Symantec has identified three pieces of malware used in the limited targeted attacks
Symantec says Swift heist linked to Philippines attack, Sony hack
WASHINGTON, May 27, 2016
Hackers who stole $81 million from Bangladesh's central bank have been linked to an attack on a bank in the Philippines, in addition to the 2014 hack on Sony Pictures, cybersecurity company Symantec Corp said in a blog post on Thursday.
Symantec did not name the Philippines bank or say whether any money was stolen, but said the attacks could be traced back to October last year.
It did not identify the hackers, but the US has blamed the 2014 Sony attack on North Korea. Cybersecurity firm BAE Systems also said this month that the distinctive computer code used to erase the tracks of hackers in the Bangladesh Bank heist was similar to code used to attack Sony.
The Philippines central bank's deputy governor, Nestor Espenilla, told Reuters that no bank in the country had lost money to hackers, although he did not rule out the possibility of cyber attacks.
"We are checking if there are similar attacks on Philippine banks," Espenilla said. "However, no reported losses so far."
He added: "It is one thing to be attacked. It is another to lose money."
Marshall Heilman, vice president for Mandiant, a part of US-based FireEye, said it was not known whether any money was lost in the other attacks he described or whether the hackers had been successfully blocked.
"There is a group operating in Southeast Asia that definitely understands the bank industry and is at more than one location," he said.
Heilman declined to identify the country or countries, or the institutions attacked. He said it was the same group as the one involved in the Bank Bangladesh theft and that the attacks were recent, but declined to be more specific.
Central banks elsewhere in Southeast Asia - Singapore, Indonesia, Brunei, Myanmar, Laos, Cambodia, Vietnam, Thailand and East Timor - have declined comment or denied knowledge of any other breaches.
If the Symantec report is confirmed, the Philippines incident would represent the fourth known cyber attack against a bank involving fraudulent Swift messages since the beginning of 2015. Swift, as the Society for Worldwide Interbank Financial Telecommunication is known, this week urged banks to bolster their security, saying it was aware of multiple attacks.
Banks around the world use secure Swift messages for issuing payment instructions to each other.
Symantec said it had identified three pieces of malware that were used in limited targeted attacks against financial institutions in Southeast Asia.
One of the malicious programs has been previously associated with a hacking group known as Lazarus, which has been linked to the devastating attack on Sony's Hollywood studio in 2014.
"There is a pretty hard connection now to the Sony attacks and the actor behind them" and the Bangladesh heist, Eric Chien, technical director at Symantec, said in an interview.
Chien said that if North Korea was responsible for the hacks on banks via the Swift messaging network it would represent the first known episode of a nation-state stealing money in a cyber attack.
Policymakers, regulators and financial institutions around the world are stepping up scrutiny of the cyber security of the Swift payments system after thieves in February used it to make fraudulent transfers totaling $81 million out of the Bank Bangladesh's account at the Federal Reserve Bank of New York.
Symantec and other researchers have also linked the hack to a failed attempt to use fraudulent Swift messages to steal from a commercial bank in Vietnam.
In addition, Reuters reported last week that Ecuador's Banco del Austro had more than $12 million stolen from a Wells Fargo account due to fraudulent transfers over the Swift network.
Bangladesh police are also reviewing a nearly-forgotten 2013 cyber heist at the nation's largest commercial bank, Sonali Bank, for connections to the central bank heist, a senior law enforcement official told Reuters. The unsolved theft of $250,000 at Sonali Bank also involved fraudulent transfer requests sent over the Swift network.
The emergence of new possible instances of compromise is not entirely surprising as banks conduct more reviews, Swift spokeswoman Natasha de Teran told Reuters.
"Many may turn out to be false positives, and or have nothing to do with Swift messages, but it is key that these reviews take place and banks' environments are secured," she added. - Reuters