Cyber Incident Victim: Bancomext

Date:

Apr 2018

Location:

Mexico

Summary

Attackers suspected of being affiliated with the North Korean Lazarus group targeted a Mexican financial institution, among others, by abusing weaknesses in the country's domestic interbank transfer system (SPEI). They exploited weak network segmentation, inadequate access controls, and flaws in SPEI's transaction validation to initiate fraudulent transfers from non-existent sender accounts to pseudonymous accounts under their control, and used cash mules to withdraw the funds before the transfers were detected, siphoning an estimated $15-20 million. The central bank that operates SPEI attributed the breach to the attackers' deep knowledge of the interconnected financial infrastructure rather than to a direct compromise of its core systems. Following the incident, Mexican banks adopted stricter cybersecurity controls and transfer policies, with improvements focused on network segmentation and transaction validation.

Description

In early 2018, attackers targeted Mexico's financial sector, including Bancomext, in two distinct operations. The first, in January 2018, attempted to steal $110 million from Bancomext but failed. The second, in April 2018, extracted 300-400 million pesos ($15-20 million) from multiple Mexican banks by exploiting systemic weaknesses around Mexico's domestic money transfer platform, SPEI, which is operated by the central bank, Banxico. Initial access came through insecure network architectures, potentially via phishing campaigns or internal servers exposed directly to the internet. Compromised employee credentials then allowed lateral movement across poorly segmented networks, giving the attackers deep access to the banks' SPEI connections and transaction servers. The weaknesses included inadequate protection of transaction data inside bank networks and insufficient validation checks in the SPEI client application, which may itself have been tampered with through a supply chain attack. Together, these gaps allowed the attackers to build their operational infrastructure over months of preparation.

The April attack manipulated SPEI's flawed sender-account validation to initiate transfers from fictitious accounts to pseudonymous accounts controlled by the attackers. Each fraudulent transaction was sized between tens of thousands and hundreds of thousands of pesos so that it blended with legitimate traffic and escaped immediate detection. A network of hundreds of cash mules, each recruited for a payment of under 5,000 pesos ($260), withdrew the funds before the banks identified the discrepancies. Banxico's forensic analysis confirmed that the attacks targeted weak interconnections within Mexico's financial ecosystem rather than directly breaching its central systems, underlining the attackers' deep knowledge of institutional processes and infrastructure. After the incident, Banxico imposed stricter fund transfer policies and cybersecurity standards on SPEI-linked institutions, and Mexican banks invested heavily in network controls and segmentation, which analysts credited with preventing subsequent attacks. The theft also exposed a systemic lack of information sharing among Mexican financial institutions about cybersecurity incidents and vulnerabilities.
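The two control failures described above, a transfer gate that trusts the sender account named in the instruction and the absence of any check for bursts of mid-sized payments to never-before-seen beneficiaries, can be shown side by side in a toy model. The following is an added illustration written for this page; it is not SPEI's protocol, Banxico's validation logic, or any bank's code, none of which the page describes. Account numbers, balances, the batch of instructions, and the burst threshold are all constructed sample data.

```python
"""Toy model of a participant bank's outbound-transfer gate (added example).

WeakGate mirrors the failure mode in the text: it never verifies that the
sender account exists or is funded, so an instruction naming a fictitious
sender is accepted. HardenedGate checks the sender against the bank's own
ledger, enforces available balance, and holds a sender that fans out mid-sized
payments to too many new beneficiaries in one batch. All data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Transfer:
    tx_id: str
    sender_acct: str
    beneficiary_acct: str
    amount_mxn: int


class WeakGate:
    """Accepts any positive-amount instruction; the sender field is trusted."""

    def accept(self, t: Transfer) -> tuple[bool, str]:
        if t.amount_mxn <= 0:
            return False, "non-positive amount"
        return True, "ok"


@dataclass
class HardenedGate:
    ledger: dict                      # sender account -> available balance (constructed)
    burst_limit: int = 3              # max new beneficiaries per sender per batch (assumed)
    seen_beneficiaries: set = field(default_factory=set)
    new_beneficiary_count: dict = field(default_factory=lambda: defaultdict(int))

    def accept(self, t: Transfer) -> tuple[bool, str]:
        if t.amount_mxn <= 0:
            return False, "non-positive amount"
        # The sender must be an account this bank actually holds.
        if t.sender_acct not in self.ledger:
            return False, "sender account unknown to ledger"
        # Fictitious or drained accounts cannot fund a transfer.
        if self.ledger[t.sender_acct] < t.amount_mxn:
            return False, "insufficient balance"
        # Fan-out to many first-time beneficiaries is the mule-network pattern.
        if t.beneficiary_acct not in self.seen_beneficiaries:
            self.new_beneficiary_count[t.sender_acct] += 1
            if self.new_beneficiary_count[t.sender_acct] > self.burst_limit:
                return False, "burst of payments to new beneficiaries; hold for review"
        self.ledger[t.sender_acct] -= t.amount_mxn
        self.seen_beneficiaries.add(t.beneficiary_acct)
        return True, "ok"


# Constructed ledger: two real accounts. "ACC-9999" below is deliberately absent.
SAMPLE_LEDGER = {"ACC-0001": 2_000_000, "ACC-0002": 50_000}

# Constructed batch: one fictitious sender, one fan-out to new beneficiaries,
# one overdraft, and ordinary repeat payments.
SAMPLE_BATCH = [
    Transfer("T1", "ACC-9999", "MULE-01", 80_000),   # sender does not exist
    Transfer("T2", "ACC-0001", "MULE-02", 120_000),
    Transfer("T3", "ACC-0001", "MULE-03", 90_000),
    Transfer("T4", "ACC-0001", "MULE-04", 150_000),
    Transfer("T5", "ACC-0001", "MULE-05", 70_000),   # 4th new beneficiary
    Transfer("T6", "ACC-0002", "MULE-02", 60_000),   # exceeds 50_000 balance
    Transfer("T7", "ACC-0001", "MULE-02", 200_000),  # repeat beneficiary
]


def run_batch(gate, batch):
    """Return (accepted tx_ids, {rejected tx_id: reason})."""
    accepted, rejected = [], {}
    for t in batch:
        ok, why = gate.accept(t)
        if ok:
            accepted.append(t.tx_id)
        else:
            rejected[t.tx_id] = why
    return accepted, rejected


def weak_result():
    return run_batch(WeakGate(), SAMPLE_BATCH)


def hardened_result():
    return run_batch(HardenedGate(ledger=dict(SAMPLE_LEDGER)), SAMPLE_BATCH)


if __name__ == "__main__":
    print("weak    :", weak_result())
    print("hardened:", hardened_result())
```

The weak gate clears all seven instructions, including the one from the non-existent sender; the hardened gate clears only T2, T3, T4 and T7 and gives a reason for each rejection. The burst threshold is a placeholder; a real control would key on the sender's history and amount profile rather than a fixed count per batch.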
