Massive Downtime Caused By Bad Guys Killing Bank’s 9,500+ Systems

A cyberattack against Banco De Chile (BDC)—that country’s largest financial institution—bricked a hair-raising 9,000 workstations and 500 servers. However, killing these machines was actually just to a cover trying to hide illegal transactions on the SWIFT network where banks transfer funds internationally. After the dust settled, $10 million was funneled off to accounts in Hong Kong.

BDC’s general manager Eduardo Ebensperger told Chilean media outlet Pulso that the late-May attack allowed the attackers to complete four separate fraudulent transactions before the cyberheist was discovered. The massive downtime caused by this wiper-attack will be an order of magnitude more expensive than the 10 million that was stolen, the bank had to halt almost all operations at its 400 branches throughout the country. It took almost two weeks for the bank to resume normal services.

The bad guys used extremely destructive wiper malware similar to NotPetya trying to cover their tracks. Its main functionality is to wipe the disk —hence destroying forensics data. Trend Micro analysts discovered that the code is a modified strain of the Buhtrap malware component known as Kill_OS, which bricks the box by overwriting the Master Boot Record (MBR). Here is how that looks close-up.

BDC is the latest victim in a string of cyber-attacks targeting Latin American payment transfer systems. For instance, in May, Somewhere between $18 million to $20 million went missing during unauthorized SWIFT money transfers in Mexico’s Bancomext central banking system.

Forensic experts consulted by Bancomext would later tell the bank that hackers had managed to penetrate its Swift connection thanks to 0-day malware that had been activated after an employee clicked on a phishing email attachment. It is expected that the BDC hack was also caused by a similar social engineering attack using email.

“Who Done It”, Russia, North Korea or copycats?

The attribution behind the BDC attack remains uncertain.

The Buhtrap malware and its components, including MBR Killer, were previously used by a Russian-speaking hacker collective in attacks against multiple financial institutions in Russia and the Ukraine, Flashpoint noted.

However, Chilean financial institutions were targeted entities by the Lazarus Group, which was linked to North Korea, during the compromise of the Polish Financial Supervision Authority website in 2017,” Vitali Kremez, director of research, told Threatpost in an interview.

Ofer Israeli, CEO of Illusive Networks, said via email that he too believes the North Korea-linked Lazarus Group, which is thought to have carried out the SWIFT attacks in Bangladesh in 2016, is behind it all.

It’s also possible, researchers said, that it’s an entirely different copycat group making use of Buhtrap’s leaked source code and running a false flag operation.

What To Do About It

Trend Micro at the end of their technical write-up gave some good hints and tips about mitigation and best practices:

  • Identify and address security gaps
  • Secure mission-critical infrastructure
  • Enforce the principle of least privilege
  • Proactively monitor online premises
  • Foster a culture of cyber security: Many threats rely on social engineering to succeed. Awareness of the telltale signs of spam and phishing emails, for instance, significantly helps thwart email-based threats.
  • Create a proactive incident response strategy.

We could not agree more. Start by stepping your users through GDR Group’s Security Awareness Training Program so they stay on their toes with security top of mind.

Cyber-attacks are rapidly getting more sophisticated. GDR Group will help train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now and email [email protected] to request a quote for security awareness training for your organization.