Researchers have linked malware behind a heist at the Bangladesh Bank earlier this year to malicious software used in the 2014 Sony hack.
In late April, the British defense contractor BAE Systems disclosed its belief that attackers had used “evtdiag.exe”, a malicious program its security researchers originally found in a malware repository, to infiltrate Bangladesh Bank’s computer system back in February.
The malware is designed to make a slight alteration to Access Alliance software in SWIFT, a secure messaging service provider for Bangladesh Bank and 11,000 other financial organizations all over the world.
BAE believes the attackers leveraged evtdiag.exe to modify a database at the bank, which gave them the ability to monitor incoming transfer records and to remove traces of the money orders they had made.
In total, the attackers attempted to fraudulently transfer one billion dollars out of the bank. All but four orders amounting to $81 million were eventually canceled by other routing banks and the Federal Reserve.
Bangladesh Bank is currently working to recover its lost monies.
In the meantime, researchers at BAE have published a report in which they explain that evtdiag.exe bears “the same unique characteristics” as software used in “Operation Blockbuster,” an attack campaign that dates back to at least 2009 and which includes the 2014 incident where attackers breached the computer systems at Sony Pictures Entertainment.
“What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign,” BAE’s security team said in a report released on Friday, as quoted by Reuters.
The defense contractor arrived at its conclusion based on the fact that the malicious samples used the same names for programming elements and encryption keys.
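The comparison BAE describes, matching names of programming elements and encryption keys across samples, is a routine code-similarity check in malware analysis. The following Python script is an added illustration of that method, not BAE's tooling or anything from its report: it extracts printable strings from two constructed byte blobs (standing in for two binaries, not real malware), discards common Windows API names that would appear in almost any program, and reports the identifiers the two samples share along with a Jaccard similarity score. The sample blobs, the ignore list and all identifier names are assumptions made for the example.

```python
import re
from typing import Set, Tuple

# Constructed stand-ins for two executables: fake header bytes followed by
# NUL-separated embedded strings. These are not real malware samples.
SAMPLE_A = (
    b"MZ\x90\x00\x03\x00"
    b"InitLogger\x00"
    b"RC4_Key_0x1234\x00"
    b"SendReport\x00"
    b"cfg.dat\x00"
    b"kernel32.dll\x00GetProcAddress\x00"
    b"\xff\xfe\x00"
)
SAMPLE_B = (
    b"MZ\x90\x00\x03\x00"
    b"InitLogger\x00"
    b"RC4_Key_0x1234\x00"
    b"WipeEvidence\x00"
    b"out.log\x00"
    b"kernel32.dll\x00GetProcAddress\x00"
    b"\xff\xfe\x00"
)

# Strings that almost every Windows binary contains; sharing them says nothing
# about common authorship, so they are excluded before scoring. Illustrative list.
COMMON_STRINGS = {"kernel32.dll", "GetProcAddress", "LoadLibraryA", "ExitProcess"}

MIN_LEN = 4


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> Set[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, blob)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def compare_samples(blob_a: bytes, blob_b: bytes,
                    ignore: Set[str] = COMMON_STRINGS) -> Tuple[Set[str], float]:
    """Shared distinctive strings between two samples and their Jaccard score.

    A high score is a lead for analysts, not proof of a single author: code can
    be copied between groups or deliberately planted to mislead attribution.
    """
    strings_a = extract_strings(blob_a) - ignore
    strings_b = extract_strings(blob_b) - ignore
    return strings_a & strings_b, jaccard(strings_a, strings_b)


if __name__ == "__main__":
    shared, score = compare_samples(SAMPLE_A, SAMPLE_B)
    print("shared distinctive strings:", sorted(shared))
    print("jaccard similarity: %.3f" % score)
```

Run as a script it lists the two identifiers the constructed samples have in common (`InitLogger` and the `RC4_Key_0x1234` key name) and a similarity of one third; the API names are shared too, but the ignore list keeps them from inflating the score.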
Adrian Nish, the head of threat intelligence at BAE, stated it was possible multiple programmers used the same code or deliberately made the two programs appear to be the same in an attempt to confuse investigators.
At this time, Nish is still unsure who was behind the Bangladesh Bank heist.
“They have a very unique approach,” he said, as reported by FOX News. “The links come through the code, which bears the hallmarks of a single, consistent coder.”
BAE’s report identifies the group of hackers responsible for the attack as “Group Zero.” That group is still inside Bangladesh Bank’s networks, as are a “nation-state actor” and another group of attackers known only as “Group Two.”
For its part, SWIFT maintains its software has not been compromised. However, its recent disclosure of a second malware attack against an unnamed commercial bank might place further scrutiny on the messaging network.
The investigation into this incident is ongoing.