Malicious software used in February’s $81 million heist at Bangladesh Bank is linked to other cyber attacks, including the high-profile 2014 attack on Sony’s Hollywood studio, according to a new report from cyber security firm BAE Systems.
“What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign,” BAE’s cyber-security team said in the report it plans to release on Friday.
Reuters was not able to independently verify the report from BAE, which last month released the first public analysis of malware used in the attack on Bangladesh Bank. BAE, which is not one of the security firms that Bangladesh Bank hired to help with forensics, said it found the malware on its own by combing through repositories that collect samples of malicious files.
Similar malware recently was used to target a Vietnamese commercial bank with fraudulent messages from the SWIFT money transfer system, which also was used in the Bangladesh hack, BAE said. The distinctive computer code used to erase the tracks of hackers in the bank attacks was similar to code used to attack Sony.
Sony Pictures Entertainment’s network was virtually shut down in late 2014 with destructive malware. The attack was followed by online leaks of unreleased movies and emails that caused embarrassment to executives and Hollywood personalities.
BAE did not name the Vietnamese bank, but SWIFT, the
Brussels-based global financial messaging network, disclosed on
Thursday that malware had been discovered targeting a new commercial bank. Neither firm said whether funds had been stolen.
The BAE report, which the firm plans to publish on its website, likely will be closely scrutinized because the White House has blamed North Korea for the Sony attack, a charge Pyongyang has rejected.
BAE’s head of threat intelligence, Adrian Nish, told Reuters that the company had not determined who was behind the attacks.
The report said the malware used against Bangladesh Bank exhibits “the same unique characteristics” as software used in “Operation Blockbuster,” a campaign documented by a coalition of security firms that dates back to at least 2009 and that includes the 2014 Sony breach.
Technical similarities include encryption keys and names of
programming elements known as mutual exclusion objects, BAE said in the report.
“They have a very unique approach,” Nish said. “The links come through the code, which bears the hallmarks of a single, consistent coder.”
BAE said it identified the links between the recent bank hacks and Operation Blockbuster after analyzing tens of millions of malicious file samples.
The report acknowledged that there could be alternate explanations for the similarities.
It is possible that multiple programmers shared the same code, or even that it was painstakingly recreated to confuse investigators, according to BAE.
“Whilst there are possibilities that exist which may lead to
alternative hypotheses, these are unlikely,” the report said.
(Additional reporting by Joseph Menn in San Francisco; Editing by David Greising and Raju Gopalakrishnan)