Opsec fail allows researchers to track Bangladesh Bank hack to North Korea
A computer in North Korea was used to launch one of the most high profile cyberattacks in recent memory, enabling hackers to break into the Federal Reserve Bank of New York and steal $81 million from Bangladesh Bank, according to new research conducted by Moscow-based Kaspersky Lab.
Kaspersky published original details about the incident Monday during the first day of a security conference hosted by the company on the Caribbean island of St. Maarten.
An apparent and rare operational security mistake made by the advanced hacking group, known as Lazarus Group, allowed researchers to spot a connection that existed between a compromised European server — used by the group to launch its attacks — and an internet address owned by North Korea’s only internet service provider.
The hackers reportedly failed to scrub log files on the European server, leaving a trail of digital bread crumbs back to the foreign computer.
Lazarus’ ties to North Korea are well documented by a myriad of private sector cybersecurity researchers. In 2014, the FBI also called out Lazarus for hacking into Sony Pictures, providing a rare instance of public attribution by U.S. law enforcement.
Traditionally, Kaspersky does not attribute cyber incidents to any specific threat actor. The new report is no different, though its researchers do note that they believe the Federal Reserve breach appears to be related in some manner to North Korea.
The new research report — titled “Lazarus Under the Hood” — at least helps to cement the attribution claims surrounding Lazarus and it showcases additional evidence that the Hermit Kingdom engages in financially motivated cybercrime.
Publicly accessible research authored by a cohort of cybersecurity firms suggests that Lazarus has been active since at least 2009.
The group, which is commonly described as an advanced persistent threat, was actively hacking into European financial institutions as recently as January 2017, Kaspersky researchers found. An exploit commonly attributed to Lazarus, which had been used against targets last year in Poland, was again used in recent bank heists.
Lazarus has been known to use various hacking tools to breach companies, including outdated, publicly known software exploits that only work on older versions of popular products, like Adobe Flash Player and Microsoft Silverlight.
“To date, the Lazarus/Bluenoroff group has been one of the most successful in large scale operations against financial industry,” Kaspersky’s research report reads, “we believe that it will remain one of the biggest threats to the banking sector, finance and trading companies as well as casinos, for years to come.”