Cyber attacks pioneered by North Korea now spreading to other threat actors, F-Secure warns

Financial companies are increasingly being targeted by organised crime and state-sponsored actors

Cyber attacks pioneered by groups linked with the North Korean government are now being deployed by other threat actors, security specialists at F-Secure have warned.

"While North Korea is a unique case of a nation-state conducting financially-motivated attacks - many of which have been against the banking sector - the techniques used by the country's hacking units have also been adopted by organized crime groups, adding to their repertoire of ways in which to steal from banks," F-Secure warned in a report released today.

In particular, the report added, non-state attackers have been inspired by North Korea to target banks' connections to the SWIFT international payments network, the technique used in the 2016 attack in which a group linked to North Korea attempted to steal almost $1 billion from Bangladesh Bank and succeeded in transferring $81 million.


That attack, and a number of similar attacks on banks around the world, has been attributed to the North Korean advanced persistent threat (APT) group known as Lazarus. North Korea's links to organised crime, including drug trafficking and the production of counterfeit currency, go back to the 1970s.

"Attackers compromise a bank's SWIFT payment operators, steal their credentials, and subsequently send fraudulent transfer requests via the SWIFT messaging system.

"When confirmation messages of these transactions are sent back to the compromised bank, the attacker's malware intercepts and deletes them, thus removing evidence that the transactions occurred. The illicitly transferred funds get withdrawn from the attackers' accounts by money mules, and the cash is then laundered," the report explained.
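The attack described above works because the attacker controls the one host where the bank expects to see its evidence. A defender's counter is to reconcile records the attacker does not control. The following is an added example, not code from the F-Secure report or from SWIFT: it compares three independently held views of the same day's transfers and flags the patterns the report describes. It assumes the bank's business-approval ledger and the correspondent (nostro) account statement are obtained from systems separate from the SWIFT operator workstation; the field names, reference numbers and amounts are constructed for illustration.

```python
"""Three-way reconciliation of outbound transfers (added example, constructed data)."""
from typing import Dict, List


def fingerprint(rec: Dict) -> tuple:
    """Fields that must agree between a ledger entry and an executed debit."""
    return (round(rec["amount"], 2), rec["ccy"], rec["beneficiary"])


def index_by_ref(records: List[Dict]) -> Dict[str, Dict]:
    return {r["ref"]: r for r in records}


def reconcile(instructions: List[Dict], local_confirmations: List[Dict],
              correspondent_debits: List[Dict]) -> Dict[str, List[str]]:
    """Compare three independently held records of the same transfers.

    instructions         - transfers the bank's approval workflow says operators authorised
    local_confirmations  - confirmation messages still present on the SWIFT operator host
    correspondent_debits - debits reported by the correspondent bank, fetched out of band
    """
    ledger = index_by_ref(instructions)
    local = index_by_ref(local_confirmations)
    nostro = index_by_ref(correspondent_debits)
    return {
        # Money left the nostro account for a transfer nobody authorised.
        "unauthorised": sorted(ref for ref in nostro if ref not in ledger),
        # The correspondent executed it but the operator host holds no confirmation:
        # consistent with malware deleting the incoming message.
        "deleted_locally": sorted(ref for ref in nostro if ref not in local),
        # An authorised transfer whose amount or beneficiary changed in flight.
        "altered": sorted(ref for ref in nostro
                          if ref in ledger and fingerprint(nostro[ref]) != fingerprint(ledger[ref])),
        # Authorised but not (yet) executed; may simply be settlement latency.
        "unexecuted": sorted(ref for ref in ledger if ref not in nostro),
    }


# Constructed sample data (assumed, not real traffic).
INSTRUCTIONS = [
    {"ref": "TRN0001", "amount": 250000.00, "ccy": "USD", "beneficiary": "ACME LTD"},
    {"ref": "TRN0002", "amount": 80000.00, "ccy": "USD", "beneficiary": "GLOBEX"},
    {"ref": "TRN0003", "amount": 15000.00, "ccy": "EUR", "beneficiary": "NORDIC AB"},
]
LOCAL_CONFIRMATIONS = [  # TRN0009 has been deleted by the malware
    {"ref": "TRN0001", "amount": 250000.00, "ccy": "USD", "beneficiary": "ACME LTD"},
    {"ref": "TRN0002", "amount": 80000.00, "ccy": "USD", "beneficiary": "GLOBEX"},
]
CORRESPONDENT_DEBITS = [
    {"ref": "TRN0001", "amount": 250000.00, "ccy": "USD", "beneficiary": "ACME LTD"},
    {"ref": "TRN0002", "amount": 8000000.00, "ccy": "USD", "beneficiary": "GLOBEX"},
    {"ref": "TRN0009", "amount": 20000000.00, "ccy": "USD", "beneficiary": "SHELL CO"},
]


def sample_findings() -> Dict[str, List[str]]:
    return reconcile(INSTRUCTIONS, LOCAL_CONFIRMATIONS, CORRESPONDENT_DEBITS)


if __name__ == "__main__":
    for category, refs in sample_findings().items():
        print(f"{category:16s} {', '.join(refs) or '-'}")
```

The check only has value if the correspondent statement is pulled over a channel that does not pass through the compromised operator host; otherwise the same malware can edit both sides.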


The report highlights how attackers are increasingly targeting the financial sector with a range of imaginative attacks in a bid to make big financial gains.

Other attacks on the financial sector include 'payment switch application compromise': "When a customer goes to withdraw funds from an ATM, a request gets sent to the customer's bank.

"The payment switch application handles this request, conducts a number of checks, for example whether the customer has the required funds in their account, and sends a confirmation - or rejection - message.


"Attackers are compromising these payment switch applications, so that ATM requests made by the attackers' cards are intercepted by the malware. The malware then automatically authorises these requests, regardless of their legitimacy, and the ATM releases unlimited cash for the money mules."
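A switch that has been tampered with in this way leaves a detectable trace: it approves requests that the account system either declined or never saw. The following is an added example, not code from the report or from any payment vendor. It parses a constructed switch log, compares each approval against the core banking system's own decision record (assumed to live on a separate host the attacker does not control) and also totals approved withdrawals per card, since the report's "unlimited cash" pattern shows up as one card draining one or more ATMs. The log format, request identifiers and limit are all assumptions made for the example.

```python
"""Independent check of ATM authorisations issued by a payment switch (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed switch log: one line per ATM request the switch answered.
SWITCH_LOG = """\
2019-09-10T02:01:04Z req=R1 card=****1111 atm=ATM-017 amount=500 decision=APPROVED
2019-09-10T02:01:40Z req=R2 card=****1111 atm=ATM-017 amount=500 decision=APPROVED
2019-09-10T02:02:15Z req=R3 card=****1111 atm=ATM-017 amount=500 decision=APPROVED
2019-09-10T02:03:01Z req=R4 card=****2222 atm=ATM-003 amount=200 decision=APPROVED
2019-09-10T02:03:30Z req=R5 card=****3333 atm=ATM-003 amount=300 decision=DECLINED
""".splitlines()

# Constructed core banking record: what the account system actually answered
# for each request the switch forwarded to it. R2 and R3 are absent because
# the compromised switch answered them itself without asking the core.
CORE_DECISIONS = {
    "R1": "DECLINED",   # insufficient funds, yet the switch told the ATM APPROVED
    "R4": "APPROVED",
    "R5": "DECLINED",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) req=(?P<req>\S+) card=(?P<card>\S+) atm=(?P<atm>\S+) "
    r"amount=(?P<amount>\d+) decision=(?P<decision>\w+)$")


def parse_switch_log(lines: List[str]) -> List[Dict]:
    """Parse the assumed log format into dicts; refuse silently skipping bad lines."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable switch log line: {line!r}")
        rec = m.groupdict()
        rec["amount"] = int(rec["amount"])
        records.append(rec)
    return records


def unauthorised_approvals(switch_records: List[Dict],
                           core_decisions: Dict[str, str]) -> List[Tuple[str, str]]:
    """Switch approvals that the core banking system did not back.

    Each finding is (request id, reason): 'no_core_record' when the core never
    saw the request, 'core_declined' when the core said no and the switch overrode it.
    """
    findings = []
    for rec in switch_records:
        if rec["decision"] != "APPROVED":
            continue
        core = core_decisions.get(rec["req"])
        if core is None:
            findings.append((rec["req"], "no_core_record"))
        elif core != "APPROVED":
            findings.append((rec["req"], "core_declined"))
    return findings


def cards_over_limit(switch_records: List[Dict], limit: int) -> Dict[str, int]:
    """Cards whose switch-approved withdrawals in the log window exceed `limit`."""
    totals = defaultdict(int)
    for rec in switch_records:
        if rec["decision"] == "APPROVED":
            totals[rec["card"]] += rec["amount"]
    return {card: total for card, total in totals.items() if total > limit}


if __name__ == "__main__":
    records = parse_switch_log(SWITCH_LOG)
    for req, reason in unauthorised_approvals(records, CORE_DECISIONS):
        print(f"ALERT {req}: switch approved, {reason}")
    for card, total in cards_over_limit(records, limit=1000).items():
        print(f"ALERT {card}: {total} approved, over limit")
```

The first check is the decisive one: a healthy switch never approves what the core declined, so a single 'core_declined' or 'no_core_record' finding is worth an incident, not a tuning exercise. The per-card total is a coarser signal that also fires on ordinary card fraud.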

Cyber criminals are also staging diversions, such as ransomware or DDoS attacks, to draw defenders' attention away from covert activity elsewhere on the victim's network, or exploiting an unrelated IT disaster to attack or defraud a bank while its staff are overwhelmed, such as during the TSB IT platform migration failure last year.

And it's not just banks that are being targeted, but financial institutions large and small, including insurance companies, asset managers and other organisations in the financial sector, or the supply chain of financial organisations.

"North Korea has been publicly implicated in financially-motivated attacks in over 30 countries within the last three years," said George Michael, a senior research analyst at F-Secure.

He continued: "This is symbolic of a wider trend that we've seen in which there is an increasing overlap in the techniques used by state-sponsored groups and cyber criminals."

Michael added that simply throwing money at IT security isn't enough either. "We continue to see companies suffer from unsophisticated breaches despite having spent millions on security.

"Once you understand why various threat actors might target you, then you can more accurately measure your cyber risk, and implement appropriate mitigations."