Opsec fail allows researchers to track Bangladesh Bank hack to North Korea

The North Koreans were sloppy with their log data scrubbing, according to Kaspersky.

A computer in North Korea was used to launch one of the most high profile cyberattacks in recent memory, enabling hackers to break into the Federal Reserve Bank of New York and steal $81 million from Bangladesh Bank, according to new research conducted by Moscow-based Kaspersky Lab.

Kaspersky published original details about the incident Monday during the first day of a security conference hosted by the company on the Caribbean island of St. Maarten.

An apparent and rare operational security mistake by the advanced hacking group known as Lazarus Group allowed researchers to spot a connection between a compromised European server — used by the group to launch its attacks — and an internet address owned by North Korea’s only internet service provider.

The hackers reportedly failed to scrub log files on the European server, leaving a trail of digital breadcrumbs back to the foreign computer.

Lazarus’ ties to North Korea are well documented by a myriad of private-sector cybersecurity researchers. In 2014, the FBI also called out Lazarus for hacking into Sony Pictures, providing a rare instance of public attribution by U.S. law enforcement.

Traditionally, Kaspersky does not attribute cyber incidents to any specific threat actor. The new report is no different, though the researchers do note that they believe the Federal Reserve breach appears to be related in some manner to North Korea.

The new research report, titled “Lazarus Under the Hood,” at least helps to cement the attribution claims surrounding Lazarus, and it showcases additional evidence that the Hermit Kingdom engages in financially motivated cybercrime.

Publicly accessible research authored by a cohort of cybersecurity firms suggests that Lazarus has been active since at least 2009.

The group, which is commonly described as an advanced persistent threat, was actively hacking into European financial institutions as recently as January 2017, Kaspersky researchers found. An exploit commonly attributed to Lazarus, which had been used against targets in Poland last year, was used again in recent bank heists.

Lazarus has been known to use a variety of hacking tools to breach companies, including outdated, publicly known software exploits that only work on older versions of popular products such as Adobe Flash Player and Microsoft Silverlight.

“To date, the Lazarus/Bluenoroff group has been one of the most successful in large scale operations against financial industry,” Kaspersky’s research report reads, “we believe that it will remain one of the biggest threats to the banking sector, finance and trading companies as well as casinos, for years to come.”

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.