North Korea targeted Turkish financial sector in cyberattacks in early March, McAfee says

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. (REUTERS Photo)

A reputed North Korean hacker group targeted Turkey's financial sector in a series of cyberattacks on March 2 and 3, experts from cybersecurity firm McAfee LLC said Thursday.

A blog post from the U.S.-based firm said the cybercrime group Hidden Cobra, also known as the Lazarus Group, seems to be behind malware attacks orchestrated against "a major government-controlled financial organization, a government body involved in finance and trade, and three other large financial institutions in Turkey" at the beginning of the month.

The organizations were targeted via phishing emails which included a malicious Microsoft Word document named Agreement.docx containing an exploit for CVE-2018-4878, a recently-patched Adobe Flash Player flaw that was used in the zero-day campaign against South Korean individuals.

The attack also resembled previous strikes by Hidden Cobra launched against global banking messaging system SWIFT, raising further suspicion of North Korean involvement.

The hackers used a new variant of malware known as "Bankshot" in the attacks, McAfee said.

McAfee's Advanced Threat Research team detected the reemergence of Bankshot, a modified malware which utilizes a recently-revealed vulnerability in Adobe Flash, on Feb 28.

The malware implant, which first appeared last year, was tied to Hidden Cobra by the U.S. government in December.

"Bankshot is designed to persist on a victim's network for further exploitation; thus the Advanced Threat Research team believes this operation is intended to gain access to specific financial organizations," the report said.

McAfee said this was the first time a Bankshot variant was tied directly to finance-related hacking.

No money appears to have been stolen in the attacks but McAfee warned, "The campaign has a high chance of success against victims who have an unpatched version of Flash," and may just be the first in a chain of cyberattacks for a future heist.

The report has also reignited speculation Pyongyang could be unleashing cyberattacks once again. The U.S. has publicly blamed North Korea for launching the so-called WannaCry cyberattack that crippled hospitals, banks and other companies across the globe in 2017. South Korean lawmakers have also said North Koreans were responsible for billions lost in theft from local cryptocurrency exchanges in 2017.
