Ecuadorian bank, Banco del Austro (BDA), was breached in January 2015 and had almost $12 million stolen by attackers who were able to gain access to the SWIFT messaging system. By using advanced malware, the hackers were able to steal credentials of the bank’s employees and cover their tracks, making their fraudulent transactions seem legitimate. This attack is not the first of its type, as we are sure many people remember the recent heist of $81 million from Bangladesh’s central bank via the SWIFT system.
The Ecuadorian heist remained a secret until now, even from the SWIFT team; it came to light only because BDA recently filed a public lawsuit in a New York federal court against Wells Fargo bank for not spotting the fraudulent transactions. BDA is demanding that Wells Fargo return the full amount that was stolen, but Wells Fargo maintains that it “properly processed the wire instructions received via authenticated SWIFT messages.”
References: Ecuador Bank Hacker - $12 Million Stolen in 3rd Attack on SWIFT System | Third time unlucky for Swift as Ecuador bank hacked | Ecuador bank named as third potential victim of Bangladesh-style hackers
Researchers at Palo Alto Networks have uncovered a new malware family, which they have dubbed ‘TidePool’, that can read and write files on infected computers, run commands, and encode and exfiltrate data to a C&C server. The campaign behind it has so far targeted over 30 Indian embassies across the globe, using spear-phishing emails to trick employees into downloading the RAT (Remote Access Trojan). This activity alerted Palo Alto’s Unit42 research team to the similarities between ‘TidePool’ and the Ke3chang hacker group.
Ke3chang was first discovered in September 2013, when the group targeted five European Ministries of Foreign Affairs just before the G20 Summit with spear-phishing campaigns themed around the Syrian conflict. ‘TidePool’ shares many similarities with the BS2005 malware tied to the activities of the Ke3chang group, which was thought to be no longer active but has clearly spent the past two and a half years developing new malicious code.