Banco de Chile

Hackers used disk-wiping malware to sabotage hundreds of computers at a bank in Chile, distracting staff while they attempted to steal money via the bank's SWIFT money transfer system.

The attempted hack took place on May 24, this year. On that day, the Banco de Chile, the country's biggest bank, reported all-around systems failures that affected the computers at several of its branches.

While its online systems kept working, several in-bank operations were impossible to carry out, according to reports in the local press [1, 2, 3].

Bank says it was hit by a virus

Initially, the bank refused to call it a security incident, but in a subsequent announcement on May 28, Banco de Chile admitted to having been hit by "a virus."

That virus wasn't just any malware, though. According to images posted online by bank employees, the malware crashed infected PCs, leaving them in a non-bootable state, suggesting it was affecting hard drives' Master Boot Records (MBRs) à la NotPetya.

According to a screenshot of private IM conversations posted on a Chilean forum, the alleged "virus" crashed over 9,000 computers and over 500 servers.

According to a security alert sent out by another IT company in the aftermath of the Banco de Chile hack, the virus was identified under various names, including KillMBR, a term previously used by Trend Micro experts for the KillDisk disk wiper and fake ransomware.

The KillDisk malware is a well-known threat that has been used in the past in hacks targeting banks and financial institutions. Its main function is to wipe disks, thereby destroying forensic data, and then pose as a ransomware infection by showing a ransom note on the user's screen.

A Trend Micro report from January 2018 noted that the hacking group behind this threat had recently shifted their focus from Eastern European targets to Latin America.

KillDisk most likely behind Banco de Chile incident

Coincidentally or not, yesterday, Trend Micro published a new report about a new incident in Latin America where hackers deployed a new version of the KillDisk wiper.

This new KillDisk variant didn't bother showing a ransom note and just wiped computers' MBRs, leaving them in a non-bootable state, similar to the image shared online depicting Banco de Chile computers.

While Trend Micro did not say the incident took place in Chile, nor did it point the finger at Banco de Chile as the place where this new KillDisk variant was spotted, they did say the incident they detected took place in May, the same month as the Banco de Chile virus-triggered outage.

Attackers connected to another failed SWIFT hack

Furthermore, the Trend Micro team connected this KillDisk variant to a group of hackers known for cyber-heists, which recently tried to steal over $110 million from Bancomext, a Mexican bank.

According to Trend Micro, the same group now tried its hand at another heist with another bank in Latin America.

"Our analysis indicates that the attack was used only as a distraction," Trend Micro said about the recent incident (most likely Banco de Chile). "The end goal was to access the systems connected to the bank’s local SWIFT network."

Until now, neither Banco de Chile, Chilean state officials, nor Chilean local media have reported anything about an attempted hack.

Nonetheless, according to a tweet spotted by the Bad Cyber team, a Chilean journalist claimed someone tried to make off with $11 million during the May 24 incident. But the journalist, who cited an inside source, claimed the hack was an inside job in retaliation for recent layoffs, rather than an external threat.

UPDATE: On June 9, a day after this article's publication, Banco de Chile admitted [1, 2] that hackers stole $10 million during the May 24 incident.
