Banco de Chile victim of a devastating wiper attack, money allegedly stolen


08.06.2018 | 07:13


badcyber


On May 24 computers in Banco de Chile offices and branches suddenly rebooted and changed their screen colour to black. Local media outlets reported that bank branches could not operate because of the broken workstations. Banco de Chile was quick to acknowledge the issues and recommended using online and mobile banking, which operated without interruption. https://twitter.com/bancodechile/status/999674101273853955 The bank also issued a formal statement to inform its customers that their funds were safe. https://twitter.com/bancodechile/status/999734874981400576

Incident analysis

We decided to look deeper into this incident and quickly identified a blog post on www.seguridadyfirewall.cl which included a picture of a computer screen in the bank's offices.

It looks like something destroyed the MBR, so the computers cannot boot. After a few days of research we were able to confirm that around 10,000 Windows computers and servers were destroyed by a very simple piece of malware. We were also able to identify a post on a Chilean forum where one of the users published a chat log with someone claiming insider knowledge, mentioning 9,000 PCs and 500 servers destroyed by the attack throughout Chile.

Banco de Chile confirmed it was a virus attack, but did not provide any further explanation of the circumstances of the incident. Trend Micro published a nice analysis of the file responsible for the data destruction. Based on the information we were able to gather so far, the malicious file is a really simple tool - it just damages the MBR and reboots the computer. It was allegedly deployed via an antivirus update mechanism.
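An MBR that has been overwritten in this way is easy to recognise in a disk image, and a defender triaging a fleet of non-booting machines wants a quick check rather than a manual hex dump. The following script is an added example written for this post, not code from the original article or from the malware analysis it cites: it reads one 512-byte sector, verifies the 0x55AA boot signature, parses the four partition entries and classifies the sector as intact, suspicious or wiped. The sample MBR bytes are constructed inline for demonstration.

```python
"""Triage helper: classify a 512-byte MBR sector as intact, suspicious or wiped."""
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # signature at offset 510 of a valid MBR
TABLE_OFFSET = 446              # four 16-byte partition entries follow the boot code


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition entries (status, CHS, type, CHS, LBA, size)."""
    parts = []
    for i in range(4):
        entry = mbr[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba, size = struct.unpack("<B3xB3xII", entry)
        parts.append(Partition(status == 0x80, ptype, lba, size))
    return parts


def triage_mbr(mbr: bytes) -> str:
    """Return a short verdict for one sector; raise on a malformed input length."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if mbr == b"\x00" * SECTOR:
        return "wiped: sector zero-filled"
    if mbr[510:512] != BOOT_SIG:
        return "wiped: boot signature 0x55AA missing"
    used = [p for p in parse_partitions(mbr) if p.type_id != 0]
    if not used:
        return "suspicious: signature present but no partition entries"
    if not any(mbr[:TABLE_OFFSET]):
        return "suspicious: boot code area zeroed"
    return "intact: %d partition(s)" % len(used)


def build_sample_mbr() -> bytes:
    """Constructed sample: dummy boot code, one bootable NTFS-type (0x07) partition."""
    boot_code = bytes(range(1, 200)) + b"\x00" * (TABLE_OFFSET - 199)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIG


def triage_file(path: str) -> str:
    """Read the first sector of a raw disk image or block device and classify it."""
    with open(path, "rb") as fh:
        return triage_mbr(fh.read(SECTOR))
```

Run `triage_file("/path/to/image.dd")` against a forensic image of an affected machine; a zero-filled or signature-less first sector is consistent with the MBR damage described above.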

Money stolen?

Why would anyone just destroy thousands of a bank's workstations? While we kept looking for further clues, we found an interesting tweet by a local journalist claiming that USD 11 million was stolen from the bank at the same time the wiper destroyed the workstations. https://twitter.com/repohlhammer/status/1000496311169363970 While the journalist claims it could have been an inside job, we also found out that some artefacts of a well-known Lazarus toolset were allegedly identified in the bank's systems. Trend Micro believes that a wiper variant was connected to the foiled heist in Mexico in January. We have no knowledge of the connection between the alleged unauthorised transfers and the wiped workstations, but the two incidents could have something in common. The investigation continues and we hope to learn more in the future. Alleged wiper file analysis on VT
