(Bloomberg) – Investigators have linked malware used by Russian and eastern European cyber gangs to a string of bank heists that culminated in the record-breaking theft of $81 million from Bangladesh's central bank, according to people familiar with the probe.

The tools used in some of the attacks on as many as 12 banks, mostly in Southeast Asia, match those deployed by the so-called Dridex crime gangs, said the people, who asked not to be identified because the investigation is confidential. They operate in Russia and former parts of the Soviet Union including Moldova and Kazakhstan.

North Korean hackers have been implicated in the Bangladesh attack because the malicious software, or malware, used suggested a link between that attack and the breach of Sony Pictures Entertainment Inc.'s network in 2014, which U.S. officials blame on that nation. While the presence of code used in previous attacks may indicate the involvement of Dridex or North Korea, it could also mean that the malware is being sold to other parties on the black market, one of the people said.

Email infiltration

Finding malware bearing signs of Russian gangs makes attributing the source of the attacks even more complicated for authorities, who now have evidence pointing to the potential involvement of both nation states with a history of hacking and criminal organizations that make their living stealing from businesses.

Criminals exploited weaknesses in banks' cyber-defenses to try to steal almost $1 billion from Bangladesh's central bank in February and to take $12 million from an Ecuadorean lender in January 2015. An attack late last year on a Vietnamese bank was foiled. In all three incidents, the perpetrators got access to the codes the banks use to connect to the Swift global payments network and used them to request fund transfers that were directed elsewhere.

Dridex, which is used to identify the malware as well as the group that employs it, is spread through emails that infiltrate target computers and harvest personal information such as usernames and passwords, which can then be used to gain access to privileged networks. First spotted in 2014, Dridex is one of the most serious online threats facing consumers and businesses, according to security firm Symantec Corp.

Working week

The disciplined and highly organized gang behind the malware operates in many ways like an ordinary company, following a Monday-to-Friday working week and even taking time off for Christmas, Symantec said in a February report.

In the Bangladesh case, the Federal Reserve Bank of New York was tricked by fake Swift messages into wiring money it held for the country to hacker-controlled accounts in the Philippines. Hackers impersonated bank officials to send the messages, and they deployed malware targeting a PDF reader used to check statements.

Nathasha de Teran, a spokeswoman for Swift, which is the acronym for the Society for Worldwide Interbank Financial Telecommunication, declined to comment.

FireEye Inc., the security firm hired by the Bangladesh bank, has been contacted by as many as 12 other banks that are concerned that hackers may have breached their networks in a similar fashion, a person familiar with the approaches said last month. There was no indication that money was taken.

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.