Banco de Chile, one of the country’s biggest banks, was hit by disk-wiping malware in an attempted SWIFT hack on May 24. The attack crashed over 500 servers and 9,000 computers, rendering several in-bank services inoperable.
The bank confirmed in an official statement that it was hit by a “virus” which led to a massive systems failure, affecting computers at numerous branches. Images reportedly shared by the bank’s employees in a local online forum indicated that the disk-wiping malware KillDisk was used in the attacks.
KillDisk is a master boot record (MBR) malware that comes with extensive data-stealing capabilities. The malware can also completely wipe out the hard disks and files of targeted systems. Earlier variants of the malware also came with ransomware capabilities, with one particular variant designed to target Linux users.
Banco de Chile said the malware was not targeted at compromising its users’ accounts. Instead, it was designed to damage the bank’s systems.
“We reiterate that at all times the balances and investments of the clients, including the records and integrity of all their products, have been safeguarded and have not been affected,” the bank stated.
Security researchers at Trend Micro wrote in a blog earlier this week that the operators of KillDisk malware have shifted focus to attacking targets in Latin America. The researchers pointed out that the malware recently targeted an unidentified bank, noting that the attack was meant to be a distraction to mask the hackers’ attempt at accessing the bank’s local SWIFT network.
Although Trend Micro’s report did not name Banco de Chile as the institution targeted by the hackers, researchers did mention that the attack took place in May. Banco de Chile was also attacked in the same month.
According to a report by BadCyber, a Chilean journalist claimed in a tweet that hackers stole around $11 million in the attack. However, neither the bank nor the local authorities have made any official mention of funds stolen from the bank during the incident.
Although the local journalist’s tweet hinted that the attack was the work of an insider and was in retaliation for recent layoffs, BadCyber reported that some features commonly used by the North Korean hacker group Lazarus were also identified as having been used in the attack.