Who’s Stealing The Money? SWIFT Tightens Security As A Fourth Bank Is Attacked.
A fourth bank in the Philippines has become a victim of the crew that targeted the SWIFT interbank transfer system.
Bank robbers tend to go where the money is to be found, whether in traditional vaults or, increasingly, in cyber space. And among the digital targets available, few are more alluring than SWIFT(Society for Worldwide Interbank Financial Telecommunications), the cross-border payment messaging system owned and used by 9,000 member institutions around the globe that handles transfers worth more than $6tn every day.
In recent weeks, the financial world has been rocked by news of breaches in this inconspicuous but critical network. Hackers have forced their way into member banks’ systems and covertly gathered their SWIFT passwords and other authenticating protocols.
They have used these to transfer large sums from the victim banks’ foreign accounts via the network to institutions in third countries. There the money has been either withdrawn, or attempts made to make it disappear.
The most startling case involves the Bangladesh Bank, where in February hackers made off with more than $80m from its account at the New York Federal Reserve. SWIFT has logged a number of other incidents — believed to be up to 10 — all involving similar breaches. Intruders used access codes and malware that tampered with the victim bank’s own systems to sweep over their digital traces.
What is particularly concerning is the ease with which hackers were able to get their hands on what is effectively a bank’s own cheque book. They did not after all need to break into SWIFT’s own systems to purloin money. All they did was to take control of one of the terminals giving access to SWIFT’s network. To penetrate the system then, it is just a case of finding its weakest cyber link.
As banking networks ultimately rely upon trust between participants, breaches like this could have a big knock-on effect on financial flows across borders. If confidence in the system is weakened, the network itself may shrink as institutions become warier of dealing with one another online. In the end that spells less choice and more frictional costs for those wanting to move money abroad.
Of course, intrusions into SWIFT are not the only threats facing bank cyber security. The developed world’s largest financial institutions now face “tens of thousands” of attacks every minute, according to one bank chief executive. But given the multiple jurisdictions involved, cross-border transactions can risk slipping through the cracks. For instance, it avails little if only US regulators tell their banks to tighten procedures. It needs all their counterparties round the world to follow suit.
SWIFT has now come up with suggestions for tightening processes. It wants banks to share information about breaches more openly with one another. Timely notification would certainly be sensible: for instance, it could allow some fraudulent transfers to be revoked without loss. It would also allow banks to share technical fixes, thus avoiding successive institutions falling prey to the same scams.
SWIFT also wants to make the network more self-policing, for instance establishing an audit “kite-mark” for anti-hack processes and systems. Those members that failed to measure up could face being “de-friended” by other system users, or charged more to make transfers. That could get around the co-ordination problem of corralling thousands of banks round the globe.
Systems that trade on the security of their systems have no future if they do not deliver. Swift has at least woken up to the challenge facing its business. But this is not just a problem involving cross-border deals. Cyber-crime is increasingly a threat to the whole financial industry. This is one digital challenge that banks cannot duck and it is growing.
The list of banks victims of the SWIFT hackers is lengthening, a fourth bank in the Philippines has been a victim of the crew that targeted the SWIFT interbank transfer system.
Recently the media announced a third victim of SWIFT hackers, attackers stole $12 Million from the Ecuadorian Bank Banco del Austro SA.
In February hackers have stolen $81 Million from the Bangladesh central bank and a few days ago, the SWIFT announced that a second commercial bank was a victim of a cyber heist, the crime appears to be part of a broad online attack on global banking.
Security experts speculate the existence of a high-skilled threat actor that is targeting the principal component of their infrastructure, the SWIFT.
When the second cyber heist was confirmed, Natasha de Teran, the SWIFT spokeswoman, revealed the existence with multiple similarities with the Bangladesh bank heist and added that both were very likely part of a “wider and highly adaptive campaign targeting banks.”
“The unusual warning from Swift, a copy of which was reviewed by The New York Times, shows how serious the financial industry regards these attacks to be. Some banking experts say they may be impossible to solve or trace.” the NY Times reported. “Swift said the thieves somehow got their hands on legitimate network credentials, initiated the fraudulent transfers and installed malware on bank computers to disguise their movements.”
According to the experts at Symantec, the SWIFT hackers have conducted multiple cyber-attacks against financial institutions.
The same hacker group was also blamed for the theft of $12m from an Ecuadoran bank, Banco del Austro SA. Related strains of malware featured in attacks against these various banks, suggesting that the same group is behind multiple assaults, as Symantec explains.
The researchers at Symantec discovered that the hacking tools used by the gang share many similarities with the malicious code in the arsenal of the Lazarus APT.
The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.
“Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam.” reads the analysis published by Symantec.
“Malware used by the group was also deployed in targeted attacks against a bank in the Philippines. In addition to this, some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus. The attacks can be traced back as far as October 2015, two months prior to the discovery of the failed attack in Vietnam, which was hitherto the earliest known incident.”
The experts at Symantec have spotted at least three strains of malware, Backdoor.Fimlis, Backdoor.Fimlis. B, and Backdoor.Contopee, which have been used in targeted attacks against financial institutions.
“Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis. B, and Backdoor.Contopee.” states Symantec “At first, it was unclear what the motivation behind these attacks were, however code sharing between Trojan.Banswift (used in the Bangladesh attack used to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection.”
The malware experts discovered that the Wiper used the SWIFT hackers is similar to the one in the Sony Pictures Hack.
Symantec confirmed the discovery made by the security experts Sergei Shevchenko and Adrian Nish from BAE Systems that have collected evidence of the link between the malware used in the recent cyber-attacks against the financial institutions and the malicious code used to compromise Sony Pictures systems in 2014.
“Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group. Backdoor.Contopee has been previously used by attackers associated with a broad threat group known as Lazarus. Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea.” continues the analysis published by Symantec. “The group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment. The FBI concluded that the North Korean government was responsible for this attack.”
At this point there are two possibillities, either North Korea is targeting the global financial sector or there is 'a false flag' operation conducted by someone that is relying on the same code used in the Sony hack.
