North Korea Link Suspected in Taiwan Bank Cyberheist

A North Korea-linked cybercrime ring suspected of raiding Bangladesh's central bank last year was likely responsible for the recent theft of $60 million from a Taiwanese bank, cybersecurity researchers say.

The ring, called the Lazarus group, has been implicated in an $81 million theft from the central bank of Bangladesh, as well as the disruptive WannaCry ransomware attack earlier this year and the 2014 hack of Sony Pictures Entertainment.

In a blog post Tuesday, cybersecurity researchers at U.K. defense company BAE Systems PLC also implicated Lazarus in the Taiwanese theft, saying that tools used in the attack on the Far Eastern International Bank include those used by Lazarus in the past.

"The attack this month on Taiwanese Far Eastern International Bank has some of the hallmarks of the Lazarus group," BAE researchers wrote.

The suspected ties to Lazarus suggest the group's continued focus on financial cybercrimes. In addition to the Bangladesh Bank theft, the BAE researchers said the group has been targeting bitcoin and is behind attacks on banks in Mexico and Poland.

Security researchers suspect the group has links to North Korea. U.S. authorities have said that one hack also linked to Lazarus--the 2014 Sony Pictures hack--originated in North Korea. The country has denied being behind the attack.

The BAE researchers said they found further evidence of the group's North Korea links, saying they observed infrastructure in North Korea controlling the malware used in a previous Lazarus-linked attack. Representatives at North Korea's Beijing embassy and Hong Kong consulate weren't immediately available for comment.

The post sheds further light on the breach of the Taipei-based Far Eastern International Bank. The breach resulted in the transfer of funds to accounts in Sri Lanka, the U.S. and Cambodia after the perpetrators penetrated the bank's access to the financial-messaging service known as the Society for Worldwide Interbank Financial Telecommunication, or Swift.

Other cyberattacks in the past year have penetrated banks' access to Swift, including the Bangladesh Bank theft.

In a statement, Swift said: "We have no indication that our network and core messaging services have been compromised."

Sri Lankan authorities arrested two people suspected in the theft, Taiwanese state media reported last week, with one of the individuals caught after trying to withdraw the equivalent of about $520,000. A representative from the Far Eastern International Bank didn't immediately respond to a request for comment.

The BAE researchers said they found a number of clues implicating Lazarus in the Taiwanese breach. Among them was the use of accounts in Sri Lanka and Cambodia as destinations for the stolen funds, as well as the use of malware previously used in Lazarus attacks on banks in Poland and Mexico.

While the group has succeeded in penetrating financial institutions, it still has trouble making off with its plunder, the BAE researchers said. They said payments are often quickly reversed after they are uncovered.

"The group may be trying new tricks to disrupt victims and delay their ability to respond," the researchers said, including "different message formats, and the deployment of ransomware across the victim's network as a smokescreen for their other activity."

Security researchers have linked Lazarus to the WannaCry attack, a ransomware assault that began in May and affected more than 200,000 computers in more than 100 countries. The attack exploited Windows systems lacking up-to-date security patches.

In the Bangladesh central-bank breach, the group was suspected of stealing $81 million from the Bangladesh Bank's account at the Federal Reserve Bank of New York last year after initiating fraudulent orders asking for nearly $1 billion.

Write to Dan Strumpf at daniel.strumpf@wsj.com

(END) Dow Jones Newswires

October 17, 2017 09:29 ET (13:29 GMT)