Researchers from Symantec and BAE Systems linked the malware used in the recently discovered Polish attack to similar attacks that have taken place since October in other countries.
There are also similarities to tools previously used by a group of attackers known in the security industry as Lazarus.
The hackers compromised websites that were of interest to their ultimate targets, a technique known as a watering hole attack. They then injected code into those sites that redirected visitors to a custom exploit kit. The exploit kit contained exploits for known vulnerabilities in Silverlight and Flash Player, and the exploits only activated for visitors whose Internet Protocol addresses fell within specific ranges. “These IP addresses belong to 104 different organizations located in 31 different countries,” researchers from Symantec said in a blog post Sunday. “The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.”