Bank vault. Photo: Matjaz Slanic/Getty Images

A cluster of attempted digital robberies at West African financial institutions appears to have imitated the North Korea-linked Lazarus Group's run of heists, according to Symantec.

Why it matters: Lazarus, internationally notorious for the Sony hack and the WannaCry malware, is currently very active stealing funds to support the Kim Jong-un regime. The Symantec finding is fascinating as an example of how attacks trickle down from nations to more common criminals.

The big picture: "It seems like after the high public profile of the North Korea thefts, these hackers took those tactics," said Jon DiMaggio, a senior threat intelligence analyst at Symantec.


  • The Lazarus group has utilized the SWIFT system, which banks use to request money from one another, in several high-profile thefts, but the attacks Symantec documented did not.
  • What they did use was a set of tools similar to those Lazarus used to set up those attacks, as outlined in a 2017 alert.
  • Symantec did not want to publicly specify the exact tools that were used.

Background: This isn't the first time DiMaggio said he had seen hackers influenced by a high-profile Lazarus attack. After the group's most famous heist, the theft of $81 million from the central bank of Bangladesh, a separate criminal group added SWIFT fraud to their toolkit.

Symantec's report outlined four different attack techniques currently being used in Africa, which may represent more than one criminal group.

  • The first, the one flagged as similar to the SWIFT heists, targeted firms in Ivory Coast and Equatorial Guinea.
  • All four clusters used a mix of easily purchasable malware and "living off the land" techniques: avoiding detection by relying as much as possible on software already present on victims' computers during the break-in.
  • The other groups of attacks spanned Ivory Coast, Ghana, the Democratic Republic of the Congo and Cameroon.

Historically, West African financial groups have not been common targets for hackers, according to the Symantec report. DiMaggio believes that a softer regulatory structure may have made African banks a tempting target.

The bottom line: DiMaggio stressed that IT staff globally have to become more accustomed to looking for living-off-the-land attacks that don't appear to create suspicious network traffic. "You have to look at legitimate traffic," he said. "You can't just wait for a warning screen to flash red."
