North Korea Linked to Digital Attacks on Global Banks
Security researchers have tied the recent spate of digital breaches on Asian banks to North Korea, in what they say appears to be the first known case of a nation using digital attacks for financial gain.
In three recent attacks on banks, researchers working for the digital security firm Symantec said, the thieves deployed a rare piece of code that had been seen in only two previous cases: the hacking attack at Sony Pictures in December 2014, and attacks on banks and media companies in South Korea in 2013. Government officials in the United States and South Korea have blamed those attacks on North Korea, though they have not provided independent verification.
On Thursday, the Symantec researchers said they had uncovered evidence linking an October attack at a bank in the Philippines with attacks on Tien Phong Bank in Vietnam in December and one in February on the central bank of Bangladesh that resulted in the theft of more than $81 million.
“If you believe North Korea was behind those attacks, then the bank attacks were also the work of North Korea,” said Eric Chien, a security researcher at Symantec, who found that the identical code was used across all three attacks.
“We’ve never seen an attack where a nation-state has gone in and stolen money,” Chien added. “This is a first.”
The attacks have raised alarms in the global banking industry because the thieves gained access to Swift, a Brussels-based banking consortium that runs what is considered the world’s most secure payment messaging system. Swift’s system is used by 11,000 banks and companies to move money from one country to another — one reason that it is a tempting target for criminals.
Swift has warned publicly that the attacks are part of a broad coordinated assault on banks, though it has not assigned blame. It has also emphasized that it was the banks’ connection points to its network — and not the core Swift messaging network itself — that the attackers were able to breach. Also, U.S. bankers have noted that the security lapses all occurred at banks in third-world countries, which may give some comfort to banking customers in the United States.
Security researchers and U.S. government officials have tied thousands of attacks to nations in the past. They have linked the United States and Israel to an attack that destroyed Iranian centrifuges.
But the latest spate of attacks on banks in Bangladesh and Southeast Asia would be the first time, security researchers say, that a nation has used malicious code to steal purely for financial profit.
The idea that Pyongyang had turned to digital theft would not be surprising. North Korea’s economy has been ravaged by sanctions, food shortages and other deprivations. Pyongyang does not publish economic data, but estimates have put North Korea’s gross domestic product between $12 billion and $40 billion, tiny when compared with South Korea’s economic output of more than $1.4 trillion.
In the attack at Bangladesh’s central bank in February, the thieves tried to transfer $1 billion in funds from an account at the Federal Reserve Bank of New York. Fed officials became suspicious of some of the requested transfers and released only $81 million to accounts in the Philippines.
“If you presume it’s North Korea, $1 billion is almost 10 percent of their GDP,” Chien said. “This is not small change for them.”
Symantec researchers said it was possible that the bank in the Philippines containing the North Korean code was also involved in the Bangladesh bank scheme and the attempted breach on the Vietnamese bank.
The researchers would not identify the Philippines bank and did not say whether the thieves had been successful in transferring funds. Researchers were able to confirm only that the attackers had managed to breach the bank and install identical code strings on the bank’s computer systems — the same code that they discovered in Bangladesh, Vietnam and the two previous attacks at Sony in 2014 and South Korea in 2013.
Chien noted that the attackers not only used identical numbers but wrote the code in the same, unusual sequence across all three attacks.
Chien said the evidence pointed to all three attacks being the work of the “Lazarus Group,” a name his team gave to the attackers behind the Sony and South Korean attacks.
There is no evidence to date that the thieves have gone after large U.S. or European banks, though new possible attacks are being reported weekly. Last week, evidence emerged that Banco del Austro, an Ecuadorean bank, was infiltrated by hackers who were also able to sneak onto the Swift network. The thieves transferred several million dollars to accounts around the world, according to a lawsuit the bank filed in federal court in the United States against Wells Fargo, which facilitated one of the transfers.
Researchers have yet to unearth any of the code used in the Ecuador attack, but banking analysts say it is probably no coincidence that these attacks are happening in the developing world, where security measures tend not to be as tight as they are in financial hubs like New York and London.
Swift has issued numerous warnings in recent weeks urging banks to step up their security protocols. Analysts worry that the breaches could have a chilling effect on global finance; larger banks may become reluctant or even refuse to transact with smaller banks in the developing world unless they can have assurances that their networks have not been compromised by thieves and malware.
At a conference on Tuesday in Brussels, Swift’s chief executive, Gottfried Leibbrandt, said the recent attacks could do far more damage than breaches on retailers and telephone companies, which he said suffer largely reputational and legal hits.
“Banks that are compromised like this can be put out of business,” Leibbrandt said.