Who’s Stealing The Money? SWIFT Tightens Security As A Fourth Bank Is Attacked.

A fourth bank in the Philippines has become a victim of the crew that targeted the SWIFT interbank transfer system.

Bank robbers tend to go where the money is to be found, whether in traditional vaults or, increasingly, in cyberspace. And among the digital targets available, few are more alluring than SWIFT (the Society for Worldwide Interbank Financial Telecommunication), the cross-border payment messaging system owned and used by 9,000 member institutions around the globe, which handles transfers worth more than $6tn every day.

In recent weeks, the financial world has been rocked by news of breaches in this inconspicuous but critical network. Hackers have forced their way into member banks' systems and covertly harvested the banks' SWIFT credentials.

They have used these credentials to transfer large sums from the victim banks' foreign accounts, via the network, to institutions in third countries, where the money has either been withdrawn or attempts have been made to make it disappear.

The most startling case involves the Bangladesh Bank, where in February hackers made off with more than $80m from its account at the New York Federal Reserve. SWIFT has logged a number of other incidents, believed to be up to 10, all involving similar breaches. In each case the intruders used valid access codes, together with malware that tampered with the victim bank's own systems to cover their tracks.

What is particularly concerning is the ease with which hackers were able to get their hands on what is effectively a bank's own cheque book. They did not, after all, need to break into SWIFT's own systems to purloin money; they only needed to take control of one of the terminals that give access to SWIFT's network. Once an attacker holds a member's valid credentials on such a terminal, the messages it sends look to the network like any other legitimate instruction from that bank. Penetrating the system is then just a matter of finding its weakest link.
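As an added illustration (this is not code from the article, from SWIFT or from any of the banks involved), here is the check a practitioner would want against exactly this failure mode. Because the malware tampered with the victim bank's own records, the bank's local ledger cannot be trusted on its own, so the day's outgoing transfers are reconciled against a statement obtained from the correspondent bank that holds the account, over a channel the compromised terminal does not control. The pipe-delimited statement layout, the transaction references, the amounts and the counterparty names below are constructed for the example; real account statements use different formats.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    """One outgoing payment as recorded by either side."""
    ref: str           # the sending bank's transaction reference
    amount: Decimal
    currency: str
    beneficiary: str   # institution or account receiving the funds


def parse_statement(text):
    """Parse the constructed REF|AMOUNT|CCY|BENEFICIARY format used in this
    example (an assumption; real account statements such as MT940 differ)."""
    transfers = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ref, amount, ccy, beneficiary = (f.strip() for f in line.split("|"))
        transfers.append(Transfer(ref, Decimal(amount), ccy, beneficiary))
    return transfers


def reconcile(local, correspondent):
    """Compare the bank's own ledger with the correspondent's statement.

    Returns a list of findings. Each is a tuple whose first element is the
    kind of discrepancy and whose remaining elements are the records involved.
    """
    local_by_ref = {t.ref: t for t in local}
    corr_by_ref = {t.ref: t for t in correspondent}
    findings = []
    # Debits the correspondent executed that the local ledger does not show:
    # the pattern left behind when fraudulent messages are sent and the local
    # record of them is then deleted or hidden.
    for ref in sorted(corr_by_ref.keys() - local_by_ref.keys()):
        findings.append(("missing_locally", corr_by_ref[ref]))
    # Transfers the local ledger shows but the correspondent never executed.
    for ref in sorted(local_by_ref.keys() - corr_by_ref.keys()):
        findings.append(("not_executed", local_by_ref[ref]))
    # Same reference on both sides but a different amount, currency or
    # beneficiary: a record that was altered in place.
    for ref in sorted(local_by_ref.keys() & corr_by_ref.keys()):
        if local_by_ref[ref] != corr_by_ref[ref]:
            findings.append(("altered", local_by_ref[ref], corr_by_ref[ref]))
    return findings


def total_debits(transfers, currency="USD"):
    """Sum of amounts in one currency; a cheap first check before the
    per-reference comparison."""
    return sum((t.amount for t in transfers if t.currency == currency), Decimal(0))


# Constructed sample data for one business day (not real transactions).
LOCAL_LEDGER = """
# what the bank's own, possibly tampered, system reports
TRN001|1500000.00|USD|BANK-A
TRN002|250000.00|USD|BANK-B
"""

CORRESPONDENT_STATEMENT = """
# what the account-holding correspondent reports having executed
TRN001|1500000.00|USD|BANK-A
TRN002|250000.00|USD|BANK-X
TRN003|20000000.00|USD|BANK-X
TRN004|20000000.00|USD|BANK-X
"""


def run_check():
    """Run the reconciliation over the constructed sample data."""
    local = parse_statement(LOCAL_LEDGER)
    corr = parse_statement(CORRESPONDENT_STATEMENT)
    return reconcile(local, corr)


if __name__ == "__main__":
    print("local total :", total_debits(parse_statement(LOCAL_LEDGER)))
    print("remote total:", total_debits(parse_statement(CORRESPONDENT_STATEMENT)))
    for finding in run_check():
        print(*finding)
```

On the constructed data the check surfaces two large debits the local system never shows (the deleted traces) and one record whose beneficiary was rewritten in place. The design point is that the second source must come in over a path the attacker does not own: a confirmation printed or stored by the same compromised terminal is worthless, because the malware controls both copies.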

As banking networks ultimately rely upon trust between participants, breaches like this could have a big knock-on effect on financial flows across borders. If confidence in the system is weakened, the network itself may shrink as institutions become warier of dealing with one another online. In the end that spells less choice and more frictional costs for those wanting to move money abroad.

Of course, intrusions into SWIFT are not the only threats facing bank cyber security. The developed world’s largest financial institutions now face “tens of thousands” of attacks every minute, according to one bank chief executive. But given the multiple jurisdictions involved, cross-border transactions can risk slipping through the cracks. For instance, it avails little if only US regulators tell their banks to tighten procedures. It needs all their counterparties round the world to follow suit.

SWIFT has now come up with suggestions for tightening processes. It wants banks to share information about breaches more openly with one another. Timely notification would certainly be sensible: for instance, it could allow some fraudulent transfers to be revoked without loss. It would also allow banks to share technical fixes, thus avoiding successive institutions falling prey to the same scams.

SWIFT also wants to make the network more self-policing, for instance establishing an audit “kite-mark” for anti-hack processes and systems. Those members that failed to measure up could face being “de-friended” by other system users, or charged more to make transfers. That could get around the co-ordination problem of corralling thousands of banks round the globe.

Systems that trade on their security have no future if they do not deliver it. SWIFT has at least woken up to the challenge facing its business. But this is not just a problem for cross-border deals: cyber-crime is increasingly a threat to the whole financial industry. This is one digital challenge that banks cannot duck, and it is growing.

The list of banks victimised by the SWIFT hackers is lengthening: a fourth bank, in the Philippines, has been hit by the crew that targeted the SWIFT interbank transfer system.

Recently the media reported a third victim of the SWIFT hackers: attackers stole $12 million from the Ecuadorian bank Banco del Austro SA.

In February hackers stole $81 million from the Bangladesh central bank, and a few days ago SWIFT announced that a second commercial bank had been the victim of a cyber heist; the crime appears to be part of a broad online attack on global banking.

Security experts believe a highly skilled threat actor is targeting the principal component of the banks' shared infrastructure, SWIFT itself.

When the second cyber heist was confirmed, SWIFT spokeswoman Natasha de Teran said it bore multiple similarities to the Bangladesh bank heist and added that both were very likely part of a “wider and highly adaptive campaign targeting banks.”

“The unusual warning from Swift, a copy of which was reviewed by The New York Times, shows how serious the financial industry regards these attacks to be. Some banking experts say they may be impossible to solve or trace.” the NY Times reported. “Swift said the thieves somehow got their hands on legitimate network credentials, initiated the fraudulent transfers and installed malware on bank computers to disguise their movements.”

According to the experts at Symantec, the SWIFT hackers have conducted multiple cyber-attacks against financial institutions.

The same hacker group was also blamed for the theft of $12m from the Ecuadorian bank Banco del Austro SA. Related strains of malware featured in the attacks on these various banks, suggesting that one group is behind multiple assaults, as Symantec explains.

The researchers at Symantec found that the hacking tools used by the gang share many similarities with the malicious code in the arsenal of the Lazarus APT group.

The Lazarus Group's activity surged in 2014 and 2015; its members have mostly used custom-built malware in their attacks, and the experts who have investigated the crew consider it highly sophisticated.

“Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam.” reads the analysis published by Symantec.

“Malware used by the group was also deployed in targeted attacks against a bank in the Philippines. In addition to this, some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus. The attacks can be traced back as far as October 2015, two months prior to the discovery of the failed attack in Vietnam, which was hitherto the earliest known incident.”

The experts at Symantec have identified at least three strains of malware, Backdoor.Fimlis, Backdoor.Fimlis.B and Backdoor.Contopee, which have been used in targeted attacks against financial institutions.

“Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee.” states Symantec. “At first, it was unclear what the motivation behind these attacks were, however code sharing between Trojan.Banswift (used in the Bangladesh attack used to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection.”

The malware experts also found that the wiper used by the SWIFT hackers resembles the one used in the Sony Pictures hack.

Symantec confirmed the finding by BAE Systems researchers Sergei Shevchenko and Adrian Nish, who collected evidence linking the malware used in the recent cyber-attacks on financial institutions to the malicious code used to compromise Sony Pictures' systems in 2014.

“Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group. Backdoor.Contopee has been previously used by attackers associated with a broad threat group known as Lazarus. Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea.” continues the analysis published by Symantec. “The group was linked to Backdoor.Destover, a highly destructive Trojan that was the subject of an FBI warning after it was used in an attack against Sony Pictures Entertainment. The FBI concluded that the North Korean government was responsible for this attack.”
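The attribution in the quoted analyses rests on “code sharing” and “distinctive code shared between families”. The following is an added example, not Symantec's or BAE Systems' tooling, of how such a comparison is done in its simplest form: each sample is cut into overlapping 16-byte windows, the windows are hashed, and the hashes two samples have in common are merged back into contiguous shared regions. Windows that also occur in a baseline of common code (a runtime library stub here) are discarded first, because shared library code says nothing about authorship. The three samples and the baseline are constructed pseudo-random byte strings standing in for Banswift-like, Contopee-like and unrelated binaries; no real malware bytes are used, and the window length and the blake2b hash are choices made for the example.

```python
import hashlib
import random

K = 16  # window length in bytes; longer windows mean fewer chance matches


def fingerprints(data, k=K):
    """Hash every k-byte window of `data`; map hash -> list of offsets."""
    fps = {}
    for i in range(len(data) - k + 1):
        h = hashlib.blake2b(data[i:i + k], digest_size=8).digest()
        fps.setdefault(h, []).append(i)
    return fps


def shared_code(a, b, baseline=(), k=K):
    """Return (similarity, regions).

    similarity is the Jaccard index of the two samples' window hashes after
    windows found in any `baseline` sample are removed; regions is a list of
    (offset_in_a, offset_in_b, length) runs of identical bytes, at least k
    bytes long, that survive that filter.
    """
    fa, fb = fingerprints(a, k), fingerprints(b, k)
    common = set()
    for base in baseline:
        common.update(fingerprints(base, k))   # iterating the dict yields hashes
    ka, kb = set(fa) - common, set(fb) - common
    shared = ka & kb
    union = ka | kb
    similarity = len(shared) / len(union) if union else 0.0
    # Merge consecutive matching windows on the same diagonal into one region.
    regions = []
    for i, j in sorted((i, j) for h in shared for i in fa[h] for j in fb[h]):
        if regions:
            i0, j0, length = regions[-1]
            if i == i0 + length - k + 1 and j == j0 + length - k + 1:
                regions[-1] = (i0, j0, length + 1)
                continue
        regions.append((i, j, k))
    return similarity, regions


# Constructed samples: seeded pseudo-random bytes stand in for compiled code.
_rng = random.Random(2016)


def _blob(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


CRT_STUB = _blob(64)   # stands in for runtime library code found in many binaries
ROUTINE = _blob(48)    # stands in for a distinctive routine shared by two families
SAMPLE_A = _blob(40) + CRT_STUB + _blob(30) + ROUTINE + _blob(20)   # "Banswift-like"
SAMPLE_B = _blob(25) + ROUTINE + _blob(50) + CRT_STUB + _blob(10)   # "Contopee-like"
SAMPLE_C = _blob(60) + CRT_STUB + _blob(80)                          # unrelated


if __name__ == "__main__":
    print("A vs B, raw      :", shared_code(SAMPLE_A, SAMPLE_B))
    print("A vs B, filtered :", shared_code(SAMPLE_A, SAMPLE_B, baseline=(CRT_STUB,)))
    print("A vs C, filtered :", shared_code(SAMPLE_A, SAMPLE_C, baseline=(CRT_STUB,)))
```

Without the baseline filter the unrelated sample C looks related to A purely through the runtime stub, which is the trap behind many weak attribution claims; with it, only the distinctive routine links A and B, and C drops to zero. Even then a shared routine shows that two samples share code, not who wrote it: source can leak, be sold or be copied, which is why the false-flag question below cannot be settled by code similarity alone.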

At this point there are two possibilities: either North Korea is targeting the global financial sector, or this is a false-flag operation conducted by someone reusing the same code seen in the Sony hack. Shared code is suggestive rather than conclusive, since tools can be leaked, sold or copied, so the question cannot be settled by malware similarity alone.

Sources: Security Affairs; Financial Times
