North Korean APT Suspected in Another SWIFT Bank Heist

The Lazarus Group, an APT group believed to be operating within North Korea, is suspected of perpetrating another SWIFT network bank heist, this time against Taiwan’s Far Eastern International Bank, after officials discovered fraudulent attempts to wire approximately $60 million to banks located in Cambodia, Sri Lanka, and the US. Two individuals were arrested in Sri Lanka after attempting to withdraw large sums of money from accounts that received the stolen funds. The initial attack vector is believed to have been a spear-phishing campaign containing malicious Microsoft Office documents that, once opened, installed malware on bank employees’ systems. This malware then allowed the hackers to capture employees’ login credentials, gain entry, and move laterally through the bank’s network. After the breach was discovered, the Lazarus Group deployed the Hermes ransomware variant across the bank’s network in an attempt to destroy evidence of the intrusion. The Lazarus Group has also been tied to the $81 million SWIFT bank heist against the Bangladesh Bank in 2016. This recent activity is consistent with similar operations carried out by North Korean hackers, particularly the Lazarus Group, in recent years.

The NJCCIC recommends that network administrators within the financial services sector review the BAE Systems report and monitor and scan systems and networks for the associated indicators of compromise. If Lazarus Group activity has been detected on your network, please report it to both the NJCCIC and the FBI as soon as possible.