
Malware Attack on Polish Banks Uses Russian as False Flag, Linked to Lazarus


WALLONN7


Hackers wanted to lead investigators to believe Russian groups were at fault, but words don't make sense

http://i1-news.softpedia-static.com/images/news2/malware-attack-on-polish-banks-uses-russian-as-false-flag-linked-to-lazarus-513151-2.jpg

Hackers involved in the attack on Polish banks seem to have faked some of the code lines, making it seem as if they are Russians. The truth is, however, that the lines don't make sense to native speakers and an online translator may have been used. 

A recent sophisticated attack campaign targeted financial organizations from many countries but particularly focused on Poland. The team behind the attack seems to have intentionally inserted Russian words and commands into the malware in an attempt to throw investigators off, write researchers from cybersecurity firm BAE Systems.

According to them, multiple commands and strings in the malware may have been translated into Russian using online tools. "In some cases, the inaccurate translations have transformed the meaning of the words entirely. This strongly implies that the authors of this attack are not native Russian speakers and, as such, the use of Russian words appears to be a 'false flag,'" they said.

The roads lead to Lazarus

Attributing massive attacks is already a difficult thing to do, but inserting Russian words into the code is clearly an effort to send investigators down a false lead. In reality, it seems that all the clues lead towards Lazarus, a group well-known in the security industry. In the past they've led attacks against government and private organizations from numerous countries, including the United States. Even an attack against Sony Pictures Entertainment from 2014, when sensitive data was leaked, and many of the company's computers were rendered inoperable, is thought to be linked to Lazarus, although no confirmations were given.

Just recently it was revealed that a malware attack was affecting multiple banks in Poland. Malware was discovered on the workstations of several banks. The malicious files were discovered on several servers. It seems that the attack was launched from the compromised website of the Polish Financial Supervision Authority.

 
 