Polish banks are scrambling to find and repair infections in what could be one of the largest and most serious information breaches in the industry’s history.

A number of the 20 major commercial banks in the country have been confirmed as victims, while others are scanning for signs of malware infection in their systems, according to the Polish Financial Supervision Authority (KNF). Embarrassingly for the KNF, its own website has been pointed to as the source for the attacks.

A slight modification to the website’s code loaded an external file onto the page that could execute malicious payloads on selected targets. The URL, before being scrubbed, looked like this:

http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11
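The injection described above is a watering-hole pattern: one extra external script on a trusted site. A defender-side way to catch it is to record the set of script sources a page is expected to carry and flag anything new. The following Python example is added here and is not code from the article or from KNF; the baseline script names, the sample HTML and the page URL are constructed for the example, with only the injected script path taken from the article.

```python
"""Baseline check for unexpected external <script> tags on a web page.

Added example (not from the original article): a defender-side integrity
check that parses a page's HTML and flags any script source that is not in
a known-good baseline. An injected loader such as the one reported on the
KNF site would surface as an unexpected entry. The HTML, the baseline and
the page URL below are constructed sample data.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def normalise(src, page_url):
    """Resolve a script src to an absolute URL and drop the query string,
    so cache-busting parameters such as ?ver=11 do not defeat the baseline."""
    absolute = urljoin(page_url, src)
    parts = urlsplit(absolute)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"


def find_unexpected_scripts(html, page_url, baseline):
    """Return the sorted list of script URLs on the page that are not in the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    seen = {normalise(s, page_url) for s in collector.sources}
    return sorted(seen - set(baseline))


# Constructed sample: a known-good baseline recorded when the site was last audited.
# The file names jquery.js and site.js are hypothetical.
BASELINE = {
    "http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/jquery.js",
    "http://www.knf.gov.pl/DefaultDesign/Layouts/KNF2013/resources/site.js",
}

# Constructed sample page: the two baseline scripts plus the injected loader
# path reported in the article, including its cache-busting parameter.
SAMPLE_HTML = """
<html><head>
<script src="/DefaultDesign/Layouts/KNF2013/resources/jquery.js"></script>
<script type="text/javascript" src="/DefaultDesign/Layouts/KNF2013/resources/site.js"></script>
<script src="/DefaultDesign/Layouts/KNF2013/resources/accordian-src.js?ver=11"></script>
</head><body></body></html>
"""

PAGE_URL = "http://www.knf.gov.pl/"


if __name__ == "__main__":
    for url in find_unexpected_scripts(SAMPLE_HTML, PAGE_URL, BASELINE):
        print("unexpected script:", url)
```

Run against a fetched copy of each monitored page on a schedule; because the query string is stripped before comparison, a version bump on a known script does not raise an alert, while a new path or a new host does.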

Following infection, the malware established itself inside the banks’ networks and connected to foreign servers, enabling surveillance and data exfiltration. The malware used in the attack has not been documented before. According to BadCyber: “It uses some commercial packers and multiple obfuscation methods, has multiple stages, relies on encryption and at the moment of initial analysis was not recognised by available [security] solutions.”

It is believed the malware was active for multiple weeks before discovery, and that the malware, including its “foreign scripts”, evaded detection by all of the banks’ security platforms. The case is already being highlighted as an example for the “you’re already infected” school of cybersecurity protection.

No motivation has been put forward, though victims were able to identify large amounts of data being transferred from their systems and simultaneously being encrypted, making it difficult to see what had actually been stolen. Rumours are already appearing that the manner of the attack was too sophisticated to be the work of a group of hackers; foreign intelligence is being implicated.

Przemysław Barbrich, of the Polish Bank Association, says that customer money is completely safe, and that only data was stolen.


by Alex Hamilton
Alex is Senior Reporter at IBS Intelligence, follow him on Twitter or contact him at: alexanderh@ibsintelligence.com