On we observed connections to the site referred from: “The eye-watchin domain appears to have been used in watering-hole attacks on other financial sector websites.
#LAZARUS GROUP CODE#
In June 2016, the analysis of SWIFT attacks revealed five additional pieces of malware containing portions of code shared by Lazarus Group.Īccording to the analysis published by BAE Systems, one of the domains used in the Poland attack was also involved in a watering hole attack targeting the National Banking and Stock Commission of Mexico (), the Mexican organization that is equivalent of Poland KNF. The group of security firms formed an alliance called Operation Blockbuster that issued the detection signatures to neutralize the hacking tools used by the APT. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.” continues Symantec.”Įxperts at Kaspersky have linked the group to the hacking operations Dark Seoul and Operation Troy. Kaspersky Lab, alongside with a number of security firms including Novetta, AlienVault, Invincea, ThreatConnect, Volexity, Symantec, and PunchCyber have published reports related to the activities of the Lazarus Group. These IP addresses belong to 104 different organizations located in 31 different countries. “The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses. The attackers focused their activities on the banks, but the list of victims also includes ISPs and telecom operators. Malware researchers at Symantec have identified roughly 150 targeted IPs associated with more than 100 organizations across 31 countries. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.” reads the analysis published by Symantec. “Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. The attackers exploited “ watering holes” in order to infect the machines of a specific audience with previously unknown malware. The experts at Symantec have spotted in the past at least three strains of malware used by the group, Backdoor.Fimlis,, and Backdoor.Contopee, which have been used in targeted attacks against financial institutions. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. The activity of the Lazarus Group surged in 20, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated. According to Symantec, the threat actor behind the attack is the same that targeted financial organizations in 31 countries since at least October 2016.Īccording to Symantec, the Polish website used to target the Polish banks delivered a strain of malware known to be part of the toolkit of the Lazarus Group.
The malware-based attack was confirmed by a number of banks that are currently investigating the security breach.Īt the time I was writing there is no evidence that attackers successfully stolen money from Polish banks or their customers, but some of the target organizations confirmed to have noticed large outgoing data transfers.īoth security firms BAE Systems and Symantec started their investigation on the attacks. In order to avoid spreading the malware, the authorities took the decision to shut down the entire network at the KNF “in order to secure evidence.”
The attackers dropped on the servers the malicious files that were used in the attacks against the Polish banks. The interesting aspect of the attack is that crooks used the Polish financial regulator, the Polish Financial Supervision Authority (KNF), to spread the malware.Ī spokesman for the KNF confirmed that internal systems of the regulator had been compromised by hackers “from another country”. The cyber attack was first reported by the Zaufana Trzecia Strona, a local Polish news site on Friday, last week.