SWIFT continues to deny compromise of its systems, but warns of fresh attack on an unnamed bank
SWIFT, the international financial messaging network used by 11,000 financial institutions around the world, has warned of another attack against an unnamed commercial bank.
Attackers struck the Central Bank of Bangladesh back in February, making off with at least $81 million (£57m) in one of the largest bank robberies in history.
Not Our Fault
At the time of the attack, it was reported that the attackers had managed to gain access to the Bangladesh network via cheap and unpatched routers. But in April IT security researchers at military contractor BAE Systems said that the attackers had compromised SWIFT’s software.
Brussels-based SWIFT (Society for Worldwide Interbank Financial Telecommunication) said it was aware of malware targeting its client software and had released a patch. It also warned of other attacks on its network that had resulted in fraudulent messages being sent over its system.
But SWIFT continues to insist that the incidents didn’t involve any compromise of the SWIFT network itself, but rather seem to have been carried out by attackers who obtained valid credentials from financial institutions and used these to impersonate authorised individuals.
The denial comes amid accusations by officials in Bangladesh that SWIFT technicians had made the bank more vulnerable to hacking before the heist.
“At the end of the day we weren’t breached, it was from our perspective a customer fraud,” SWIFT CEO Gottfried Leibbrandt was quoted by Reuters as saying at a financial conference in Frankfurt. “I don’t think it was the first, I don’t think it will be the last.”
It also issued a more forthright denial in a follow-up statement.
“SWIFT rejects the false, inaccurate and misleading allegations made by Bangladesh Bank and Bangladesh Police’s Criminal Investigation Department (CID) officials to Reuters,” said SWIFT. “The accusations have no basis in fact.”
“SWIFT was not responsible for any of the issues cited by the officials, or party to the related decision. As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network and their related environment – starting with basic password protection practices – in much the same way as they are responsible for their other internal security considerations.”
And now SWIFT has confirmed that a second bank has been attacked with malware similar to that used against the Bangladesh central bank.
“First and foremost we would like to reassure you again that the SWIFT network, core messaging services and software have not been compromised,” said SWIFT in a statement. “We have however now learnt more about a second instance in which malware was used – again directed at banks’ secondary controls, but which in this instance targets a PDF Reader used by the customer to check its statement messages.”
“Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks. In both instances, the attackers have exploited vulnerabilities in banks’ funds transfer initiation environments, prior to messages being sent over SWIFT.”
SWIFT said the attackers had been able to bypass whatever primary risk controls the victims had in place, allowing them to initiate the irrevocable funds transfer process. In a second step, they found ways to tamper with the statements and confirmations that banks sometimes use as secondary controls, delaying the victims’ ability to recognise the fraud.
“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both,” it said.
And one expert warned that this attack should act as a wake-up call for the banking industry.
“These are not isolated incidents. Serious investigations must follow given the custom built nature of the malware used in these attacks.
“It appears to have been created by someone with an intimate knowledge of how the Swift software works as well as its business processes, which is cause for concern. However, basic system monitoring at the bank would have stopped this at the server endpoint by tracking system changes in real time, triggering alerts to analysts.”
“Other banks participating in the Swift network now need to compare the indicators of compromise shared by BAE Systems with the data generated by their own environment to understand whether or not they have also been affected and how to respond effectively,” he said.
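As an added illustration of the two defensive measures raised above (tracking system changes on the server endpoint in real time, and comparing shared indicators of compromise against data from a bank’s own environment), here is a small file-integrity and IoC check written for this article. It is not code from SWIFT, BAE Systems or the quoted expert. The file names, file contents and IoC hash are constructed for the demo, and the monitored binary is a stand-in for the statement-checking PDF reader that SWIFT says the second piece of malware targeted.

```python
"""File-integrity and IoC check (added example, not from the article).
Baselines the hashes of files that implement a bank's secondary controls,
reports any change, and matches current hashes against a shared IoC list.
All paths, contents and hashes used here are constructed for the demo."""

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root. Taken on a known-good host,
    this snapshot is the trusted baseline for later comparisons."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def detect_changes(baseline: dict, current: dict) -> list:
    """Compare two snapshots and return sorted (relative_path, event) pairs,
    where event is 'modified', 'added' or 'removed'."""
    events = []
    for rel, digest in current.items():
        if rel not in baseline:
            events.append((rel, "added"))
        elif baseline[rel] != digest:
            events.append((rel, "modified"))
    for rel in baseline:
        if rel not in current:
            events.append((rel, "removed"))
    return sorted(events)


def match_iocs(current: dict, ioc_hashes: set) -> list:
    """Return paths whose current hash appears in the shared IoC hash set."""
    return sorted(rel for rel, digest in current.items() if digest in ioc_hashes)


def demo() -> dict:
    """Simulate tampering with a statement reader and show both checks firing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-in for the PDF reader used to check statement messages.
        reader = root / "bin" / "statement_reader.bin"
        reader.parent.mkdir()
        reader.write_bytes(b"GENUINE READER BUILD 1.0\n")
        (root / "config.ini").write_text("verify_statements=true\n")

        baseline = build_baseline(root)  # snapshot while the host is known-good

        # Constructed tampering: the reader binary is replaced and a file is dropped.
        reader.write_bytes(b"MODIFIED READER BUILD\n")
        dropped = root / "bin" / "helper.dll"
        dropped.write_bytes(b"constructed sample payload\n")

        current = build_baseline(root)
        # Constructed IoC list: the hash of the dropped file stands in for
        # indicators a vendor would distribute. Real IoCs are not on the page.
        iocs = {sha256_of(dropped)}

        return {
            "changes": detect_changes(baseline, current),
            "ioc_hits": match_iocs(current, iocs),
        }


if __name__ == "__main__":
    result = demo()
    for rel, event in result["changes"]:
        print(f"ALERT file {event}: {rel}")
    for rel in result["ioc_hits"]:
        print(f"ALERT IoC match: {rel}")
```

In practice the baseline would be stored off-host and the comparison run on a schedule or from a file-change watcher, with each event forwarded to analysts rather than printed; the point of the demo is that an unexpected change to the statement-checking software surfaces as an alert before a tampered statement can mask a fraudulent transfer.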
Maier’s comments come amid concern regarding threats that banks face in the increasingly online world.
Kaspersky Lab recently revealed that in 2015 attackers turned to targeting banks directly, rather than their end users. It said that more than two dozen large Russian banks were targeted by hacking gangs last year, with losses running to millions of pounds.
Earlier this year Daniel Cohen, head of FraudAction at RSA, explained how committing online fraud is just too easy nowadays.
Another expert revealed how it took him (hypothetically) just 20 minutes to breach the computer system of a major bank.