Banco de Chile victim of a devastating wiper attack, money allegedly stolen

On May 24 computers in Banco de Chile offices and branches suddenly rebooted and their screens turned black. Local media outlets reported that bank branches could not operate because of the broken workstations. Banco de Chile was quick to acknowledge the issues and recommended using online and mobile banking, which operated without interruption.

The bank also issued a formal statement to inform its customers that their funds were safe.

Incident analysis

We decided to look deeper into this incident and quickly identified a blog post on www.seguridadyfirewall.cl which included a picture of a computer screen in the bank’s offices.

It looks like something destroyed the MBR and the computers cannot boot. After a few days of research we were able to confirm that around 10,000 Windows computers and servers were destroyed by a very simple piece of malware. We were also able to identify a post on a Chilean forum, where one of the users published a chat log with someone claiming insider knowledge, mentioning 9,000 PCs and 500 servers destroyed by the attack throughout Chile.

Banco de Chile did confirm it was a virus attack, but did not provide any further explanation of the circumstances of the incident.

Trend Micro published a nice analysis of the file responsible for the data destruction. Based on the information we were able to gather so far, the malicious file is a really simple tool – it just damages the MBR and reboots the computer. It was allegedly deployed via an antivirus update mechanism.

Money stolen?

Why would anyone just destroy thousands of a bank’s workstations? While we kept looking for further clues we found an interesting tweet by a local journalist claiming USD 11 million was stolen from the bank at the same time the wiper destroyed the workstations.

While the journalist claims it could have been an inside job, we also found out that some artefacts of a well-known Lazarus toolset were allegedly identified in the bank’s systems. Trend Micro believes that a wiper variant was connected to the foiled heist in Mexico in January. We have no knowledge of any connection between the alleged unauthorised transfers and the wiped workstations, but the two incidents could have something in common. The investigation continues and we hope to learn more in the future.

Alleged wiper file analysis on VT

A History of a Hack

Anakata in the Court Room (source: Aftonbladet)

On 20 May 2013, the trial of Gottfrid Svartholm a.k.a. anakata, co-founder of TPB, commenced in Stockholm. Yet he was not accused of any copyright infringement, but of serious hacking. What was he accused of, and how did the police pick up his trail?


Multiple bank accounts robbed by thieves using an innovative service of a mobile phone operator

In June and July of 2015, thieves stole several hundred thousand zlotys (at least 100k EUR) from the accounts of bank customers. The affected customers had one thing in common – they had a phone in the Play network (a Polish mobile operator) and received a series of text messages with codes authorizing transfers they had not ordered.


Several Polish banks hacked, information stolen by unknown attackers

Polish banks are frantically scanning their workstations and servers and checking logs in search of signs of infection after some of them noticed unusual network activity and unauthorised files on key machines within their networks. This is – by far – the most serious information security incident we have seen in Poland.

Errors, threats and extortion – history of a bank hack part three

This is the epilogue in the Polish bank heist story, where one of the hackers gets caught by the police.

The Polish police never cease to surprise. Another administrator of the ToRepublic forum has been detained by the police. This time it was Polsilver, who six months ago stole money from Plus Bank.

Errors, threats and extortion – history of a bank hack part two

In this episode of the Polish bank heist we describe the actions taken by criminals after the bank they hacked refused to pay the ransom they requested.

The ultimatum presented to Plus Bank, robbed by criminals, has expired. The thief, who apparently did not receive the ransom, has published data on hundreds of business accounts of Plus Bank customers.

Errors, threats and extortion – history of a bank hack part one

A few months ago a Polish bank fell victim to a serious hacker attack in which its customers’ money, passwords and personal information were stolen. In this series, we reconstruct the gradual disclosure of information on this subject.

The evidence we have received shows that a mysterious attacker had full access to the main web server of a Polish bank for several weeks. That enabled him to make unauthorized transfers and collect customers’ personal information, card data and account history. The attacker claims to have stolen a total of approx. PLN 1 million from multiple accounts, and the bank was allegedly in the dark for several weeks.