African bank foils North Korean cyber attack
An unnamed African financial institution is believed to have been on North Korea's hit list after Barac, a London-based cyber security startup, identified and foiled an attempted cyber heist.
North Korea is reported to have stolen an estimated $2bn for its weapons programmes through cyber attacks targeting banks and cryptocurrency exchanges.
According to a recent report by Finnish security firm F-Secure, North Korea, the only nation state believed to be responsible for acts of direct financial theft, is having a global influence because its tactics, techniques and procedures (TTPs) have spread to other threat actors.
The allegation that North Korea is using "widespread and increasingly sophisticated" cyber attacks to raise funds for "weapons of mass destruction" and enhance its nuclear and missile programmes was made in a confidential UN report by a team of independent experts seen by Reuters.
According to the UN report, North Korea is under investigation for "at least 35 reported instances" of attacking financial institutions in 17 countries. The attack on the unnamed African financial institution in May 2019 was thwarted when Barac identified suspicious, recurring patterns in the metadata of a small proportion of the encrypted traffic leaving the bank's network, the security firm said.
The attackers had infiltrated the bank's infrastructure and begun to make a small number of low-value transactions to other banks located in Bulgaria.
Elements of the attack were encrypted in an attempt to evade detection, and the certificates used for that encryption were signed in North Korea, the security firm said.
On inspection, the suspicious traffic was found to be destined for the same domain name system (DNS) domain in Bulgaria, and to be using the same encryption algorithm. Each session was also open for exactly the same duration and contained unusually high volumes of data.
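The detection described above, as an added example that is not Barac's product code or the bank's data: it takes encrypted-session metadata (destination name, negotiated cipher suite, session duration, bytes sent) and flags a small, recurring cluster of sessions that share the same destination and cipher, run for exactly the same duration, and carry far more data than the rest of the traffic. The session records are constructed, the destination name is a placeholder, and the thresholds (`min_count`, `volume_factor`) are assumptions a real deployment would tune against its own baseline.

```python
"""Flag beacon-like clusters in encrypted-session metadata (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Session:
    ts: str           # session start, ISO-8601 (constructed)
    src: str          # internal host that opened the session
    dst_domain: str   # TLS server name / resolved destination domain
    cipher: str       # negotiated cipher suite
    duration_s: int   # how long the session stayed open, in seconds
    bytes_out: int    # bytes sent from the internal host


# Constructed sample: ordinary traffic plus one hourly cluster to a placeholder
# destination (the article names no domain). Note the cluster's identical
# duration (42 s) and multi-megabyte uploads.
SESSIONS = [
    Session("2019-05-06T08:01:12", "10.1.4.21", "update.example-vendor.com", "TLS_AES_128_GCM_SHA256", 3, 1_200),
    Session("2019-05-06T08:05:40", "10.1.4.22", "update.example-vendor.com", "TLS_AES_128_GCM_SHA256", 3, 1_300),
    Session("2019-05-06T08:07:03", "10.1.4.23", "update.example-vendor.com", "TLS_AES_128_GCM_SHA256", 3, 1_100),
    Session("2019-05-06T08:10:15", "10.1.4.22", "mail.example.org", "TLS_AES_256_GCM_SHA384", 17, 8_400),
    Session("2019-05-06T08:31:50", "10.1.4.24", "mail.example.org", "TLS_AES_256_GCM_SHA384", 9, 3_100),
    Session("2019-05-06T08:55:08", "10.1.4.25", "mail.example.org", "TLS_AES_256_GCM_SHA384", 33, 25_000),
    Session("2019-05-06T08:58:44", "10.1.4.21", "cdn.example.net", "TLS_AES_128_GCM_SHA256", 5, 60_000),
    Session("2019-05-06T09:20:19", "10.1.4.26", "cdn.example.net", "TLS_AES_128_GCM_SHA256", 2, 15_000),
    Session("2019-05-06T09:00:00", "10.1.4.30", "placeholder-c2.invalid", "TLS_RSA_WITH_AES_128_CBC_SHA", 42, 2_600_000),
    Session("2019-05-06T10:00:00", "10.1.4.30", "placeholder-c2.invalid", "TLS_RSA_WITH_AES_128_CBC_SHA", 42, 2_610_000),
    Session("2019-05-06T11:00:00", "10.1.4.31", "placeholder-c2.invalid", "TLS_RSA_WITH_AES_128_CBC_SHA", 42, 2_590_000),
    Session("2019-05-06T12:00:00", "10.1.4.30", "placeholder-c2.invalid", "TLS_RSA_WITH_AES_128_CBC_SHA", 42, 2_600_000),
]


def find_suspicious_clusters(sessions, min_count=3, volume_factor=20):
    """Return clusters of sessions that match the beacon-like pattern.

    A cluster is reported when at least `min_count` sessions share the same
    (destination, cipher) pair, all have exactly the same duration, and their
    mean upload volume exceeds `volume_factor` times the median of all traffic.
    The median is used as the baseline because the suspicious sessions are
    assumed to be a small proportion of the whole, so they barely move it.
    """
    baseline_out = median(s.bytes_out for s in sessions)

    groups = defaultdict(list)
    for s in sessions:
        groups[(s.dst_domain, s.cipher)].append(s)

    findings = []
    for (domain, cipher), group in groups.items():
        if len(group) < min_count:
            continue
        durations = {s.duration_s for s in group}
        if len(durations) != 1:          # legitimate traffic varies in length
            continue
        avg_out = sum(s.bytes_out for s in group) / len(group)
        if avg_out < volume_factor * baseline_out:
            continue

        # Recurrence check: are the sessions spaced at a constant interval?
        starts = sorted(datetime.fromisoformat(s.ts) for s in group)
        intervals = {int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])}
        regular = intervals.pop() if len(intervals) == 1 else None

        findings.append({
            "dst_domain": domain,
            "cipher": cipher,
            "sessions": len(group),
            "duration_s": durations.pop(),
            "avg_bytes_out": avg_out,
            "regular_interval_s": regular,
            "hosts": sorted({s.src for s in group}),
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_clusters(SESSIONS):
        print(finding)
```

The three benign groups each fail a different test: the vendor-update sessions have a constant duration but negligible volume, the mail sessions are large enough to matter but vary in length, and the CDN group is too small to form a cluster. Only the hourly placeholder destination passes all three and is reported with its constant 3600-second interval, which is the kind of finding that justifies isolating the traffic for closer inspection rather than a verdict on its own.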
The suspicious traffic was isolated in a sandbox and decrypted to be identified as command and control (C&C) traffic between malware, which had already compromised the bank's network, and a Bulgarian-based server.
The bank then undertook a full security audit of its infrastructure, which discovered that malware had infected a number of endpoints at its headquarters, and that a small number of identical, low-value transactions had been made to other banks - again, located in Bulgaria - via the SWIFT payments infrastructure.
These small transactions are believed to have been made to test the exfiltration mechanism of the attack ahead of an attempt to extract larger amounts at some future date, the security firm said.