Banco de Chile (BDC), the country's largest financial institution, was the victim of a cyber-attack that bricked a shocking 9,000 workstations and 500 servers. After bricking the devices, the attackers covertly carried out illegal transactions on the SWIFT network worth approximately $10 million and funnelled the money off to international accounts in Hong Kong.
On Sunday, Eduardo Ebensperger, BDC's general manager, told Chilean media outlet Pulso that the late-May attack allowed the attackers to complete four separate fraudulent transactions before the cyber-heist was discovered. The massive downtime caused by this wiper attack will result in damage exceeding the $10 million that was stolen: the bank had to halt operations at all 400 of its branches throughout the country, and it took two weeks to recover.
The perpetrators covered their tracks using tactics similar to those of the NotPetya malware, wiping the disk and thereby destroying forensic data. Cyber-security analysts discovered that the code is a modified strain of the Buhtrap malware component known as Kill_OS, which bricks the machine by overwriting the Master Boot Record (MBR).
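The Kill_OS behaviour described above, overwriting the first sector of the disk, is something a defender can watch for with a periodic integrity check of that sector. The following is an added example in Python, not code from the original article or from any vendor or researcher named in it. It constructs a sample 512-byte MBR in memory (the boot code, disk signature and partition entry are made-up values), records a SHA-256 baseline of the known-good sector, and then reports how a sector differs from that baseline and from the structural properties every valid MBR has: the 0x55AA boot signature at offset 510 and a non-empty partition table at offset 446.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PARTITION_ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Construct a minimal, well-formed MBR for the demonstration.

    Constructed sample data only; none of these values come from a real disk.
    """
    boot_code = bytes([0xFA, 0x33, 0xC0]) + b"\x90" * 437   # 440 bytes of placeholder boot code
    disk_signature = struct.pack("<I", 0xDEADBEEF)         # made-up 32-bit disk signature
    reserved = b"\x00\x00"
    # One bootable NTFS-type (0x07) partition starting at LBA 2048, plus three empty entries
    entry = struct.pack(PARTITION_ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    empty_entry = b"\x00" * 16
    sector = boot_code + disk_signature + reserved + entry + empty_entry * 3 + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Inspect a 512-byte sector and report the properties a wiped MBR lacks."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    has_signature = sector[510:512] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY_FORMAT, sector[start:start + 16])
        if ptype != 0x00:  # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    boot_code_blank = all(b == 0x00 for b in sector[:PARTITION_TABLE_OFFSET - 6])
    return {
        "has_boot_signature": has_signature,
        "partition_count": len(partitions),
        "boot_code_blank": boot_code_blank,
        # A missing signature alone is enough to stop the BIOS from booting the disk
        "looks_wiped": (not has_signature) or (boot_code_blank and not partitions),
    }


def baseline_hash(sector: bytes) -> str:
    """SHA-256 of the known-good sector, recorded once while the system is healthy."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, known_good_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["has_boot_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["partition_count"] == 0:
        findings.append("partition table is empty")
    if baseline_hash(sector) != known_good_hash:
        findings.append("sector hash differs from recorded baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = baseline_hash(good)
    # Simulated overwrite: the sector filled with zeros (constructed, not a real capture)
    zeroed = b"\x00" * SECTOR_SIZE
    print("healthy sector:", check_mbr(good, baseline) or "no findings")
    print("zeroed sector: ", check_mbr(zeroed, baseline))
```

On a live Windows or Linux host the sector to check is the first 512 bytes of the boot disk, which requires administrative rights to read; the baseline hash should be stored off the host (for example in the monitoring system), since a wiper that rewrites the MBR can just as easily destroy a baseline kept alongside it.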
So how did this happen?
You are probably asking, “How did this happen to a bank?” It turns out there have been multiple attacks targeting Latin American payment transfer systems, and BDC is only the latest victim. For instance, in May 2018 an estimated $18 to $20 million went missing from Mexico's Bancomext central banking systems through unauthorized SWIFT money transfers.
Forensic experts consulted by Bancomext discovered that the 0-day malware was able to penetrate the bank's SWIFT connection after an employee clicked on a phishing email attachment that had been socially engineered to target BDC specifically. This activated the malware, which then spread throughout the network to cause unimaginable havoc.
Who is to blame – Russia, North Korea, or copycat hackers?
For now, it is not known who is behind this devastating attack on the bank. However, because the attack used the Buhtrap malware and its components, including the MBR killer, the attackers are suspected to be Russia-based: similar attacks were carried out by a Russian-speaking hacker who targeted multiple financial institutions in Russia and Ukraine.
However, Vitali Kremez, director of research, told Threatpost in an interview: “Chilean financial institutions were targeted entities by the Lazarus Group, which was linked to North Korea, during the compromise of the Polish Financial Supervision Authority website in 2017.”
In 2016, similar attacks were carried out against Bangladesh's SWIFT transactions, and the North Korea-linked Lazarus Group is suspected of having been behind them.
Without clear proof or evidence, at this stage it could be anyone, including an entirely different group using Buhtrap's leaked source code and running a false-flag operation.
What can you do about it?
It is difficult to mitigate this type of 0-day malware event; however, some tips and best practices can be employed, such as:
- Identify and address security gaps
- Secure mission-critical infrastructure
- Enforce the principle of least privilege
- Proactively monitor online premises
- Foster a culture of cyber security: Many threats rely on social engineering to succeed. Being aware and looking for signs of spam and phishing emails, for instance, significantly helps thwart email-based threats.
- Create a proactive incident response strategy.
Employees are the weakest link
Our belief is that no matter what best practices are applied to infrastructure or company policy, your employees will always be the weakest link. Start by stepping your users through new-school security awareness training, so that they stay on their toes with security top of mind.
Make sure you understand how vulnerable your employee base is and the risk they pose to your environment. As this recent case has demonstrated, it only takes one employee clicking on a targeted phishing email to cause severe damage. According to the U.S. Small Business Administration, 90% of businesses will go out of business in the second year after being struck by a disaster.
Get a Free Baseline Phishing Test
Contact us to run a free baseline phishing test; this test will help you understand whether, and how much of, a risk your staff pose to your business. Call 1300 326 748 to get a baseline phishing test, or visit our website for more information: https://paisleyaustralia.com.au/enterprise-cyber-security-awareness-training/