Malware Attack on Polish Banks Uses Russian as False Flag, Linked to Lazarus

February 21, 2017

Hackers involved in the attack on Polish banks seem to have faked some of the code lines, making it seem as if they were Russians. The truth is, however, the lines don’t make sense to native speakers and an online translator may have been used.

A recent sophisticated attack campaign targeted financial organizations from many countries, but particularly focused on Poland. The team behind the attack seems to have intentionally inserted Russian words and commands into the malware in an attempt to throw investigators off the track, write researchers from cybersecurity firm BAE Systems.

According to them, multiple commands and strings in the malware may have been translated into Russian using online tools. “In some cases, the inaccurate translations have transformed the meaning of the words entirely. This strongly implies that that authors of this attack are not native Russian speakers and, as such, the use of Russian words appears to be a ‘false flag,'” they said.

The roads lead to Lazarus

Attributing massive attacks is already a difficult thing to do, but inserting Russian words into the code is clearly an effort to throw investigators on a false lead. In reality, it seems that all the clues lead towards Lazarus, a group well-known in the security industry. In the past, they’ve led attacks against government and private organizations from numerous countries, including the United States. Even an attack against Sony Pictures Entertainment from 2014, when sensitive data was leaked and many of the company’s computers were rendered inoperable, is thought to be linked to Lazarus, although no confirmation was given.

Read full story…