Swift network banking attack linked to Sony hack


In an investigation, the security firm BAE Systems points to several similarities between the internet attack on two banks and the attack on Sony in November 2014. The attacks may have been carried out by the same party.

On Friday, payment organization Swift announced that a second bank, in addition to the central bank of Bangladesh, had been the victim of a malware attack, but did not name which bank. The BAE Systems investigation mentions a bank in Vietnam, so it is possible that this is the second bank affected. However, this has not been confirmed, and Reuters was unable to get a response from the Vietnamese government. Reports also surfaced Friday that, according to an investigation, the attackers are still present in the network of the central bank of Bangladesh. Three groups are said to be involved, one of which is a ‘nation-state actor’, Reuters reports.

BAE Systems told the news agency that its investigation is aimed at obtaining technical evidence and not at determining the identity of the attackers. Still, in its report the company points out a number of striking similarities with the Sony hack. The unusual file-deletion functionality was the first thing that caught the researchers’ attention. By generating digital signatures of the file, they were able to compare it with entries in a large malware database.

This comparison revealed that the file in question, msoutc.exe, had previously been uploaded to the database by a user in the US on October 24, 2014, a month before the hack on Sony became known. The file creates a mutual exclusion object, or mutex, to check whether the malware is already running on the system. It also installs itself as a process called ‘Indexing Manager’. In addition, it keeps log files, which are encrypted with a specific key.

The mutex that was found appeared in combination with the same encryption key in an analysis by PwC in 2015. Both similarities are also described in a warning issued by US-CERT in late 2014, which describes a tool used in the hack on a ‘large entertainment company’. This most likely refers to the Sony hack. Further details about the tool came to light in February 2016, according to BAE Systems. Another important similarity between the attacks on the banks and on Sony is the unusual way files are deleted: a file is first moved and renamed before it is deleted, presumably to make recovery more difficult.

Other similarities between the attack on the banks and that on Sony are spelling mistakes, such as ‘Mozillar’ instead of ‘Mozilla’ in the Sony attack. BAE Systems’ description does not indicate that the same spelling errors were identified in the different hacks, but rather that the software used in each hack contained its own spelling errors. Another similarity is that in all cases the software appears to have been written in the Visual C++ 6.0 environment. BAE Systems itself notes that it is also possible that different parties have used the same software, but that this is not likely, because the code is not publicly available and does not occur in other software.

The hack on Sony was attributed by the US to North Korea. However, that country denied any involvement.
