Cybersecurity researchers at BAE Systems believe that a hacking crew operating out of North Korea was behind a recent malware and money-moving attack on Far Eastern International Bank in Taiwan.
In a case reminiscent of the infamous Bangladesh Bank heist, the culprits had compromised the Far Eastern terminal connected to the international Swift network and sent a series of doctored messages to transfer funds into accounts at multiple overseas banks.
BAE Systems says that since the attack, various samples that appear to originate from the intrusion have been uploaded to malware repositories. These include tools bearing the fingerprints of the North Korea-based Lazarus hacking group, as well as a rare ransomware variant called ‘Hermes’, which may have been used as a distraction or cover-up to occupy the bank's security team whilst the heist was occurring.
Having mapped out the bank's network and identified the interface to Swift, the attackers appear to have created MT103 messages to transfer funds to Cambodia, the US and Sri Lanka, coupled with MT202COV messages ordering the movement of those funds to the beneficiary institutions via intermediary banks.
Although media reports initially suggested $60 million was looted by the attackers, the reality is a little more prosaic.
"The content of these messages was syntactically correct but the values in specific fields were wrong. As a result, they were received by the intermediary bank but had no further influence on the funds transferred to the beneficiary accounts," says BAE Systems. "Reports of $60M being stolen appear to be due to confusion over these latter messages, and the amounts actually stolen were considerably lower. Most of these appear to have been recovered."