HSBC was targeted by the hacking group EmpireMonkey as early as 25th October 2018, months before the group's successful attack on Bank of Valletta (BOV) on 13th February, in which it made off with €13 million in transactions.
A confidential IT security report, seen by MaltaToday, reportedly suggests that cyber-intelligence consultants were made aware of a coordinated hacking attempt targeting one or more Maltese banks.
The hacking group, dubbed EmpireMonkey after the software it uses to move around within a banking institution’s software after gaining access, infiltrated BOV’s systems in February, managing a €13 million heist and forcing the bank to take all of its systems offline for a number of hours.
EmpireMonkey is believed to have employed a type of hack known as ‘phishing’, in which it sent fraudulent e-mails purporting to come from the French stock market regulator, the Autorité des marchés financiers, using the regulator’s letterhead.
According to HSBC communications seen by MaltaToday, consultants questioned: “has anyone else observed malware delivered from this domain [Autorité des marchés financiers] since 19 October?…we have observed subsequent delivery attempts on 22 and 24 October.”
The consultants were reportedly referring to an attack on the French stock market regulator AMF.
“It remains likely that a small number of other organisations received these malicious e-mails,” MaltaToday reports, quoting from the confidential report.
The emails being referred to are EmpireMonkey’s phishing messages. Phishing is a tactic in which emails are disguised to appear as though they originated from official sources. The victims of phishing emails generally click on a fraudulent link contained within, giving hackers access to their systems.
Consultants are then quoted as saying: “given we have observed indication of attacks on 16, 19 and 24 October we remain vigilant for further activity.”
The report therefore suggests that cyber-intelligence consultants were made aware of the hacking attempts and that one or more banks in Malta could become targets.
The security consultants had been made aware of hacking activities on 5 November, 19 January and lastly on 25th January, mere weeks before the attack on BOV.
On 25th January, consultants received information from their sources that a “malicious payload had gone live”.
Finally, on 31st January, the consultants were alerted about a malicious document being hosted on a domain used by EmpireMonkey. They reportedly wrote: “Whilst we have no information about the delivery, it was almost certainly a link in an email and occurred today…it is likely that emails were delivered also using the same domain hosting the malicious document”.
After it transpired how two BOV employees could potentially have been exposed to the malicious documents, the consultants wrote: “It is worth noting that we reported on EmpireMonkey malicious documents uploaded from Malta back on 24th October, 2018…our team will continue the analysis and provide updates”.
Following the attack on BOV, all of its services were suspended – including its website. BOV has so far recovered more than €3 million of the €13 million.