Evidence is emerging of links tying a spate of Asian bank breaches involving the SWIFT network to North Korea's malicious hacking Lazarus Group. The evidence has been brought to light by Aaron Shelmire senior threat researcher at cyber-security threat intelligence company Anomali.
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a network for financial institutions worldwide to send and receive information about financial transactions in a secure, standardised format.
According to CNN, the so-called Lazarus Group has already broken into Bangladesh's central bank and stolen US $101 million (£70 million). The group is also thought to have perpetrated attacks in banks located in Ecuador, the Philippines and Vietnam.
SWIFT, we know we have a problem
SCMagazineUK.com has already reported on news of SWIFT stating that it will update cyber-security policies as result of heists already carried out. Anomali Labs now claims to have evidence of stronger ties between North Korea and these banking attacks.
Shelmire explains that malware analysts at Symantec discovered two subroutines that were shared amongst Lazarus Group's Operation Blockbuster malware and two samples of malware from the recent SWIFT attacks. The shared subroutines are displayed as evidence to relate the SWIFT intrusion activity.
Symantec's analysis was utilised in a The New York Times story on May 27, 2016 and its findings supported a claim that these were the only two pieces of software with this shared code.
“The Anomali Labs team has conducted deeper research into a very large malware data repository,” writes Shelmire, on his firm's company blog.
Yada, yada, YARA
“This process utilised the YARA signature to search for the shared subroutines. At first, we believed it would produce a lot of false positives. Instead, this search not only failed to result in any false positives, but also turned up five other pieces of malware, which share this code. We see this as a possible attribution of the Lazarus group attacks to other attacks that involved these same five pieces of malware code,” he added.
As detailed here, YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA, malware researchers can create descriptions of malware families (or whatever they want to describe) based on textual or binary patterns.
In a list of malware families and samples known to include the Lazarus Wipe File routine, Anomali Labs has highlighted a selection of code including: SMBWorm, a known and recognisable chunk of North Korean malware, plus also imkrmig.exe, an unknown backdoor posing as a Korean sample of Microsoft Office 2007.
“Our approach to code comparison was to utilise Position Independent Code function hashes to compare the samples against one another. This process utilises cryptographic hash values derived from the instruction mnemonics within the binary code. By performing this comparison, we can see the direct overlap of these shared functions between the various samples,” explains Shelmire.
The investigative process
The lab team in this instance began by taking a look at the two subroutines that are reported by Symantec to be unique. They then retrieved the API names and added those to a YARA signature. The team began a search of a large malware database starting on Thursday night. On Friday morning, they thought they would be faced with a sea of false positives. But it only returned 10 matches!
Four of those were known samples of the SWIFT malware and one sample was a zip file that includes a known SWIFT sample. Hence, Anomali has gone ahead and published both its findings and its feelings.
Nuclear-armed bank robbers?
Speaking to SCMagazineUK.com exclusively on this story, Leo Taddeo chief security officer at Cryptzone has said that he would ‘caution against' matching code from previous attacks as the sole indicator to attribute the recent SWIFT frauds to a group, such as Lazarus, or Nortsauh Korea.
“Sophisticated actors are very much aware that analysis of this type would reveal their past activity and perhaps their true identity. Most of these groups incorporate malware borrowed from previous attacks to throw investigators off their tracks. If, however, North Korea is in fact behind the recent attacks against the SWIFT system, it would make Kim Jong Un and the DPRK the world's first nuclear-armed bank robbers," added Taddeo.
Absolute verification of attribution is difficult to achieve, thus the views expressed are one analysis of the data uncovered. Leo Taddeo, chief security officer at Cryptzone warns: "Investigators should be cautious in assigning responsibility for the recent attacks on the SWIFT system. Any adversary that has the resources to develop highly customised malware is sure to know that strings of code are like fingerprints that could reveal their true identity. The perpetrators of this attack most likely used one or more techniques to cover their tracks, including borrowing malware known to be used by other groups.
"If, in fact, North Korea is behind this attack, it leaves governments and private network defenders with few good options. Changing the behavior of a nuclear-armed hacker state is not one of them. The only real recourse is to redouble efforts to harden networks against the most dedicated and well-resourced adversaries. The best first steps are proper segmentation and robust identity and access management."