Nation-State Moneymule's Hunting Season – APT Attacks Targeting Financial Institutions

Presented at Black Hat Europe 2017, Dec. 6, 2017, 2:15 p.m. (60 minutes)

Lazarus, Bluenoroff, and Andariel are three notorious APT groups from North Korea, infamous for destructive attacks, cyber heists, and espionage. From DarkSeoul to the Sony Pictures Entertainment breach, the groups have conducted several operations that received international public attention.

Starting in 2016, we have observed a significant change in the targets and motivation of the groups. While the groups have a long history of conducting cybercrime and cyber espionage attacks, their operations have become more aggressive and more focused on cybercrime attacks targeting financial institutions. In February 2016, a series of attacks from the Lazarus group, which abused the SWIFT banking network to target the Bangladesh bank, were revealed. Later, in May, the global WannaCry ransomware attack was also linked back to the nation. However, these attacks were just the tip of the iceberg.

In this talk, we will disclose five recent operations conducted by the groups. These operations targeted banks in Europe and South Korea, an ATM company, and a Bitcoin exchange service provider. One of the operations involved another ransomware attack conducted before the WannaCry operation. We will introduce the malware, vulnerabilities, IOCs, and TTPs discovered in these attacks. In addition, we will show how we uncovered the black-market trading and Bitcoin transactions performed by the attackers. In the hope of making the world a safer place, we disclose this information to help financial institutions react to this substantial threat.


Presenters:

  • Kyoung-ju Kwak - Manager, Korea Financial Security Institute
    Kyoung-ju Kwak is a Security Researcher on the Computer Emergency Analysis Team at FSI (the Financial Security Institute in South Korea). Kyoung-ju currently works on threat analysis and dissects potential threats against the Korean financial industry. Kyoung-ju audited the national SCADA system and the Ministry of Land with the Board of Audit and Inspection of Korea as an Auditor General in 2016, and currently serves as a member of the National Police Agency Cyber-crime Advisory Committee. Kyoung-ju is the main author of the threat intelligence report "Campaign Rifle: Andariel, the Maiden of Anguish", published by FSI in 2017.
  • Min-Chang Jang - Assistant Manager, KFSI (Korea Financial Security Institute) and Korea University
    Min-Chang Jang works on threat analysis on the Computer Emergency Analysis Team of the Financial Security Institute. He is a graduate student majoring in cyber warfare at the SANE (Security Analysis aNd Evaluation) Lab (supervisor: Prof. Seungjoo Kim), Korea University. He served in the Korea Navy CERT for over two years. He is also interested in malware analysis, collecting embedded devices, and hunting and exploiting bugs.
  • Chi-en (Ashley) Shen - Independent Security Researcher
    Chi-en (Ashley) Shen is an independent security researcher focusing on APT research, malware analysis, and threat intelligence. Her professional experience includes a position as senior threat analyst at the security firm Team T5 Inc., where she worked on tracking and monitoring emerging cyber espionage attacks. To support women in InfoSec, Ashley co-founded "Hacks in Taiwan for GIRLS (HITCON GIRLS)", the first security community for women in Taiwan. She is also a frequent speaker at information security conferences, including Troopers, Hack In The Box, CODE BLUE, SecTor, FIRST, HITCON, and VXCON.