Cybercrime and Forensic Computing Task 4: Network Forensic

Lazarus Group: Bangladesh Bank and South-East Asian Incident

North Korean hackers target defense industry with custom malware

Incident date:
February and August 2016

The incident:
Lazarus Group attempted to steal $851 million USD and managed to transfer 81 million USD from the Central Bank of Bangladesh. The incident of Bangladesh Bank is also connected to the South-East Asian incident.

Motive:
Computer-related fraud and wire fraud: stealing money from banks and transferring it to accounts controlled by the hackers.

The perpetrator:
It is claimed that the North Korea-based Lazarus Group was behind the attack. One of the suspects is Park Jin Hyok, who is the leader of the Lazarus Group.

Tools used:
- Trojan-Banker
- TCP Tunnel Tool
- Session Hijacker
- Wiper Tool

Discussions

The tool to use for the investigation, and the reason for choosing it.

If I were to investigate the Lazarus Group case, I would use Wireshark as a tool to help with my forensic tasks.

Wireshark is a tool that can display data from hundreds of different protocols on all major network types. Data packets can be viewed in real time or analysed offline. Wireshark suits the investigation because it supports dozens of capture/trace file formats, so captures taken by other tools at the bank can be loaded and examined. It can be downloaded from its website and runs on macOS and Windows.

Wireshark can capture data packets and view and analyse their contents. Its main window has three sections: the packet list pane, the packet details pane, and the packet bytes pane. The packet details pane presents the protocols and protocol fields of the selected packet in a collapsible tree. Wireshark also provides capture filters, so that only packets meeting specified criteria are recorded, and display filters, which narrow what is shown from a capture that has already been taken.

Wireshark also includes a Statistics menu, which reports the size of and timing information about the capture file and offers many charts and graphs, ranging from breakdowns of packet conversations to the load distribution of HTTP requests.
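To show what the packet list, filters and the conversation statistics described above actually do, here is an added Python example (not code from the original post, and not a Wireshark component). It builds a small libpcap file from constructed Ethernet/IPv4/TCP frames, parses it back, applies a host/port filter equivalent to a Wireshark filter such as `ip.addr == X && tcp.port == Y`, and groups the packets into conversations the way Statistics > Conversations does. All addresses and ports are constructed sample values (203.0.113.9 is from the RFC 5737 documentation range), not indicators from the Lazarus case.

```python
import struct
from collections import defaultdict


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload_len):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left as zero)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"           # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + payload_len,
                     0, 0, 64, 6, 0, _ip(src_ip), _ip(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len


def build_pcap(frames):
    """Serialise frames as a libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample traffic: one workstation talking to an internal server on 443
# and to an external host on 8443, plus a second workstation talking to the server.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.20", 50000, 443, 100),
    build_frame("10.0.0.20", "10.0.0.5", 443, 50000, 300),
    build_frame("10.0.0.5", "10.0.0.20", 50000, 443, 0),
    build_frame("10.0.0.5", "203.0.113.9", 50001, 8443, 1400),
    build_frame("203.0.113.9", "10.0.0.5", 8443, 50001, 60),
    build_frame("10.0.0.7", "10.0.0.20", 50100, 443, 80),
])


def parse_pcap(data):
    """Yield (timestamp, src, dst, sport, dport, frame_len) for each IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                                   # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield (ts_sec + ts_usec / 1e6, src, dst, sport, dport, len(frame))


def matches(pkt, host=None, port=None):
    """Filter equivalent to `ip.addr == host && tcp.port == port`; None means any."""
    _, src, dst, sport, dport, _ = pkt
    if host is not None and host not in (src, dst):
        return False
    if port is not None and port not in (sport, dport):
        return False
    return True


def conversations(pkts):
    """Group packets by endpoint pair, like Statistics > Conversations in Wireshark."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _, src, dst, sport, dport, length in pkts:
        key = tuple(sorted([(src, sport), (dst, dport)]))   # direction-independent key
        stats[key]["packets"] += 1
        stats[key]["bytes"] += length
    return dict(stats)


def analyse(pcap_bytes, host=None, port=None):
    """Parse, filter and summarise a capture; returns {endpoint pair: counts}."""
    return conversations(p for p in parse_pcap(pcap_bytes) if matches(p, host, port))


if __name__ == "__main__":
    for (a, b), c in sorted(analyse(SAMPLE_PCAP).items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  packets={c['packets']} bytes={c['bytes']}")
```

In an investigation the same two steps are what the analyst does in the GUI: filter on the compromised host to cut the capture down, then read the conversation table to see which peers it spoke to and how much data moved in each direction. The filter is applied before the statistics are computed, so the conversation breakdown only counts the packets that survived the filter.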

Report

THE CASE

In February 2016, a group of hackers, unidentified at the time, attempted to steal $851 million USD and managed to transfer $81 million USD from the Central Bank of Bangladesh. The theft took place while the bank was closed for the weekend, on 4 to 5 February. The Lazarus Group, the suspect in the Bangladesh Bank incident, had compromised Bangladesh Bank's computer network, observed how money transfers were carried out and gained access to the bank's data.

Although several months of silence followed the Bangladesh attack, the Lazarus Group remained active. They had been preparing an operation to steal money from other banks, and by the time they were ready they already had a foothold in a financial institution in South-East Asia.

In August 2016, an incident occurred in a South-East Asian country when new malicious activity from Trojan-Banker was detected. The malware was linked to a tool used by the attackers in Bangladesh. As the attacked organisation was a bank, it was decided to investigate the case in depth. During the months of cooperation with the bank that followed, more and more tools were found hidden deep inside its infrastructure. It was also discovered that the attackers had learned about the upcoming investigation and wiped all the evidence they could, including tools, configuration files and log records. In their rush to disappear they overlooked some of the tools and components, which remained in the system.

It is claimed that the North Korea-based Lazarus Group was behind the attack. Using the tools and components left behind, the investigators were able to analyse the methods used by the hackers and linked the Lazarus Group to several attacks through a pattern of code reuse.

Full and detailed forensic report of the Lazarus Group: Bangladesh Bank and South-East Asian Investigation

Artifacts (Evidence/Resources)

1. Kaspersky (April 05, 2017). Chasing Lazarus. Retrieved from https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies

2. Kaspersky (n.d.). A hunt for the infamous Lazarus group hackers to prevent cybercrime. Retrieved from https://www.kaspersky.com/cyber-crime-lazarus-swift

3. SecureList (February 24, 2016). Operation Blockbuster revealed. Retrieved from https://securelist.com/operation-blockbuster-revealed/73914/

4. Scott Orgera (July 08, 2020). How to Use Wireshark: A Complete Tutorial. Retrieved from https://www.lifewire.com/wireshark-tutorial-4143298
