Now Russian hackers are linked to bank cyber heists via Dridex malware
Not just the North Koreans targeting banks' SWIFT terminals, suggests report
As many as 12 banks have contacted security services company FireEye, according to Bloomberg, over fears that the security of their SWIFT payment systems might have been compromised by hackers.
And a new link to Russian cyber-crime gangs has emerged, just weeks after researchers suggested that North Korea's secretive 'Office 39' outfit might be behind the attacks.
The banks have come forward seeking security consulting following publicity over an attack on Bangladesh's central bank. That had seen the attackers get away with $81m in a string of fraudulent transfers out of a total of $951m that they had set up. The attackers had gained remote access to the bank's SWIFT bank transfer terminals following the compromise of an executive's PC via a spear-phishing attack.
In May, security services company Symantec suggested that an analysis of some of the malware used in the attack indicated a North Korea link. That had followed an in-depth analysis by the IT security arm of BAE Systems, which is also investigating the Bangladesh Bank attack, linking the cyber heists to the same group behind the 2014 attack on Sony Pictures Entertainment, carried out over the release of a film depicting the assassination of North Korean leader Kim Jong-un.
The latest report from Bloomberg suggests that the Dridex malware suite was used in a number of the attacks. Attacks using Dridex have been linked to a gang or gangs operating in Russia, Moldova and Kazakhstan. "It could also mean that the malware is being sold to other parties on the black market," conjectured Bloomberg.
Dridex was first identified in the wild in 2014. It specialises in stealing bank credentials and is propagated via phishing campaigns using an email attachment that, when opened, downloads the malware.
When contacted by Computing, FireEye refused to comment on Bloomberg's claims that 12 banks have contacted it fearing that they, too, may have been targeted by the gang or gangs targeting their SWIFT systems.