A string of devastating bank hacks across Latin America all carry North Korean fingerprints, according to three people with knowledge of the matter.
Several high profile incidents that were only recently disclosed, including breaches at Mexico’s Bancomext and Chile’s Bank of Chile, saw the attacker drop destructive malware after attempting to leverage the SWIFT payment system to siphon money through fraudulent transfer requests.
North Korea was involved in both breaches, the sources said, adding that they were tied to others that haven’t yet been disclosed.
Two sources reviewed inside information about the breach investigations, which are still ongoing. Confidential technical reports about the incidents are already being shared within private information sharing groups comprised of other financial institutions.
Historically, the only nation state-linked hacking group known to manipulate SWIFT is believed to be associated with the North Korean regime. It is not yet clear how the hackers breached the banks, although email phishing and password reuse are thought to be common causes. In total, more than $15 million was stolen in recent months.
Bancomext and Bank of Chile did not respond to a request for comment. Banorte, another Mexican financial institution that was similarly affected by a data breach, referred to a previous statement.
Amid an ongoing diplomatic effort by the U.S. to mend relations with North Korea, the string of recent bank hacks is raising alarm bells inside other global financial institutions, especially in Latin America, Eastern Europe and Southeast Asia. In these three regions, North Korean-linked hacking groups have been ramping up operations, the sources said.
In an emailed statement, a SWIFT spokesperson said: “SWIFT doesn’t comment on the attribution of cyberattacks – that is a question for law enforcement – but we can say that the cyber threat facing the financial community is fast increasing in terms of sophistication … [we’re unaware of] evidence that SWIFT’s own network or core messaging services have ever been compromised. Rather, in each of the incidents customers first suffered security breaches within their local environments.”
Once inside, attackers will usually exploit vulnerabilities in a bank's funds “transfer initiation environments” to steal credentials, create fraudulent messages and initiate the irrevocable transfer process, the spokesperson said, adding that SWIFT would not comment on individual clients or incidents.
“In a final step, the attackers [have previously] also tampered with statements and confirmations and deployed diversionary smokescreens, thereby delaying the victims’ ability to recognize the fraud.”
These “diversionary smokescreens” described by SWIFT have largely come in the form of wiper malware since 2017, which corrupts or otherwise destroys data on an already infected system.
The attribution assessment concerning a North Korean-linked hacking group was described to CyberScoop as “medium confidence,” based on an internal analysis of the attacker’s tools, tactics and procedures (TTPs).
Malware variants shared between the multiple incidents, known as “MBR Killer” and “Bootwreck/killdisk,” caused systems to wipe boot data and other forensic records. The North Korean hackers have been seen using a combination of different wipers in their attacks.
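A wiper of the MBR Killer type leaves a characteristic signature in sector 0 of the disk: the 0x55AA boot signature is gone and the partition table is empty. The following triage routine, added here as an illustration and not code from the article or from any of the firms it quotes, parses one 512-byte sector from a disk image and classifies it as intact, wiped or damaged. The sample MBR it builds is constructed for the example; the verdict thresholds are this example's own heuristics.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
BOOTCODE_END = 446   # bytes 0..445 hold the boot code
PTABLE_END = 510     # bytes 446..509 hold four 16-byte partition entries


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty entries of the classic four-slot MBR partition table."""
    entries = []
    for i in range(4):
        off = BOOTCODE_END + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0x00 marks an unused slot
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": lba_count})
    return entries


def triage_mbr(sector: bytes) -> dict:
    """Classify sector 0 of a disk image.

    'wiped'   : signature gone, partition table empty, boot code all zero
                (the whole sector was overwritten, as an MBR wiper does)
    'intact'  : signature present, at least one partition, boot code non-zero
    'damaged' : anything in between; needs manual review
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    signature_ok = sector[PTABLE_END:] == BOOT_SIGNATURE
    bootcode_zeroed = not any(sector[:BOOTCODE_END])
    partitions = parse_partition_table(sector)
    if signature_ok and partitions and not bootcode_zeroed:
        verdict = "intact"
    elif not signature_ok and not partitions and bootcode_zeroed:
        verdict = "wiped"
    else:
        verdict = "damaged"
    return {"verdict": verdict, "signature_ok": signature_ok,
            "bootcode_zeroed": bootcode_zeroed, "partitions": partitions}


def make_sample_mbr() -> bytes:
    """Constructed sample: a minimal healthy MBR with one bootable NTFS partition."""
    # A typical boot-code prologue (xor ax,ax / mov ss,ax / mov sp,0x7c00), zero-padded.
    bootcode = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOTCODE_END, b"\x00")
    # Entry 0: bootable (0x80), type 0x07 (NTFS), starting at LBA 2048, 1 MiB of sectors.
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1048576)
    table = entry + b"\x00" * 48  # three unused slots
    return bootcode + table + BOOT_SIGNATURE


if __name__ == "__main__":
    healthy = make_sample_mbr()
    print("healthy :", triage_mbr(healthy)["verdict"])
    print("zeroed  :", triage_mbr(bytes(SECTOR_SIZE))["verdict"])
    print("no sig  :", triage_mbr(healthy[:PTABLE_END] + b"\x00\x00")["verdict"])
```

Run against a real image with `open(path, "rb").read(512)`; a "wiped" verdict on a host that previously booted is the cue to pull the rest of the evidence from sources the wiper could not reach, such as network-side logs.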
“The group who attacked the Mexican bank used both in their attack,” said Fernando Merces, a senior threat researcher with Trend Micro, an international cybersecurity firm. “There was also an MBR Killer used in a Taiwanese bank a few years ago … The financial sector sees these attacks most frequently. The attacks have been seen globally.”
KillDisk gained infamy in 2016 when a Russian-linked hacking team used the tool to disrupt systems that control the Ukrainian electric grid. Its use by North Korea is not as well documented.
MBR Killer was also originally blogged about for its use by a Russian cybercrime gang that stole millions of rubles from Russian banks. Several years ago, the full source code of MBR Killer was posted to a cybercrime forum, after which it was adopted by a wide range of actors.
The wide availability of MBR Killer makes attribution more difficult, but forensic analysts also obtained other indicators suggesting North Korea’s “Lazarus Group” was the actual culprit in Latin America.
CyberScoop obtained a confidential intelligence report, labelled “TLP: Amber,” authored May 29 by New York-based intelligence firm Flashpoint. That report further connected MBR Killer to the Chile case. The report states that this module had been “leveraged to hide the evidence of successful bank network penetrations.”
This is not the first time North Korean hackers have attempted to disguise their tracks through the use of either “false flags” or open-source hacking tools. However, Pyongyang’s penchant for destructive malware appears to be more novel.
In an interview with local press, the CEO of Bank of Chile Eduardo Ebensperger said that hackers meant to “hurt the bank, not our customers.” This comment matches up with the behavior described by CyberScoop’s sources and other confidential reports.
“It is the same MO across these attacks, targeting SWIFT to steal directly from the banks, rather than targeting the banks’ customers,” Merces said.
Notably, the data destruction technique described above was not able to remove all evidence pointing to North Korea. Because SWIFT keeps its own records of the messages it receives, the banks were still able to obtain records of the anomalous transfer requests even after local copies were destroyed.
“Attackers often delete any evidence of fraudulent transactions on victim’s local system, but SWIFT can … [provide] the header data of the messages that SWIFT received from the impacted organization,” the SWIFT spokesperson explained.
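The check implied by that statement is a reconciliation: compare the header data SWIFT can return about messages it received from the bank against whatever survives in the bank's own outbound journal. Anything the network saw that the journal no longer contains, or whose sender or receiver no longer matches, is a candidate for a deleted or tampered fraudulent instruction. The code below is an added example, not the article's own or SWIFT's; its record layout (reference, sender BIC, receiver BIC, timestamp), the fictional BICs and both data sets are constructed for illustration, and the off-hours window is this example's own heuristic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HeaderRecord:
    """Constructed stand-in for header fields the network side can return about a message.
    The field names are this example's assumptions, not SWIFT's actual schema."""
    reference: str   # sender's transaction reference
    sender: str      # sender BIC (fictional here)
    receiver: str    # receiver BIC (fictional here)
    sent_at: str     # network timestamp, ISO 8601, UTC


# Constructed sample: what the network saw leaving the bank's gateway.
NETWORK_HEADERS = [
    HeaderRecord("TRN0001", "SNDRMXMM", "RCVRUS33", "2018-05-18T09:01:00Z"),
    HeaderRecord("TRN0002", "SNDRMXMM", "RCVRDEFF", "2018-05-18T09:03:00Z"),
    HeaderRecord("TRN0003", "SNDRMXMM", "RCVRHKHH", "2018-05-18T23:47:00Z"),
    HeaderRecord("TRN0004", "SNDRMXMM", "RCVRHKHH", "2018-05-18T23:49:00Z"),
]

# Constructed sample: the bank's outbound journal as recovered after the wiper ran.
# TRN0003 was deleted outright; TRN0004 survived but its receiver was edited.
LOCAL_JOURNAL = [
    {"reference": "TRN0001", "sender": "SNDRMXMM", "receiver": "RCVRUS33"},
    {"reference": "TRN0002", "sender": "SNDRMXMM", "receiver": "RCVRDEFF"},
    {"reference": "TRN0004", "sender": "SNDRMXMM", "receiver": "RCVRDEFF"},
]

BUSINESS_HOURS_UTC = range(8, 19)  # assumed normal sending window for this example


def reconcile(network_headers, local_journal) -> dict:
    """Compare the network-side view with the local journal and report discrepancies."""
    local_by_ref = {row["reference"]: row for row in local_journal}
    network_by_ref = {h.reference: h for h in network_headers}

    # Seen by the network, gone locally: evidence deleted on the victim system.
    missing_locally = sorted(ref for ref in network_by_ref if ref not in local_by_ref)

    # Present in both, but sender/receiver differ: local record edited after the fact.
    tampered = sorted(
        ref for ref, h in network_by_ref.items()
        if ref in local_by_ref
        and (local_by_ref[ref]["receiver"] != h.receiver
             or local_by_ref[ref]["sender"] != h.sender)
    )

    # Present locally, never seen by the network: journal entries that did not go out.
    unknown_to_network = sorted(ref for ref in local_by_ref if ref not in network_by_ref)

    # Sent outside the assumed business window: a secondary signal for manual review.
    off_hours = sorted(h.reference for h in network_headers
                       if int(h.sent_at[11:13]) not in BUSINESS_HOURS_UTC)

    return {"missing_locally": missing_locally, "tampered": tampered,
            "unknown_to_network": unknown_to_network, "off_hours": off_hours}


if __name__ == "__main__":
    for finding, refs in reconcile(NETWORK_HEADERS, LOCAL_JOURNAL).items():
        print(f"{finding:20s} {refs}")
```

The reconciliation only needs the network-side headers, not message bodies, which is why it still works after a wiper has run locally: the attacker controls the victim's copy of the journal but not the counterparty's.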
Today, SWIFT is sharing active cyberthreat intelligence about hacking attempts with multiple different private cyber defense groups, including the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Cyber Defense Alliance (CDA).
A Mexican financial publication, El Financiero, reported earlier this year that hackers breached Mexico’s interbank transfer system, known as the “Sistema de Pagos Electrónicos Interbancarios” (SPEI), by using a remote access trojan (RAT) named “FALLCHILL.” This RAT is associated with prior North Korean cyber-espionage operations against foreign telecommunications firms.
The connection between the Bank of Chile incident and Mexican banking breaches had not been previously reported.