New York, NY (BBN) - Security researchers have tied the recent spate of digital breaches on Asian banks to North Korea, in what they say appears to be the first known case of a nation using digital attacks for financial gain.
In three recent attacks on banks, researchers working for the digital security firm Symantec said, the thieves deployed a rare piece of code that had been seen in only two previous cases: the hacking attack at Sony Pictures in December 2014 and attacks on banks and media companies in South Korea in 2013, reports the New York Times.
Government officials in the United States and South Korea have blamed those attacks on North Korea, though they have not provided independent verification.
On Thursday, the Symantec researchers said they had uncovered evidence linking an attack at a bank in the Philippines last October with attacks on Tien Phong Bank in Vietnam in December and one in February on the central bank of Bangladesh that resulted in the theft of more than $81 million.
“If you believe North Korea was behind those attacks, then the bank attacks were also the work of North Korea,” said Eric Chien, a security researcher at Symantec, who found that identical code was used across all three attacks.
“We’ve never seen an attack where a nation-state has gone in and stolen money,” Mr. Chien added. “This is a first.”
The attacks have raised alarms in the global banking industry because the thieves gained access to Swift, a Brussels-based banking consortium that runs what is considered the world’s most secure payment messaging system. Swift’s system is used by 11,000 banks and companies to move money from one country to another — one reason that it is a tempting target for criminals.
Swift has warned publicly that the attacks are part of a broad coordinated assault on banks, though it has not assigned blame. It has also emphasized that it was the banks’ connection points to its network — and not the core Swift messaging network itself — that the attackers were able to breach.
Also, American bankers have noted that the security lapses all occurred at banks in third-world countries, which may give some comfort to banking customers in the United States.
Security researchers and American government officials have tied thousands of attacks to nations in the past. They have linked the United States and Israel to an attack that destroyed Iranian centrifuges, and the Chinese military and contractors to attacks that stole military and trade secrets from thousands of foreign entities.
But the latest spate of attacks on banks in Bangladesh and Southeast Asia would be the first time, security researchers say, that a nation has used malicious code to steal purely for financial profit.
The idea that Pyongyang had turned to digital theft would not be surprising. North Korea’s economy has been ravaged by sanctions, food shortages and other deprivations.
Pyongyang does not publish economic data, but estimates have put North Korea’s gross domestic product between $12 billion and $40 billion, tiny when compared with South Korea’s economic output of more than $1.4 trillion.
In the attack at Bangladesh’s central bank in February, the thieves tried to transfer $1 billion in funds from an account at the Federal Reserve Bank of New York. Fed officials became suspicious of some of the requested transfers and released only $81 million to accounts in the Philippines.
“If you presume it’s North Korea, $1 billion is almost 10 percent of their G.D.P.,” Mr. Chien said. “This is not small change for them.”
Symantec researchers said it was possible that the bank in the Philippines containing the North Korean code was also involved in the Bangladesh bank scheme and the attempted breach on the Vietnamese bank.
The researchers would not identify the Philippines bank and did not say whether the thieves had been successful in transferring funds.
Researchers were able to confirm only that the attackers had managed to breach the bank and install identical code strings on the bank’s computer systems — the same code that they discovered in Bangladesh, Vietnam and the two previous attacks at Sony in 2014 and South Korea in 2013.
Mr. Chien noted that the attackers not only used identical numbers but wrote the code in the same, unusual sequence across all three attacks.
Mr. Chien said the evidence pointed to all three attacks being the work of the “Lazarus Group,” a name his team gave to the attackers behind the Sony and South Korean attacks.
Officials have pointed to North Korea’s threat of “merciless countermeasures” against Sony if the studio released “The Interview,” a movie by Seth Rogen and Evan Goldberg that made fun of North Korea and includes a fictional assassination of its leader.
F.B.I. analysts also note critical mistakes North Korean hackers made, such as logging into their attack servers from known North Korean Internet addresses and even logging into both their Facebook account and Sony’s servers from the same computers.
In the months since evidence of the attacks involving the Swift network started to emerge, investigators have been looking for commonalities at numerous other potential breaches.
It remains unclear whether these breaches are connected to the ones in Bangladesh and Vietnam, but they too have occurred in or around Southeast Asia.
There is no evidence to date that the thieves have gone after large American or European banks, though new possible attacks are being reported weekly.
Last week, evidence emerged that Banco del Austro, an Ecuadorean bank, was infiltrated by hackers who were also able to sneak onto the Swift network.
The thieves transferred several million dollars to accounts around the world, according to a lawsuit the bank filed in federal court in the United States against Wells Fargo, which facilitated one of the transfers.
Researchers have yet to unearth any of the code used in the Ecuador attack, but banking analysts say it is probably no coincidence that these attacks are happening in the developing world, where security measures tend not to be as tight as they are in financial hubs like New York and London.
Swift has issued numerous warnings in recent weeks urging banks to step up their security protocols. Analysts worry that the breaches could have a chilling effect on global finance; larger banks may become reluctant or even refuse to transact with smaller banks in the developing world unless they can have assurances that their networks have not been compromised by thieves and malware.
At a conference on Tuesday in Brussels, Swift’s chief executive, Gottfried Leibbrandt, said the recent attacks could do far more damage than breaches on retailers and telephone companies, which he said suffer largely reputational and legal hits.
“Banks that are compromised like this can be put out of business,” Mr. Leibbrandt said.
North Korea has long been known for creative attempts to generate badly needed hard currency. In the last decade, United States government officials accused North Korea of counterfeiting $100 bills, which were known as “superdollars” or “supernotes” because the fakes were nearly flawless.
The Federal Reserve began thwarting that effort by circulating a new $100 bill over the last three years that makes counterfeiting nearly impossible: The redesigned $100 is easier to authenticate and harder to replicate.
“North Korea is hurting for money,” said Herb Lin, the senior research scholar for cyberpolicy and security at Stanford University’s Center for International Security and Cooperation and a fellow at Stanford’s Hoover Institution. “They’ve been cut out of the financial system because of sanctions. They had been among the best counterfeiters in the world, and only recently have they been stymied in the counterfeiting of superdollars. If it’s true that we’ve cut them off from that, then it’s not at all surprising that they would turn to something else.”