How experts look for hackers who stole $ 81 million from the central bank of Bangladesh

Kaspersky Lab spoke at the Security Analyst Summit conference about the results of an investigation into the activities of the Lazarus cybergroup.

This is a well-known gang of hackers, allegedly responsible for the theft of $ 81 million from the Bank of Bangladesh in 2016 – the incident became one of the largest and most successful cyber robberies in history. Thanks to the investigation, which lasted more than a year, experts were able to study in detail the methods and tools of grouping and prevent at least two new thefts of large amounts from financial institutions.

After the attack on Bank of Bangladesh, the attackers lurked for several months and prepared for a new attack. They managed to settle in the corporate network of one of the banks of Southeast Asia, but were discovered by the Kaspersky Lab security solution. The investigation that followed forced Lazarus to suspend the operation for a while, after which the attack vector shifted to Europe. However, their attempts were again thwarted with the help of Kaspersky Lab products, as well as due to the rapid response and investigation of incidents.

The attacks investigated by Kaspersky Lab lasted for weeks, however, in stealth mode, hackers could work for months. This is exactly what happened in the incident in Southeast Asia. Attackers entered the banking network at least seven months before the bank’s security service turned to specialists for help.

In most cases, the attackers were careful and destroyed traces of penetration. Nevertheless, on one of the hacked servers that Lazarus used as a command center, experts discovered an important artifact. The first connections to the server were made through VPN and proxies, and it was practically impossible to track their location. However, experts also recorded one request from a rare IP address in North Korea. In their opinion, this may be due to one of the following reasons:

· Attackers connected to the server from this address from North Korea;

· The connection was a “false flag” designed to confuse experts;

· Someone from North Korea accidentally visited the server address.

Over the past two years, traces of malware related to Lazarus have been detected in 18 countries. The victims of the attacks were financial organizations, casinos, companies specializing in the development of software for investment firms, and representatives of the cryptocurrency business. The last surge in Lazarus activity dates back to March 2017: this means that the group is not going to stop.

“We are confident that Lazarus will soon make themselves known again. Such attacks show that even minor flaws in the network configuration can lead to serious security holes. These “holes” can cost a business hundreds of millions of dollars. Therefore, we hope that the leaders of banks, casinos and companies developing software for investment companies will pay due attention to the threat posed by Lazarus, ”commented Vitaliy Kamlyuk, head of the Kaspersky Lab research center in the Asia-Pacific region, who concluded the investigation.

During the investigation, Kaspersky Lab experts discovered more than 150 malware samples related to the group. All of them are successfully neutralized by Kaspersky Lab security solutions. A complete list of malware, as well as a list of critical indicators of compromise (Indicators of Compromise, IOC), which will help companies detect signs of an attack on their corporate network, are available in the Kaspersky Lab report:
Kaspersky Lab recommends that all companies check the corporate network for signs of an attack. If they are detected, the system should be cleaned with a protective solution, and an attack should be reported to law enforcement agencies and information security incident response teams.