other malicious programmes.
“We are reasonably certain” Lazarus was responsible, Symantec researcher Eric Chien said.
Pyongyang denied allegations that it was involved in the hacks, which were made by officials in Washington and Seoul, as well as security firms.
United States Federal Bureau of Investigation representatives could not be reached for comment.
Symantec did not identify targeted organisations and said it did not know if any money had been stolen. Nonetheless, it said the claim was significant because the group used a more sophisticated targeting approach than in previous campaigns.
“This represents a significant escalation of the threat,” said Dan Guido, chief executive of Trail of Bits, which does consultations for banks and the US government.
Lazarus had been blamed for a string of hacks dating back to at least 2009, including last year’s US$81 million (RM359 million) heist from Bangladesh’s central bank, the 2014 hack of Sony Pictures Entertainment that crippled its network for weeks and a long-running campaign against organisations in South Korea.
Guido, who reviewed Symantec’s finding, said it was troubling to see a hacking group focus on attacking banks using increasingly sophisticated techniques.
Symantec, which has one of the world’s largest teams of malware researchers, regularly analyses emerging cyber threats to defend businesses, governments and consumers that use its security products.
The firm analysed the hacking campaign last month when news surfaced that Polish banks had been infected with malware.
At the time, Symantec said it had “weak evidence” to blame Lazarus.
Poland’s biggest bank lobbying group, ZBP, last month said the sector was targeted in a cyberattack, but did not provide further details.
Government authorities declined comment on the incident.
Authorities in Poland could not be reached for comment late on Wednesday.
Symantec said the latest campaign was launched by infecting websites that intended victims were likely to visit, known as a “watering hole” attack.
The malware was programmed to only infect visitors whose IP address showed they were from 104 specific organisations in 31 countries, according to Symantec.
The largest number were in Poland, followed by the US, Mexico, Brazil and Chile. Reuters