Attackers targeting Far Eastern International Bank (FEIB), a commercial firm in Taiwan, moved funds from its accounts to multiple overseas beneficiaries. In a story reminiscent of the Bangladesh Bank case, the culprits had compromised the bank’s system connected to the SWIFT network and used it to perform the transfers.
In recent days, various malware samples have been uploaded to malware repositories which appear to originate from the intrusion. These include both known Lazarus group tools, as well as a rare ransomware variant called ‘Hermes’ which may have been used as a distraction or cover-up for the security team whilst the heist was occurring.
Little information is available at present about when or how the attackers compromised the bank, but it is likely more details will emerge in the coming weeks. Our new blogpost seeks to summarise what is in the public domain at the moment, as well as analyse the samples uploaded to malware repositories.
Head of Cyber Threat Intelligence Dr Adrian Nish said:
“The significance of our findings is that this attack links to the Lazarus group. The same malware was also seen in recent attacks on banks in Poland and Mexico. In this case, it appears they deployed ransomware across the bank’s network and we suspect this was to provide a distraction or smokescreen whilst they targeted the payments system to illegally transfer money. This case is evidence of the continued threat to the payments industry and underscores the importance of the increased security measures SWIFT are driving forward.”