A major cyberattack targets the Polish banking industry

On 3 February 2017, the Polish news website Zaufana Trzecia Strona reported that Poland’s banking industry had been hit by what is considered its most serious security incident to date: a cyberattack on 20 of the country’s banking institutions, resulting in the loss of large amounts of data.

An attack targeting Polish financial institutions

The unclaimed cyberattack targeted more than 20 Polish financial institutions. Hackers appear to have used the Polish Financial Supervision Authority (KNF) website to spread malware. Malicious JavaScript code was inserted into internal server files, causing visitors’ browsers to download an external file. In turn, this file downloaded the malware from an external server and installed it. The malicious code was inserted into the following file:

Louise blog 1

It looked like this:

Louise blog 2

A spokesperson for the KNF confirmed that its servers had been compromised by “hackers from another country”. The authority’s server network was shut down to prevent the virus from spreading.

This attack, which apparently took place three months earlier and went undetected by the affected banks, allowed hackers to steal large amounts of encrypted data. The hackers do not appear to have been motivated by money.

Implications for the global banking industry

On 12 February, researchers at BAE Systems published an article outlining the similarities between the malware targeting Polish banks and malware used in attacks against other countries last October.

After analysing the malware, methods and tools used, researchers concluded that the same group was probably behind both sets of attacks. Both were watering-hole attacks, where attackers target victims by compromising websites they visit regularly. The hackers focused on specific websites, inserting code that redirected visitors to an exploit kit. This kit contained exploits for known Silverlight and Flash Player vulnerabilities. The exploits were only activated for visitors with specific IP addresses.

Researchers at Symantec determined that these IP addresses belonged to 104 different organisations in 31 countries. Most were banks, with some telecommunications and Internet companies. The list of IP addresses included 19 organisations from Poland, 15 from the US, nine from Mexico, seven from the UK and six from Chile.

The malicious code targeting Polish banks was found on the KNF website. Researchers at BAE Systems found similar code linking to the exploit kit on Mexico’s Comisión Nacional Bancaria y de Valores (the Mexican equivalent of KNF). The same code was also found on the website of Uruguay’s Banco de la República Oriental del Uruguay.

Lazarus, the prime suspect

The software installed by the exploit kit collects data. The software code is similar to that of malware used by the Lazarus group. According to Symantec, the Lazarus hacker group has been active since 2009. Most of its attacks have targeted the United States and South Korea. The group is suspected of being involved in the theft of $80 million from the Bangladesh central bank last year.

Researchers from BAE Systems stressed that there was no firm evidence connecting Lazarus to these recent attacks on the banking system. However, the similar techniques, malware and targets (banking authorities and public banks) point to the group’s involvement. Lazarus has already successfully carried out major attacks on the banking sector. Could the data stolen during these incidents be the sign of more serious attacks to come?

Suggestions