Lazarus Group

Evidence suggests the infamous Lazarus Group, a hacking crew believed to be operating out of North Korea, is behind the recent hack on the Far Eastern International Bank (FEIB) in Taiwan.

The hack took place at the start of the month when FEIB officials discovered fraudulent attempts to wire as much as $60 million to foreign banks located in Sri Lanka, Cambodia, and the United States.

Later in the week, Sri Lankan officials announced the arrested of an individual who withdrew $195,000 and later attempted to cash in another $52,000 from money that arrived from Taiwan into three local accounts at the Bank of Ceylon. A second individual was arrested a day later.

The incident caught the eye of international media because it was the latest in a string of bank heists that relied on crooks using malware to take over a bank's SWIFT account and use the SWIFT inter-banking transactions system to move money to new places.

Hack most likely carried out by Lazarus Group

Bank heists using SWIFT accounts have been taking place for more than a year and a half and have affected banks in Bangladesh, Uruguay, Vietnam, Poland, Ukraine, the Philippines, Mexico, and more.

Some of these attacks have been linked to the techniques, tactics, and procedures (TTPs) used by the Lazarus Group. Malware used in some bank heists were linked to previous cyberespionage operations like Operation Blockbuster.

A report released today by BAE Systems links malware used in the FEIB heist to past SWIFT attacks, more precisely in the Poland and Mexico hacks.

In total, researchers identified nine different malware samples used in the FEIB hack. Three of these contained links and similarities to past Lazarus Group malware, while four were Hermes ransomware samples.

How the hack happened

Merging information from BAE's report published today and a report from last week by McAfee, attackers appear to have used spear-phishing campaigns to compromise computers inside FEIB's network.

These emails delivered boobytrapped Office docs that installed malware on bank employee's computers. Attackers moved laterally inside the bank's network using SMB.

After they mapped the bank's network and identified computers that had access to sensitive systems, they deployed custom-built malware on October 1.

Two days later, on October 3, Lazarus used an employee's credentials to access the bank's SWIFT account and send money to different banks in Sri Lanka, Cambodia, and the US. Experts say the transactions were labeled with the MT103 and MT202COV transaction codes, but the MT202COV codes were used incorrectly which allowed the bank to detect the breach.

Timeline of FEIB hack

Attackers deployed ransomware after breach was discovered

Once FEIB detected the fraudulent transactions, Lazarus operators deployed the Hermes ransomware on the bank's network to delay investigations and encrypt and destroy evidence of their intrusion.

The ransomware they used was identified as Hermes, a ransomware strain discovered this past February, which was later updated to version 2.0.

Hermes was a mundane ransomware strain, but which got some press coverage when Emsisoft researcher Fabian Wosar decided to reverse it in a live stream on YouTube. A decrypter was later published and is available for download from here or here. Hermes v2 appeared soon after as a response and is currently not decryptable.

In the FEIB heist, researchers noted that the ransomware deployment was dodgy. The ransomware they used didn't appear to be an original Hermes ransomware strain, but a modified version.

The Hermes strain used on FEIB's network did not change the infected computer's wallpaper and didn't leave a flashy ransom note behind, like the original Hermes note, portrayed below.

Standard Hermes ransom note

Instead, the Hermes version used in the FEIB attacks only showed a popup with the text "finish work" and left a file named "UNIQUE_ID_DO_NOT_REMOVE" in every directory.

Hermes ransomware in FEIB hack

Overall, the bank heist fits perfectly in Lazarus Group's classical mode of operation, and follow the same pattern of past SWIFT-based attacks. The good thing is that banks are getting better and spotting illegal transactions and reversing the transactions.

Image credits: BAE Systems, McAfee