SWORD

North Korean Hackers Target Latin American Banks – Nigeria Could Be Their Next Focus

Overview of the Threat

Cybersecurity experts have warned that North Korean state-sponsored hacking groups, particularly Lazarus Group, are expanding their cyber-attacks beyond Asia and Europe, with a strong focus on financial institutions in Latin America. The latest reports suggest that Nigeria and other African nations could be their next target, given the increasing digitalisation of banking and fintech services across the continent.

Recent Attacks in Latin America

North Korean cybercriminals have been linked to multiple high-profile cyberattacks on banks and financial institutions in Mexico, Chile, Brazil, and Argentina. Their objectives typically include:

• SWIFT network manipulation – Hijacking international banking transactions.
• Malware attacks – Deploying Trojanized banking software to steal funds.
• Spear-phishing campaigns – Targeting bank employees with fake emails to gain access to financial networks.
• Cryptocurrency theft – Exploiting crypto exchanges and wallets to launder money for the North Korean regime.

Why Nigeria is a Potential Target

1. Rapidly Growing Financial Sector

• Nigeria has one of Africa’s largest and fastest-growing fintech industries, with companies like Flutterwave, Paystack, and Opay processing billions of dollars annually.
• The Nigerian banking system is heavily reliant on electronic transactions, mobile banking, and digital payment platforms, making it an attractive target.

2. SWIFT Network Connections

• Many Nigerian banks use SWIFT (Society for Worldwide Interbank Financial Telecommunication), which North Korean hackers have historically exploited.
• Any successful compromise of SWIFT transactions could result in major financial losses and disruption.

3. Growing Cryptocurrency Adoption

• Nigeria is a leading country for crypto adoption in Africa.
• Lazarus Group has previously hacked cryptocurrency exchanges and may attempt to infiltrate Nigerian crypto startups.

4. Cybersecurity Gaps

• Many Nigerian banks and fintech firms still lack advanced threat detection and incident response mechanisms.
• Social engineering vulnerabilities (e.g., phishing, insider threats) remain a concern.

Potential Attack Methods

North Korean hackers may use the following techniques to compromise Nigerian banks and fintech companies:

1. Phishing Attacks – Sending fake emails to bank employees to steal login credentials.
2. Watering Hole Attacks – Infecting frequently visited financial websites with malware.
3. Supply Chain Attacks – Targeting third-party vendors that provide banking software.
4. Ransomware – Encrypting banking systems and demanding payment.
5. Cryptocurrency Laundering – Hacking crypto exchanges and using mixer services to hide transactions.

How Nigerian Banks and Fintech Firms Can Protect Themselves

1. Strengthen Cyber Defences

✅ Implement Multi-Factor Authentication (MFA) for all banking systems.
✅ Deploy Advanced Threat Detection (SIEM, AI-driven monitoring).
✅ Use Endpoint Detection & Response (EDR) to detect malware and suspicious activities.

2. Train Employees on Cyber Threats

✅ Conduct phishing awareness training for all staff.
✅ Enforce strict access controls (least privilege access).
✅ Regularly test and audit cybersecurity defences.

3. Secure Cryptocurrency Transactions

✅ Monitor for abnormal crypto transactions in fintech platforms.
✅ Use cold wallets instead of hot wallets for large funds.
✅ Implement blockchain analytics tools to detect suspicious crypto movements.

4. Strengthen Incident Response

✅ Develop a Cyber Incident Response Plan (CIRP).
✅ Work with Nigeria’s financial regulators (CBN, NIBSS, NCC) for threat intelligence sharing.
✅ Conduct red team exercises to simulate attacks and improve defences.

Conclusion

With North Korean hackers shifting their focus to financial institutions in Latin America, it is highly likely that they will expand to Africa, particularly Nigeria, due to its booming fintech and banking sector. Nigerian banks, fintech firms, and regulatory bodies must take proactive cybersecurity measures to prevent large-scale cyber thefts.

Is your financial institution prepared? Now is the time to harden defences, train staff, and enhance security monitoring to stay ahead of emerging cyber threats.

PRESS 

The North Korean hacking group know as Lazarus recently targeted financial institutions in Latin America, Trend Micro security researchers have discovered.

The notorious threat actor, believed to be backed by the North Korean government, is known to have been involved in a series of high-profile attacks, including the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank.

Also referred to as Hidden Cobra, the group is believed to be the most serious threat against banks and also started targeting individuals last year. Recently, the group was said to have stolen millions from ATMs across Asia and Africa.

Trend Micro now says that a Lazarus backdoor was found on several machines of financial institutions across Latin America. The security firm also reports that the malware was installed on the targeted machines on September 19.

The attack technique resembles a 2017 Lazarus attack that hit targets in Asia. The group used FileTokenBroker.dll in that attack, and the same modularized backdoor appears to have been employed in the recent incident as well.

In their 2018 attacks, the Lazarus group used multiple backdoors, and also employed a complicated technique involving three major components; a loader DLL launched as a service, and encrypted backdoor, and and encrypted configuration file.

Installed as a service, the loader DLL uses different names on different machines, but has the same capabilities on all of them.

Once installed on a target machine, the backdoor can collect files and system information, download files and additional malware; launch/terminate/enumerate processes; update configuration data; delete files; inject code from files to other running process; utilize proxy; open reverse shell; and run in passive mode, where it opens and listens to a port to receive commands through it.

“The Lazarus group is an experienced organization, methodically evolving their tools and experimenting with strategies to get past an organization’s defenses. The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more,” Trend Micro concludes.