Cybersecurity specialists at BAE Systems and Symantec announced last week new evidence suggesting that the criminals behind the notorious 2014 attack on Sony Corp. are also responsible for recent cyber-attacks involving 104 organizations in 31 countries. Researchers and investigators have long attributed the 2014 Sony attack, which crippled computer systems and revealed internal emails, to the North Korea-linked group known as “Lazarus.” Malware recently discovered running on the computers of a Polish bank suggest that the Lazarus group is now targeting global financial institutions using a sophisticated “watering hole” technique.

The “watering hole” in this instance was the website of the Polish Financial Supervision Authority, which the hackers infected with malware designed to attack specific financial institutions visiting the regulator’s website. Akin to an opportunistic crocodile lying in wait for the perfect-sized gazelle to come too close to the edge of the water, the Lazarus malware was designed to only infect computers linked to pre-designated banks and other organizations located in Poland, the UK, the US, and elsewhere worldwide. By targeting only a small number of IP addresses, the malware was able to remain undetected for several months.

In addition to targeting private financial institutions, the Lazarus watering hole attack also infected websites belonging to Mexico’s National Banking and Securities Commission, a state-run bank in Uruguay, and a small number of internet and telecommunications firms. Although investigators have not attributed any thefts to the malware, Lazarus is thought to have orchestrated a number of high profile cyber-robberies, including the theft of $81 million from the Bank of  Bangladesh’s account at the Federal Reserve Bank of New York.