Info security body finds no evidence of infection at Swiss banks as a result of “Sharpshooter” campaign

Maria Nikolova

Switzerland’s Reporting and Analysis Centre for Information Assurance is in touch with a number of banks but no evidence of infection has been found.

Switzerland’s Reporting and Analysis Centre for Information Assurance (MELANI) earlier today published its 29th semi-annual report, which covers the most important cyber incidents of the first half of 2019, both in Switzerland and abroad.

MELANI noted the Lazarus attacks targeting Swiss banks. In March 2019, security software company McAfee published a follow-up to its December 2018 report on the Sharpshooter campaign. Last year, the campaign targeted 87 companies from all over the world, but mainly in the US. The companies concerned were from the defence, energy, nuclear and financial sectors.

In its second report, McAfee confirmed its initial suspicion that the Lazarus group was behind the attacks. The group is well known for having attacked systems at various banks and is considered by many experts to be connected to the North Korean regime.

In its first report on the matter, McAfee described attempted attacks against Swiss financial institutions.

Today, MELANI said it is in contact with a number of banks, as mentioned in the preceding semi-annual report.

“Then as now, no evidence of infection has been found at the potential target companies in Switzerland”, says MELANI.

Let’s recall that, in December 2018, security firm McAfee released a report on a newly discovered APT campaign against defence, energy, nuclear, and financial companies. The campaign, called “Sharpshooter”, began on October 25, 2018 with the sending of infected documents to individuals from 87 organisations around the world, mainly in the USA. According to the report, Swiss companies in the financial sector were also hit by the campaign.

Social engineering was used to get the recipients to open the infected documents. The message was disguised as a job application letter and contained a link to a document on Dropbox which allegedly contained the application dossier. This method is particularly insidious because HR departments often receive unsolicited applications and usually open such documents.

The infection occurred via a macro contained in the Word document. Such macros are now blocked in many companies, or are activated only after the user confirms a corresponding warning message. If the macro is executed despite all warnings, it loads Sharpshooter into the memory of the Word process. The malware then installs a modular backdoor called “Rising Sun”. The functions of this component include collecting and sending information about documents, user names, network configuration, and system settings. The malware can also fetch additional functionality.

The malware communicates via a command and control server controlled by the attackers.

In analysing the campaign, McAfee found evidence of connections to the “Lazarus” group: “Rising Sun” contains code and configuration data from the “Duuzer” family. Duuzer was also used in the attack on Sony, which is attributed to the Lazarus group.
