On May 24 computers in Banco de Chile offices and branches suddenly rebooted and changed screen colour to black. Local media outlets reported that bank branches cannot operate due to broken workstations. Banco de Chile was quick to acknowledge issues and recommended using online and mobile banking, which operated without interruption.
Dear customers: Please use our website and mobile apps. We are working on restoring some services that are currently unavailable.
— Banco de Chile (@bancodechile) May 24, 2018
The bank also issued a formal statement to inform its customers that their funds were safe.
Official statement pic.twitter.com/mPiHozAbSt
— Banco de Chile (@bancodechile) May 24, 2018
Incident analysis
We decided to look deeper into this incident and quickly identified a blog post on www.seguridadyfirewall.cl which included a picture of a computer screen in the bank's offices.
It looks like something destroyed the MBR and the computers cannot boot. After a few days of research we were able to confirm that around 10,000 Windows computers and servers were destroyed by a very simple piece of malware. We were able to identify a post on a Chilean forum, where one of the users published a chat log with someone claiming insider knowledge, mentioning 9,000 PCs and 500 servers destroyed by the attack throughout Chile.
Banco de Chile did confirm it was a virus attack, but did not provide any further explanation of the circumstances of the incident.
Trend Micro published a nice analysis of the file responsible for the data destruction. Based on the information we have been able to gather so far, the malicious file is a really simple tool – it just damages the MBR and reboots the computer. It was allegedly deployed via an antivirus update mechanism.
Money stolen?
Why would anyone just destroy thousands of a bank's workstations? While we kept looking for further clues we found an interesting tweet by a local journalist claiming USD 11 million was stolen from the bank at the same time the wiper destroyed the workstations.
I have just had it confirmed (by a source who asked not to be named) that on Wednesday this week Banco de Chile WAS indeed hacked. In fact, USD 11 M was stolen from them, and as of today all the PCs have gone black. It is presumed to have been an inside job in retaliation for the layoffs.
— Rodrigo Escobar Pohlhammer (@repohlhammer) May 26, 2018
While the journalist claims it could have been an inside job, we also found out that allegedly some artefacts of a well-known Lazarus toolset were identified in the bank's systems. Trend Micro believes that a wiper variant was connected to the foiled heist in Mexico in January. We have no knowledge of any connection between the alleged unauthorised transfers and the wiped workstations, but the two incidents could have something in common. The investigation continues and we hope to learn more in the future.