Russian threat intelligence firm Group-IB alleges that North Korea is behind recent attacks against financial institutions in Europe employing fraudulent SWIFT messages. But other experts caution that such conclusions shouldn't be made solely based on technical data.
Moscow-based Group-IB, which advises financial institutions on cybercrime activity, says it investigated attacks executed early this year by the Lazarus hacking group, which is suspected of having links to the Pyongyang-based regime in North Korea.
Group-IB says it "collected a broad range of data, both technical and strategic, which places clear attribution on North Korea," according to a 53-page report, released Tuesday. The same day, Group-IB described details of many of its findings in a blog post.
The computer security company Symantec has done extensive research into the Lazarus group, although it is cautious about attributing attacks to nations or individuals. Vikram Thakur, a technical director at Symantec who reviewed Group-IB's findings, says IP addresses - referenced by Group-IB in its assessment - serve as "very weak" signals for attribution.
"That being said, the amount of research that Group-IB seems to have done seems extremely extensive, to the point where they've got to be really close to the final level to where the attacker is really running the operation from," Thakur says.
Security companies and law enforcement officials say Lazarus was behind attacks that employ fraudulent money-moving messages sent via the international messaging system maintained by SWIFT, formally known as the Society for Worldwide Interbank Financial Telecommunication. The most brazen such SWIFT incident led to $81 million being stolen in February 2016 from the central bank of Bangladesh's account at the New York Federal Reserve (see Report: DOJ Sees Bangladesh Heist Tie to North Korea).
FBI Ties Lazarus to North Korea
Lazarus has been connected to North Korea before, perhaps most significantly by former FBI Director James Comey. The U.S. quickly attributed the attacks against Sony Pictures Entertainment to North Korea in December 2014, a conclusion that was met with skepticism because of a lack of technical detail (see FBI Attributes Sony Hack to North Korea).
Speaking at a cybersecurity conference at Fordham Law School in January 2015, Comey said the FBI saw North Korean IP addresses tied to the attack, likely exposed after the attackers either neglected to use a proxy server or had a technical problem.
Earlier this year, Kaspersky Lab said it noticed a North Korean IP address in server logs while investigating the same attack wave studied by Group-IB. Kaspersky Lab stopped short of attributing the attacks to North Korea, instead saying the IP address it found is "a key part" of the Lazarus investigation.
Group-IB's report contains many findings that were also observed by Kaspersky, says Noushin Shabab, a senior security researcher with Kaspersky Lab based in Australia. "We found solid indications that these activities are from the Lazarus group, which is linked to North Korea," says Shabab, who reviewed Group-IB's findings.
Lazarus is allegedly controlled by Bureau 121, a division of the Reconnaissance General Bureau - a North Korean intelligence agency. "Bureau 121 is responsible for conducting military cyber campaigns," according to Group-IB.
Watering Holes, Suspicious IPs
Group-IB analyzed the infrastructure used by Lazarus in its SWIFT-related attacks against European banks earlier this year. The hacking group gained access to banks' systems through watering-hole attacks, which involved seeding malware on websites likely to be visited by bank employees.
Watering-hole attacks were planted on the websites of the Polish Financial Supervision Authority, Mexico's National Banking and Securities Commission, and one state-owned bank in Uruguay. If someone visits a tampered-with web page, their computer could be automatically and silently infected with malware.
Lazarus doesn't use zero-day vulnerabilities, Group-IB says in its report. Instead, the watering hole attacks targeted known vulnerabilities in applications such as JBoss application server and portal software called Liferay. The group's attacks also leverage known exploits for the Silverlight and Flash multimedia programs.
Once inside an organization, Lazarus sets up a three-layer communication relay that's encrypted over SSL and leads back to the attackers, Group-IB says. The communication is designed to avoid detection by security software. Group-IB says it built a special tool to monitor the communications.
At the end of these layered chains, Group-IB says it found two IP addresses. One is 184.108.40.206. That belongs to Star Joint Venture Company, which is North Korea's sole block of assigned IP addresses (see Kaspersky Links North Korean IP Address to Lazarus).
The other IP address, 220.127.116.11, appears to belong to China Netcom. But Group-IB writes that "some sources indicate that the set of IPs 18.104.22.168/24 is assigned to North Korea."
No Smoking Gun
IP addresses identify a machine on a network. But they don't identify who is using that machine, or who may have gained unauthorized access to it, using it to hide their own tracks.
The reason why seeing a North Korean IP address is so compelling is that the country has a very tiny IP space: just 1,024 addresses run by Star Joint Venture. Internet access in North Korea is tightly controlled, and few people have access to it.
Still, nothing is impervious to cyberattacks. Given North Korea's reputation as a pariah state, it would be convenient to stage a so-called false-flag attack to deflect blame for bank attacks onto Pyongyang.
In fact, Lazarus has already been seen using similar tactics. Group-IB says it found transliterated Russian words inside code used by Lazarus. Some of the words were incorrectly used, leading the company to believe that Lazarus wants security analysts to think the hackers are Russian speakers. Again, that would mark an attempt to deflect blame onto a convenient scapegoat.
Symantec's Thakur says that his company steers away from attribution based on IP addresses. The final leap can usually only be made with some human intelligence, and Symantec is not in that business, he notes.
"It's a level of attribution that we very, very rarely attempt to follow," Thakur says. "We draw the line at the technical findings, and then we leave the rest for agencies which have human intelligence involved or agencies which have a much more vested interest in finding the person behind the attacks."