Taiwan Bank Heist Linked to North Korean Hackers

A recent cyber-heist that targeted a bank in Taiwan has been linked by security researchers to an infamous threat group believed to be operating out of North Korea.

Hackers exploited the SWIFT global financial network to steal roughly $60 million from Taiwan’s Far Eastern International Bank. The money was transferred to several countries, but bank officials claimed they had managed to recover most of it. Two individuals were arrested earlier this month in Sri Lanka for their role in the operation.

Researchers at BAE Systems have identified some of the tools used in the attack and found connections to the North Korean threat actor known as Lazarus. This group is also believed to be behind the 2014 attack on Sony Pictures and campaigns targeting several banks, including Bangladesh’s central bank.

The attack on the Bangladesh bank, which resulted in the theft of $81 million, also involved the SWIFT system. Similar methods were also used to target several other banks, but SWIFT said some of the operations failed due to the new security measures implemented by the company.

While it’s still unclear how attackers gained access to the systems of Far Eastern International Bank, an analysis of various malware samples apparently involved in the attack suggests that the hackers may have used a piece of ransomware as a distraction.

The ransomware involved in the attack is known as Hermes. According to Bleeping Computer, the threat surfaced in February and its latest version has an encryption mechanism that makes it impossible to recover files without paying the ransom.

However, researchers at McAfee discovered that the Hermes variant used in the attack on the Taiwanese bank did not display a ransom note, which led them to believe it may have been only a distraction.

“Was the ransomware used to distract the real purpose of this attack? We strongly believe so,” McAfee researchers said. “Based on our sources, the ransomware attack started in the network when the unauthorized payments were being sent.”

BAE Systems has seen samples that drop a ransom note in each encrypted folder, but even they believe Hermes may have been used to distract the bank’s security team.

Another malware sample linked by BAE Systems to this attack is a loader named Bitsran, which spreads a malicious payload on the targeted network. This threat contained what appeared to be hardcoded credentials for Far Eastern International’s network, which suggests the threat group may have conducted previous reconnaissance.

Some pieces of malware discovered by BAE Systems are known to have been used by the Lazarus group, including in attacks aimed at financial organizations in Poland and Mexico. The malware includes commands and other messages written in Russian, which experts believe is likely a false flag designed to throw off investigators.

It’s worth noting that the Hermes ransomware samples checked the infected machine’s language settings and stopped running if Russian, Ukrainian or Belarusian was detected. This is common for malware created by Russian and Ukrainian hackers who often avoid targeting their own country’s citizens. However, this could also be a false flag.

Another piece of evidence linking the Taiwan bank attacks to Lazarus is the fact that money was transferred to accounts in Sri Lanka and Cambodia, similar to other operations attributed to the group.

Some experts believe that these bank heists and the WannaCry attack, which has also been linked by some to Lazarus, are campaigns launched by North Korea for financial gain. However, many of these operations don’t appear to have been very successful on this front.

“Despite their continued success in getting onto payment systems in banks, the Lazarus group still struggle getting the cash in the end, with payments being reversed soon after the attacks are uncovered,” BAE Systems researchers explained.

“The group may be trying new tricks to disrupt victims and delay their ability to respond – such as different message formats, and the deployment of ransomware across the victim’s network as a smokescreen for their other activity. It’s likely they’ll continue their heist attempts against banks in the coming months and we expect they will evolve their modus operandi to incorporate new ways of disrupting victims (and possibly the wider community) from responding,” they added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
