Cyber-attacks Against SWIFT Ongoing, Sophisticated

Cyber-attacks against the SWIFT global banking network have continued throughout the year since the successful theft of $81 million from the Bangladesh central bank in February 2016. A letter seen by Reuters and dated Nov 2 warned member banks, "The threat is very persistent, adaptive and sophisticated -- and it is here to stay." 

Stephen Gilderdale, head of SWIFT's Customer Security Programme, told Reuters, "In all of these cases attackers are suspected of trying to replicate the modus operandi of the Bangladesh attackers." That modus operandi is to infiltrate SWIFT customer banks and forge transfer instructions that move funds from the larger reserve banks into accounts under the attackers' control.

While the method of stealing funds remains the same, attackers have started using new methods of infiltrating the customer banks, possibly indicating new and different attackers. One new approach, highlighted by the letter, involves the use of "software that allows technicians to access computers to provide technical support." How this software is installed, or whether it is a remote access trojan delivered maliciously or a remote administration tool delivered via social engineering, is not disclosed.

It is notable, however, that Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department, said this week that some Bangladesh central bank officials deliberately exposed its computer systems and enabled the February theft. This appears to be a new development and confirms that cyber attackers will attempt to corrupt and use bank employees.

It also confirms FBI suspicions. The FBI, Interpol and the Bangladesh authorities have all been investigating the theft. In May it was reported that FBI investigators "have found evidence pointing to at least one bank employee acting as an accomplice." According to Alam, arrests are likely soon.

Reuters is reluctant to provide details on the more recent attacks. No banks are named, although Gilderdale says that there have been "a meaningful number of cases." He added, "In 80 percent of the cases that we are aware of and where we have completed investigations, a fraud has not actually ended up taking place." The implication is that there have been a few successful attacks, although neither the banks nor the amounts have been publicly disclosed. 

Reuters notes, "The additional attacks SWIFT disclosed to Reuters do not include others that have already come to light since the Bangladesh Bank heist." It then names attacks against Bangladesh's Sonali Bank in 2013; Ecuador's Banco del Austro in 2015; the failed attack against Vietnam's Tien Phong Bank; and the $81 million theft from the Bangladesh central bank.

There have, however, been reports of other possibly linked thefts. In June, the English language Ukrainian news site Kyiv Post announced that cyber-attackers had stolen $10 million from an unnamed Ukrainian bank. "The Kyiv branch of ISACA, the Information Systems Audit and Control Association, reported this week that the theft had occurred via the SWIFT international banking system, the organization responsible for managing money transfers between financial institutions worldwide."

Kyiv Post also said, "'At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars,' ISACA said in a release." It should be noted, however, that this report has not been independently verified in western media; so it may or may not be related to the continuing attacks mentioned by SWIFT.

Throughout this year, SWIFT has been tightening its security procedures. The basic problem, however, remains the same. The organization links more than 11,000 institutions in more than 200 countries. It is a cooperative society operated from Belgium, but owned by its members. As in all systems, it is as strong as its weakest link; and in this instance the weak links are the many thousands of smaller banks that do not have the same security resources as the big banks. Attackers seek to compromise the small banks and gain genuine SWIFT credentials. This allows them to instruct the bigger banks to transfer large amounts of money over the SWIFT network into their own accounts.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.