A North Korean hacking group known as Lazarus was likely behind a recent cyber campaign targeting organizations in 31 countries, following high-profile attacks on Bangladesh Bank, Sony and South Korea, cyber security firm Symantec Corp said on Wednesday.
Symantec said in a blog that researchers have uncovered four pieces of digital evidence suggesting the Lazarus group was behind the campaign that sought to infect victims with “loader” software used to stage attacks by installing other malicious programs.
“We are reasonably certain” Lazarus was responsible, Symantec researcher Eric Chien said in an interview.
The North Korean government has denied allegations it was involved in the hacks, which were made by officials in Washington and Seoul, as well as security firms.
U.S. Federal Bureau of Investigation representatives could not immediately be reached for comment.
Symantec did not identify targeted organizations and said it did not know if any money had been stolen. Nonetheless, Symantec said the claim was significant because the group used a more sophisticated targeting approach than in previous campaigns.
“This represents a significant escalation of the threat,” said Dan Guido, chief executive of Trail of Bits, which does consulting to banks and the U.S. government.
Lazarus has already been blamed for a string of hacks dating back to at least 2009, including last year’s $81 million heist from Bangladesh’s central bank, the 2014 hack of Sony Pictures Entertainment that crippled its network for weeks and a long-running campaign against organizations in South Korea.
Guido, who reviewed Symantec’s finding, said that it was troubling to see a hacking group focus on attacking banks using increasingly sophisticated techniques.
“This is a dangerous development,” he said.
Symantec, which has one of the world’s largest teams of malware researchers, regularly analyses emerging cyber threats to help can defend businesses, governments and consumers that use its security products.
The firm analysed the hacking campaign last month when news surfaced that Polish banks had been infected with malware. At the time, Symantec said it had “weak evidence” to blame Lazarus.
Reuters has been unable to ascertain what happened in that attack. Poland’s biggest bank lobbying group, ZBP, in February said the sector was targeted in a cyber attack, but did not provide further details. Government authorities declined comment on the incident.
Authorities in Poland could not be reached for comment late on Wednesday.
Symantec said the latest campaign was launched by infecting websites that intended victims were likely to visit, which is known as a “watering hole” attack.
The malware was programmed to only infect visitors whose IP address showed they were from 104 specific organizations in 31 countries, according to Symantec. The largest number were in Poland, followed by the United States, Mexico, Brazil and Chile.