Symantec: Another hacking group is targeting SWIFT users

"Discreet campaign" of malware attacks target banks

Symantec has warned that a second set of cybercriminals may have hacked banks who use SWIFT, after discovering a campaign of "discreet" malware attacks against financial organisations this year.

Organisations operating in sectors such as banking, trading and payroll have fallen victim to attacks using a previously undocumented malware called 'Trojan.Odinaff', according to new research by the cybersecurity firm.

Advertisement - Article continues below

Evidence suggests that users of SWIFT, the international messaging system used by many financial organisations, were targeted by this malware, which would hide fraudulent payment notifications from the user.

Symantec has confirmed to IT Pro that it has "logged 74 infections corresponding to individual computers", but added that some organisations are likely to have multiple infected machines.

A different group made a similar breach in February when $81 million was stolen from a Bangladesh bank. Lazarus, the group believed to have carried out the attack, was also involved in subsequent hacks of banks in Southeast Asia.

The attacks were likely financially motivated, according to Symantec, as 34% of recorded Odinaff hits were against the finance sector.

"Around 60% of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software apps," its report read.

Advertisement
Advertisement - Article continues below

A SWIFT spokeswoman said the company is aware of Odinaff and had shared telltale signs of the threat with its community of users over summer, as well as a "practical example" of the method it employs to breach banks.

Advertisement - Article continues below

Symantec did not name specific companies involved, but said the largest number of attacks by Odinaff were in the US, UK, Hong Kong, Australia, and Ukraine.

"One of the most common methods of attack is through lure documents containing a malicious macro," the report states. "If the recipient opts to enable macros, the macro will install the Odinaff Trojan on their computer."

Symantec has made links between these latest attacks and the activities of the Carbanak group, which first began operating in 2014 and has reportedly stolen around $1 billion in worldwide hacks. The two groups both favour targets in the finance sector and have used the same IP addresses to connect to servers.

Advertisement

Recommended

Visit/security/hacking/355227/65-country-coronavirus-team-protects-the-technological-infrastructure-of
hacking

Cyber security experts form COVID-19 taskforce to combat ransomware attacks

3 Apr 2020
Visit/security/cyber-security/355210/cyber-criminals-torn-over-how-to-adapt-to-post-coronavirus-threat
cyber security

Hackers torn over how to adapt their tactics to the coronavirus pandemic

3 Apr 2020
Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020

Most Popular

Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020
Visit/business-strategy/flexible-working/355186/why-were-lucky-covid-19-has-come-now
flexible working

Why we’re lucky COVID-19 has come now

3 Apr 2020