North Korean malware linked to Bangladesh bank hack

Forensic specialists investigating the online robbery of the Bank of Bangladesh earlier this year say the hacking tools used in the attack were written by the same authors that developed the malware used to attack Sony Pictures Entertainment in 2014 — blamed by U.S. authorities on North Korea.

Forensic specialists investigating the online robbery of the Bank of Bangladesh earlier this year say the hacking tools used in the attack were written by the same authors that developed the malware used to attack Sony Pictures Entertainment in 2014 — which was pinned by U.S. authorities on North Korea.

If North Korea does turn out to be behind the $81 million Bangladesh cyber heist, it will be only the latest example of the isolated communist state engaging in criminal activity to generate hard currency for its hereditary regime.

“Software developers … leave unique fingerprints behind,” said Colin McKinty, vice president for cybersecurity strategy at BAE Systems Applied Intelligence, whose team found identical functionalities in several sets of malware they analyzed.

The team were “following a chain of evidence … joining a picture together,” he said. The evidence trail led back from the Bangladesh heist — in which hackers compromised the victim’s computer network and sent money transfer orders through the Swift interbank messaging system — through a similar attempted attack against a Vietnamese bank last year, and finally to the malware used in the crippling Sony hack, which dumped gigabytes of confidential and embarrassing data on the web after wiping clean the servers and PCs on the company’s network.


It was that wiper function — and the precise way it was carried out — that led BAE to conclude the the same coder or team of coders was behind the various hacker tools. The tools were also all written in the same outdated programming language and contained near identical character strings.

“We believe that the same coder is central to these attacks,” wrote the BAE researchers in a blog post earlier this year.

The company was hired last month by Swift to help investigate the theft and shore up its customer security.

[Read more: Swift hires cybersecurity firms.]

While it is theoretically possible the authors of the Bangladesh heist malware deliberately re-used code from earlier attacks and compiled it in the 1998-era C++ 6.0 language, it is “very unlikely,” said McKinty. But he added, “We haven’t determined who is behind these attacks.”


“Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone,” wrote the researchers.

These are not meaningless caveats. A “black hat” coder might sell modified versions of their tools to several customers. A gang of hackers-for-hire might rent their skills to Pyongyang and later to cyber thieves seeking to rob Asian banks. North Korea’s elite hackers might even be moonlighting — using their skills and tools for their own personal benefit in their off-duty hours.

“Just because it’s done by state actor, doesn’t mean it’s necessarily a state act,” said one former U.S. intelligence official who follows North Korea.

But they added, “It certainly wouldn’t be the first time [Pyongyang] had gotten involved in criminal activities to get hard currency.”

Just last month, South Korean officials blamed the North for a massive campaign of personal data theft directed against South Korean consumers — and designed to make money for the regime they said.


Pyongyang earns as much as $1 billion a year from criminal activities including forging $100 bills, counterfeiting global cigarette brands and refining, making and selling drugs including heroin and methamphetamine, according to an assessment last week from the Center for Strategic and International Studies.

Shaun Waterman

Written by Shaun Waterman

Contact the reporter on this story via email, or follow him on Twitter @WatermanReports. Subscribe to CyberScoop to get all the cybersecurity news you need in your inbox every day at

Latest Podcasts