordinary errors in IT systems. For example, errors in the operation of exchange systems can lead to incorrect display of trade data or incorrect calculation of the collateral required to hold a position (an error can even lead to premature closing of a position).
To minimize possible damage, brokerage companies are developing various systems to protect their customers. How this protection is implemented in the ITinvest MatriX trading system can be read here.