North Korean hacking group allegedly targets Turkish financial institutions

ISTANBUL

A suspected North Korean cybercrime group, known as the “Hidden Cobra,” targeted Turkey’s financial industry earlier this month, U.S.-based cyber firm McAfee claimed on March 8 in a report published on its blog, securingtomorrow.mcafee.com.

“We observed the return of Hidden Cobra’s Bankshot malware implant surfacing in the Turkish financial system. Based on the code similarity, the victim’s business sector, and the presence of control server strings, this attack resembles previous attacks by Hidden Cobra conducted against the global financial network SWIFT,” the company stated.

The cyber-attack on Turkey’s financial sector reportedly occurred on March 2 and March 3 and it was intended to gain access to specific financial organizations.

“The implant’s first target was a major government-controlled financial organization. It next appeared in another Turkish government organization involved in finance and trade. A further three large financial institutions in Turkey were victims of this attack,” the company said, without naming the financial organizations or institutions allegedly targeted.

It noted that the implant has so far not surfaced in any other sector or country.

Phishing mails

Financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document which contains an embedded Adobe Flash exploit, McAfee stated.

Bankshot implant, which was first reported by the U.S. Department of Homeland Security in December 2017, is designed to persist on a victim’s network for further exploitation.

Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity, according to the report.

McAfee warned that the latest campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.

The Turkish authorities have not yet commented on the alleged cyber-attack report.

Not the first cyber-attack on Turkey’s finance industry

In 2015 and 2016, a series of cyberattacks targeted SWIFT, a Belgium-based co-operative owned by its user banks including both central banks and commercial banks.

SWFIT handles trillions of dollars in fund transfers daily, and is considered the backbone of international banking.

During the campaign of cyber-attacks on the SWIFT transfer system, hackers also targeted the Turkish lender Akbank in December 2016.

Akbank said at the time that it faced a liability of up to $4 million from the incident but “no customer information was compromised.”