Researchers at BAE Systems investigated the recent cyber-heist that targeted a bank in Taiwan and linked the action to the notorious Lazarus APT group.
The activity of the Lazarus APT Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.
This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.
According to security experts, the group was behind, other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Picture hack.
The Lazarus group, tracked by the U.S. government as Hidden Cobra, seems to be behind recent attacks against U.S. defense contractors, likely in cooperation with other hacker groups.
Back to the recent attack, hackers exploited the SWIFT global financial network to steal roughly $60 million from Taiwan’s Far Eastern International Bank.
Reports of $60M being stolen are not correct, the overall amount actually stolen by the hackers were considerably lower.
The hackers transferred the money outside the island, but the bank claimed it had managed to recover most of it.
The Sri Lanka police have recently arrested two men allegedly involved in the cyberheist, the suspects are accused to have hacked into computers at a Taiwan bank and stole millions of dollars
Researchers at BAE Systems have identified some of the tools used in the cyber heist and linked them to the Lazarus‘s arsenal.
Researchers believe attackers used a piece of ransomware known as Hermes as a distraction tactic. According to researchers at McAfee, the Hermes variant used in the attack on the Taiwanese bank did not display a ransom note, a circumstance that suggests it wasn’t used for a different purpose, distraction.
“Was the ransomware used to distract the real purpose of this attack? We strongly believe so,” McAfee researchers said. “Based on our sources, the ransomware attack started in the network when the unauthorized payments were being sent.”
Lazarus operators likely used the Hermes ransomware on the bank’s network to interfere with the investigations and destroy evidence of their attack.
To read the original articel: http://securityaffairs.co/wordpress/64445/apt/lazarus-apt-taiwan-heist.html