SEOUL—Suspected North Korean hackers blitzed Turkish financial institutions and a government organization last week, seeking intelligence for a future heist, a new report says.
The attacks on March 2 and 3, identified by cyber researcher McAfee LLC in a Thursday report, attempted to lure targets with faux links to a popular cryptocurrency platform, allowing hackers to plunder sensitive information about the breached computer networks. The report doesn’t identify the entities struck. No money was taken.
“What you see here is the kind of precursor towards financial theft,” said Raj Samani, McAfee’s chief scientist, who described the hack as “casing the joint.”
As economic sanctions against North Korea have tightened over the past year, more of its cyberattacks have pursued financial gains, according to cybersecurity experts. North Korea has been suspected in digital raids of South Korean cryptocurrency exchanges last year. And recent targets have ranged from global banks to ATMs.
What makes the Turkish attacks unusual is how quickly the hackers created software to exploit a recently revealed weakness in Adobe Flash, using the program to implant malware onto victims’ computers. Also unusual: how swiftly McAfee researchers unearthed the effort.
McAfee policy is to not officially identify nation-state cyber units as culprits. But its Thursday report said the malware code closely resembles code used in attacks by a North Korea-linked hacking operative—called Lazarus by many cyber researchers—that was blamed for last year’s WannaCry ransomware attack and the 2014 Sony Pictures hack.
Last week’s attacks, which McAfee calls “Bankshot” after the implant they deliver (the malware is implanted in a file that infects computers), compromised a number of computers in Turkey, McAfee said, and some early indications also suggest more financial organizations across Europe were infected.
The Turkish campaign relies on malware that first appeared last year but was modified in recent weeks. The malicious files are distributed by spearphishing emails that contain Microsoft Word documents masquerading as an agreement template for bitcoin distribution, McAfee said.
To trick the Turkish targets into opening the attachment, the hackers sent the emails from an account with the domain name falcancoin.io—a name similar to that of a leading cryptocurrency lending platform, Falcon Coin.
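As an added defender-side illustration (not from the article or from McAfee), here is the kind of sender-domain check that would surface a lookalike such as falcancoin.io when scored against a watchlist of brands the organization deals with; the watchlist, the “legitimate” domain and the sample From: headers are constructed assumptions, and the registrable-label logic is a simplification that ignores the public-suffix list.

```python
# Added example (not from the article or McAfee): flag From: domains whose
# registrable label is within a small edit distance of a watched brand.
from typing import Dict, List, Optional

# Constructed watchlist: brand label -> its legitimate domain (hypothetical).
WATCHLIST: Dict[str, str] = {"falconcoin": "falconcoin.example"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Domain of a From: value such as 'Name <user@host>' (lower-cased)."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()

def registrable_label(domain: str) -> str:
    """Second-level label: 'mail.falcancoin.io' -> 'falcancoin'.
    Assumption: no public-suffix handling (co.uk-style suffixes break this)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain

def lookalike_brand(from_header: str, max_distance: int = 2) -> Optional[str]:
    """Return the watched brand a sender domain imitates, or None.
    The brand's own legitimate domain is never reported; a domain that
    reuses the brand label under another TLD is reported (distance 0)."""
    domain = sender_domain(from_header)
    if domain in WATCHLIST.values():
        return None
    label = registrable_label(domain)
    for brand in WATCHLIST:
        if levenshtein(label, brand) <= max_distance:
            return brand
    return None

# Constructed sample headers: one lookalike, one legitimate, one unrelated.
SAMPLE_FROM_HEADERS: List[str] = [
    "Falcon Coin <agreements@falcancoin.io>",
    "Partner <team@falconcoin.example>",
    "Vendor <billing@acme.example>",
]

def flag_headers(headers: List[str]) -> Dict[str, Optional[str]]:
    """Map each header to the brand it imitates (None when clean)."""
    return {h: lookalike_brand(h) for h in headers}
```

In practice the watchlist would hold every counterparty brand the organization exchanges agreements with, and a hit would route the message to quarantine or analyst review rather than block it outright.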
Viewing the file downloads the malware onto the recipient’s computer, giving hackers remote access they can use to upload or download files or manipulate internal systems that could enable financial theft.
The Microsoft Word document had an embedded Adobe Flash file that exploited a problem for which a software patch had been distributed just weeks before. The attackers were betting users had not downloaded that update.
The attack shows the “weaponization” of such software holes, McAfee’s Mr. Samani said.
Once they have access, hackers can also pilfer internal organizational information for use in masking subsequent attacks. Even something as benign-seeming as printer names could be exploited: Recipients might be more apt to trust email attachments containing their office’s printer name, said Christiaan Beek, McAfee’s senior principal engineer.