Alert no. ND239-20

• September 23, 2020

Starting September 21, 2020, DDoS attacks against financial institutions in the region were detected in Slovenia, Bosnia and Herzegovina (BiH) and Serbia. The attacks recorded in Serbia reached 240 Gbps. Telecom operators providing services to financial institutions also received a warning and a threat from the hacker group responsible for the attack.

The attack is still ongoing.

Behind the attack is a hacker group known as the Lazarus group, The BeagleBoyz, Advanced Persistent Threat 38 (APT38), Bluenoroff, or Stardust Chollima, which since February 2020 has resumed targeting banks in several countries to initiate fraudulent international money transfers and cash withdrawals at ATMs.

Based on what is known about this group, which carries out its activities for financial gain, there is a reasonable suspicion that the main goal of the attack is not the collapse of financial institutions but intrusion into their core infrastructure in order to intercept and manipulate payment messages (ISO 8583 format), SWIFT transactions, ATM payments and processes involving cryptocurrencies. The group has developed its own malware framework, whose primary purposes are distributing malware and ransomware and exfiltrating data, although the goals change depending on the target of the attack.