HSBC warned of BOV hackers last year

Security report identified BOV heist hackers while testing malicious emails to be sent to bank employees

HSBC Malta was targeted by the hacking group EmpireMonkey months in advance before their successful hacking of Bank of Valletta, a confidential IT security report seen by MaltaToday shows
HSBC Malta was targeted by the hacking group EmpireMonkey months in advance before their successful hacking of Bank of Valletta, a confidential IT security report seen by MaltaToday shows

A confidential IT security report seen by MaltaToday shows that HSBC Malta was targeted by the hacking group EmpireMonkey months in advance before their successful hacking of Bank of Valletta.

The group carried out a €13 million heist from the bank on 13 February, which led BOV to temporarily take its services offline.

But the hackers were already busy targeting HSBC bank in Malta as early as 25 October 2018 – three and a half months before the successful incursion into BOV – a document detailing the communications issued by HSBC, seen by this newspaper, shows.

“Has anyone else observed malware delivered from this domain [Autorité des marchés financiers] since 19 October?... we have observed subsequent delivery attempts on 22 and 24 October,” the consultants said, referring to an attack on the French stock market regulator AMF.

“It remains likely that a small number of other organisations received these malicious emails,” they warned, referring to EmpireMonkey’s use of “phishing” emails designed to look like official authorities with decoy documents, which when clicked on, gives hackers access to the bank’s systems.

“Given we have observed indication of attacks on 16, 19 and 24 October we remain vigilant for further activity,” they said, indicating attacks originated from France, Sweden and Malta. Later they were also uploaded from Slovakia.

The report suggested that cyber-intelligence consultants were aware of a hacking campaign that would target one or more Maltese banks, as reports came in of malicious codes being tested by the hackers. “The macro code appears faulty and incomplete,” the consultants noted. “Downloads the decoy from the fake AMF website.”

Indeed on 5 November, 2018, HSBC were told that EmpireMonkey was active in France and Malta “and spoofing the French stock market regulator AMF” – Autorité des marchés financiers – with the image of a letter with the AMF letterhead.

“It appears as though they have remained active, with recent activity observed on their existing infrastructure... the actor is refining their initial macro code to evade detection.”

Additionally, the security consultants noted collusion between two hacking groups. “And now it becomes interesting... it appears to suggest some association between EmpireMonkey and Cobalt Gang, likely through their shared use of infrastructure and/or code offered by the actor known as badbullzvenom. It is highly likely these two samples are indicative of testing for new delivery techniques or malicious code.”

The report warned that the attack had a “certain level of sophistication”.

Then on 19 January, 2019, a month before the BOV heist, the security consultants identified yet another attack. “At this time we have no further information about a delivery mechanism, or if the upload was from the actor – as has occurred in the past – or from a victim.”

This time, the attackers were using the brand of Société Générale, the French bank, to match the theme used by EmpireMonkey, and had developed encryption certificates for their domain – “which suggests a campaign has more recently occurred or is imminent”, the security consultants said.

“We cannot yet ascertain if this is a campaign that has occurred, is in progress, or is in plan. We therefore recommended that as well as retrospective searches, monitoring or blocks are also implemented for these IoC (indicator of compromise).”

On 25 January, the security consultants received notice from their own sources that a malicious payload had gone live, and finally on 31 January that they had been alerted that a malicious document had been hosted on a domain used by the EmpireMonkey group. “Whilst we have no information about the delivery, it was almost certainly a link in an email and occurred today... it is likely that emails were delivered also using the same domain hosting the malicious document.”

Three days after the BOV heist, the consultants analysed the files uploaded to an open source virus repository from the Bank of Valletta machines, all related to two BOV employees who had been potentially exposed and compromised through the EmpireMonkey malicious documents. “It is worth noting that we reported on EmpireMonkey malicious documents uploaded from Malta back on 24 October, 2018... our team will continue the analysis and provide updates...” the consultants said.

BOV went dark on 13 February after their systems were compromised by the EmpireMonkey group, with branches, ATMs, mobile banking and even e-mail services suspended and its website taken offline.

The cyber-attack saw €13 million transferred out of the bank through false international transactions. The transactions were made to bank accounts in four countries – the US, the UK, Czechia and Hong Kong. The bank immediately advised its correspondent banks to block the transactions and the process was started to reverse the payments.

BOV recovered more than €3 million of the €13 million, the bulk of the rest being frozen in foreign jurisdictions.

Who are they?

The Cobalt Gang

A group of cybercriminals which has executed attacks against banks has regrouped despite the arrest of its alleged leader. The gang may have stolen as much as €1 billion ($1.2 billion) from banks in 40 countries over the last two years. It is known for its meticulous planning when studying ATM systems, card processing systems and the international interbank payment messaging system SWIFT before executing attacks. Spanish police said they had arrested a Ukrainian national who had allegedly laundered much of the money stolen by the Cobalt gang, converting it into 15,000 bitcoins, which at the time were worth $119 million.


A financially-motivated cyberthreat group that has been identified in connection with various other heists, most recently connected to the Fin6 group in a string of point-of-sale attacks against WMWare Horizon thin clients.


Cybercriminal active in known cybercrime and hacking forums, which are platforms to sell sensitive information dumps – a known term for stolen information data that often include credit card and social security numbers. Cybercriminals can also purchase off-the-shelf malware directly from coders in these crime and hacking forums.