Client software used to access the SWIFT financial network was apparently compromised in the unprecedented heist, BAE Systems researchers say
Computer attackers who stole $81 million (£56m) from the central bank of Bangladesh appear to have compromised software used in the international SWIFT funds transfer system, according to IT security researchers at military contractor BAE Systems.
BAE’s findings, detailed in an advisory to be published on Monday, indicate that SWIFT may be more vulnerable to hacking than was previously known.
The researchers also found that the techniques used in the theft could be adapted for attacks on other banks. Reuters published advance details from BAE’s advisory in a Monday report.
BAE found malware it believes was used in the attack on a code repository that collects samples for analysis. The code, named evtdiag.exe, was uploaded from Bangladesh, contained detailed information about the bank’s operations and was compiled close to the date of the theft, BAE said, adding that it hadn’t directly analysed the bank’s servers.
The code, which BAE believes was probably part of a broader attack toolkit installed on the affected servers after the thieves gained administrative access, was designed to make changes to SWIFT client software called Access Alliance that would conceal the hackers’ fraudulent transfers until after the funds had been laundered, BAE said.
The malware was capable of deleting records of outgoing transfer requests from the bank’s database and intercepting incoming messages confirming the transfers ordered by the hackers, according to Adrian Nish, BAE’s head of threat intelligence.
It could also manipulate account balances on logs to conceal the transfers, as well as manipulating a printer that produced hard copies of transfer requests to make sure the fraudulent activity wasn’t spotted on printouts, Nish said.
The attackers probably also stole credentials from the bank’s systems which they then used to order the fraudulent transfers, according to Nish.
He told Reuters that the code showed an unprecedented level of attention to detail for such a heist.
“I can’t think of a case where we have seen a criminal go to the level of effort to customise it for the environment they were operating in,” he said, adding that the tools and techniques used in the attack could be adapted by the gang to strike other targets.
BAE said an IP address in Egypt was used to monitor the use of the SWIFT system by bank staff.
Brussels-based SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, confirmed it was aware of malware targeting its client software and said it would release on Monday a patch for the affected client, along with a security alert for banks and financial institutions.
Minimal security measures
The update is intended to help clients improve their security and spot the kinds of inconsistencies in local database records that the malware was intended to conceal, SWIFT said.
“The malware has no impact on SWIFT’s network or core messaging services,” the organisation stated, adding that it may release additional updates as more information emerges about the Bangladesh Bank heist.
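The inconsistencies SWIFT's update is meant to surface follow directly from what the article says the malware did: deleting outgoing-request records, suppressing confirmations, altering balances and filtering printouts. The following added example (not SWIFT's patch and not BAE's analysis; all record formats, references, amounts and balances are constructed for illustration) shows the shape of such a reconciliation check: it compares the local database view against confirmations obtained out of band from the correspondent's statement and against the hard-copy log, and flags each kind of discrepancy.

```python
"""Reconciliation check over constructed sample data (added example, not
SWIFT's patch or BAE's analysis). Compares three views of one day's
outgoing transfers and flags the inconsistencies the article says the
malware tried to hide. Record formats, references and values are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ref: str          # transfer reference (constructed)
    amount: int       # amount in cents; integer avoids float rounding
    beneficiary: str


# View 1: what the bank's local database shows right now (constructed).
# TX-1004 is absent, simulating a deleted outgoing-request record.
LOCAL_REQUESTS = [
    Transfer("TX-1001", 2_500_000_00, "ACME Shipping"),
    Transfer("TX-1002", 1_200_000_00, "Port Authority"),
    Transfer("TX-1003", 800_000_00, "Grain Importers"),
]

# View 2: confirmations taken from the correspondent bank's statement,
# obtained independently of the local messaging interface (constructed).
CONFIRMATIONS = [
    Transfer("TX-1001", 2_500_000_00, "ACME Shipping"),
    Transfer("TX-1002", 1_200_000_00, "Port Authority"),
    Transfer("TX-1003", 800_000_00, "Grain Importers"),
    Transfer("TX-1004", 20_000_000_00, "Unknown Beneficiary"),
]

# View 3: references that appeared on the printed hard-copy log (constructed).
PRINTED_REFS = {"TX-1001", "TX-1002", "TX-1003"}

OPENING_BALANCE = 100_000_000_00        # constructed
LOCAL_CLOSING_BALANCE = 95_500_000_00   # what the tampered local ledger shows


def reconcile(local, confirmations, printed_refs, opening, local_closing):
    """Return a list of (finding, detail) tuples; an empty list means consistent."""
    findings = []
    local_by_ref = {t.ref: t for t in local}
    confirmed_by_ref = {t.ref: t for t in confirmations}

    # A confirmed transfer with no local request record suggests the
    # outgoing record was deleted after the message left the bank.
    for ref, conf in confirmed_by_ref.items():
        if ref not in local_by_ref:
            findings.append(("CONFIRMED_WITHOUT_LOCAL_RECORD", ref))
        elif (local_by_ref[ref].amount != conf.amount
              or local_by_ref[ref].beneficiary != conf.beneficiary):
            findings.append(("LOCAL_RECORD_ALTERED", ref))

    # A local request that was never confirmed is worth a look too.
    for ref in local_by_ref:
        if ref not in confirmed_by_ref:
            findings.append(("LOCAL_WITHOUT_CONFIRMATION", ref))

    # Every confirmed transfer should also appear on the hard-copy log.
    for ref in confirmed_by_ref:
        if ref not in printed_refs:
            findings.append(("MISSING_FROM_PRINTOUT", ref))

    # The closing balance must equal opening minus everything actually sent.
    expected = opening - sum(t.amount for t in confirmations)
    if expected != local_closing:
        findings.append(("BALANCE_MISMATCH", f"expected {expected} got {local_closing}"))
    return findings


def run_sample():
    """Run the check over the constructed data above."""
    return reconcile(LOCAL_REQUESTS, CONFIRMATIONS, PRINTED_REFS,
                     OPENING_BALANCE, LOCAL_CLOSING_BALANCE)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind}: {detail}")
```

The point of the design is that the confirmations and the opening balance come from a source the compromised host cannot rewrite; a check that reads every view from the same tampered database would pass cleanly. On the constructed data the check reports the missing local record for TX-1004, its absence from the printout, and the balance mismatch.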
Bangladesh Bank did not immediately respond to a request for comment.
Bangladesh Police’s Criminal Investigation Department told Reuters that it hadn’t found the specific malware described by BAE, but said the forensics probe was ongoing.
Police said last week they had found that the bank’s IT security measures were minimal, lacking precautions such as firewalls and relying on second-hand, £10 switches in its local network.
The attack, which occurred during the weekend of 6 to 7 February, attempted to carry out nearly three dozen SWIFT transfers totalling $951m from Bangladesh Central Bank’s account at the Federal Reserve Bank of New York to recipients in the Philippines and Sri Lanka, investigators said.
Most of those requests were blocked, in part because of a spelling mistake, but $81m was transferred to casinos in the Philippines, most of which remains missing, according to investigators.