Typo Bank Attacks Linked With 2014 Sony Pictures Hack

By Jamie Condliffe on at

Security researchers have identified “strong links” between recent SWIFT bank attacks, one of which was foiled by a typo, and the Sony Pictures hacks of 2014.

You probably remember the recent bank of Bangladesh hack, in which criminals made off with £50 million before being caught by a typo. The hackers used malware, called evtdiag.exe, which allowed them to change records on the SWIFT financial messaging system in order to hide what they were up to. Another, similar, attack was announced on Friday.

Analysis by security researchers form BAE Systems, however, suggests that there are large similarities between code used in these recent hacks and those levelled at Sony Picture back in 2014.

The Sony hack was a huge deal: The studio’s secrets were exposed, while past and present employees found themselves to be collateral damage. Ultimately, the studio even canned the screen of an entire film — The Interview — because of demands made by the hackers. The FBI has claimed that North Korea was behind the attack, though it was never proven with absolute certainty.

The analysis of the attacks by researchers Sergei Shevchenko and Adrian Nish reveals that the two hacks used identical techniques to wipe files from targeted computers. The technique fills a file with nonsense characters and renames it before deleting it, making it impossible to recover the original data.

The pair notes that “it is possible that this particular file-delete function exists as shared code, distributed between multiple coders who look to achieve similar results”. But it also adds that the code isn’t publicly available, and that the technique is an unusual one. As a result, the researchers believe that “the same coder is central to these attacks”.

That doesn’t, however, go any way to explaining who the hacker in question is, or how the attacks came about. If the conclusion is correct, though, plenty of people would be very, very keen to find out. [BAE Systems via CSO]