Report Reveals Biggest Online Threat to Financial Institutions 

Emma Okonji

Kaspersky Lab, a global cyber security company with intelligence and security expertise to detect online financial fraud, has published the results of its more than year-long investigation into the activity of the latest virus, called Lazarus, which caused the biggest financial fraud ever.

The report linked Lazarus to a notorious hacking group allegedly responsible for the theft of $81 million from the Central Bank of Bangladesh in 2016.

During the forensic analysis of artifacts left by the group in South-east Asian and European banks, Kaspersky Lab said it reached a deep understanding of what malicious tools the group uses and how it operates while attacking financial institutions, casinos, software developers for investment companies and crypto-currency businesses around the world. This knowledge has helped to interrupt at least two other operations which had one goal – to steal a large amount of money from financial institutions.

In Nigeria, there has been heavy financial theft amounting to billions of naira and the Central Bank of Nigeria, in collaboration with financial technology solution providers, has come up with new measures to address the ugly trend.
According to the Kaspersky report, in February 2016, a group of hackers, unidentified at that time, attempted to steal $851 million, and managed to transfer $81 million from the Central Bank of Bangladesh. This is considered to be one of the largest and most successful cyber heists ever.

Further investigation conducted by researchers from different information technology (IT) security companies including Kaspersky Lab revealed a high chance that the attacks were conducted by Lazarus – a notorious cyber espionage and sabotage group responsible for a series of regular and devastating attacks, and known for attacking manufacturing companies, media and financial institutions in at least 18 countries around the world since 2009.

Although several months of silence followed the Bangladesh attack, the Lazarus group was still active. They had been preparing for a new operation to steal money from other banks and, by the time they were ready, they already had their foot in a financial institution in South East Asia. After being interrupted by Kaspersky Lab products and the investigation that followed, they were set back for another few months, and later decided to change their operation by moving to Europe. But in Europe, too, their attempts were interrupted by Kaspersky Lab’s security software detections, as well as the quick incident response, forensic analysis, and reverse engineering with support from the company’s top researchers, the report said.

Based on the results of the forensic analysis of these attacks, Kaspersky Lab researchers were able to reconstruct the modus operandi of the group, the report further said.

Analysing the initial compromise, the report revealed that a single system inside a bank was breached either through remotely accessible vulnerable code on a web server or through a watering-hole attack, in which an exploit is planted on a benign website. Once such a site is visited, the victim’s (a bank employee’s) computer is infected with malware, which then brings in additional components.

Subsequently, the group spends days or weeks learning the network and identifying valuable resources. One such resource may be a backup server where authentication information is stored, a mail server, or the whole domain controller with keys to every “door” in the company, as well as servers storing or processing records of financial transactions.

Finally, they deploy special malware capable of bypassing the internal security features of financial software and issuing rogue transactions on behalf of the bank, the Kaspersky report revealed.

According to Kaspersky Lab records, from December 2015, malware samples relating to Lazarus group activity appeared in financial institutions, casinos, software developers for investment companies and crypto-currency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries. The latest samples known to Kaspersky Lab were detected in March 2017, showing that the attackers have no intention of stopping.