Chasing Lazarus: A hunt for the infamous hackers to prevent large bank robberies
Kaspersky Lab has published the results of its more-than-year-long investigation into the activity of Lazarus - a notorious hacking group allegedly responsible for the theft of 81 million dollars from the Central Bank of Bangladesh in 2016. During the forensic analysis of artefacts left by the group in South-East Asian and European banks, Kaspersky Lab has reached a deep understanding ofwhat malicious tools the group uses and how it operates while attacking financial institutions, casinos, software developers for investment companies and crypto-currency businesses around the world.
This knowledge has helped to interrupt at least twoother operations which had one goal - to steal a large amount of money from financial institutions. In February 2016, a group of hackers (unidentified at that time) attempted to steal $851 million USD, and managed to transfer 81 million USD from the Central Bank of Bangladesh. This is considered to beone of the largest, most successful cyber heists ever.
Further investigation conducted by researchers from different IT security companies including Kasper sky Lab revealed a high chance that the attacks were conducted by Lazarus - a notorious cyber espionage and sabotage group responsible for a series of regular and devastating attacks, and known for attacking manufacturing companies, media and financial institutions in at least 18 countries around the world since 2009. Although several months of silence followed the Bangladesh attack, the Lazarus group was still active. They had been preparing for a new operation to steal money from other banks and, by the time they were ready, they already had their foot in a financial-institution in South East Asia.
After being interrupted by Kaspersky Lab products and the following investigation, they were set back for another few months, and later decided to change their operation by moving to Europe. But here too, their attempts were interrupted by KasperskyLab’s security software detect ions, as well as the quick incident response, forensic analysis, and reverse engineering with support from company’s top researchers.
Lazarus Formula
Based on the results of the forensic analysis of these attacks, Kaspersky Lab researchers were able to reconstruct the modus operandi of the group. Initial compromise: A single system inside a bank is breached either with remotely accessible vulnerable code (i.e. on a webserver) or through a watering hole attack through an exploit planted on a benign website.
Once such a site is visited, the victim’s (bank employee) computer gets malware, which brings additional components. Foothold established: Then the group migrates to other bank hosts and deploys persistent backdoors - the malware allows them to come and go whenever they want. Internal reconnaissance: Subsequently the group spends days and weeks learning the network, and identifying valuable resources. One such resource may be a backup server, where authentication information is stored, a mail server or the whole domain controller with keys to every “door” in the company, as well as servers storing or processing records of financial transactions. Deliver and steal: Finally, they deploy special malware capable of bypassing the internal security features of financial software and issuing rogue transactions on behalf of the bank.
Geography and Attribution
The attacks investigated by Kaspersky Lab researchers lasted for weeks. However, the attackers could operate under the radar for months. For example, during the analysis of the incident in South-East Asia, experts discovered that hackers were able to compromise the bank network no less than sevenmonths prior to the day when the bank’s security team requested incident response.