North Korea linked to cyberattack on Turkey’s financial sector

by Morgan Chalfant - 03/08/18 2:36 PM ET

Experts have unearthed evidence of a new North Korean hacking operation targeting Turkey’s financial sector.

The hacking group Hidden Cobra, also known as the Lazarus Group, has been orchestrating malware attacks against Turkish financial organizations that began earlier this month. They have included the targeting of an unnamed government entity involved in trade and finance, researchers from U.S.-based cybersecurity firm McAfee said Thursday.

{mosads}The attacks used a new variant of malware known as “Bankshot.” No money appears to have been taken in the attacks, but the researchers warned that they could be a precursor of future heists.

“Bankshot is designed to persist on a victim’s network for further exploitation; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations,” the researchers wrote in the report released Thursday.

North Korea has been increasingly linked to cyberattacks that could yield financial gains, as international financial sanctions have squeezed Pyongyang’s economy. Experts also see evidence of North Korean government hackers targeting cryptocurrency.

The U.S. Department of Homeland Security (DHS) first issued an alert on the Bankshot malware implant in December, tying it to Hidden Cobra, the name used by the U.S. government to describe malicious cyber activity from the North Korean government.

The activity against Turkish financial organizations is the first instance of new Bankshot variants surfacing in 2018, McAfee said. The malware has previously been tied to efforts to compromise global banking messaging system SWIFT.

The researchers traced the first infection of the new campaign to March 2 and 3, first targeting an unnamed government-controlled financial organization followed by a Turkish government entity involved in trade and finance. The researchers said the malware has not yet surfaced in other countries or sectors beyond finance.

The malware leverages a vulnerability in Adobe Flash that was only publicly identified at the end of January, meaning that the hackers worked quickly to develop malware to exploit the flaw.

“The campaign has a high chance of success against victims who have an unpatched version of Flash,” McAfee wrote.

The hackers attempted to lure their targets with spear-phishing emails containing information on cryptocurrency; the emails contained a malware-laden Microsoft Word document, McAfee said.