At a financial conference in Frankfurt, Thursday, SWIFT’s chief executive Gottfried Leibbrandt told the audience that the $81 million theft from the Bangladesh central bank’s New York account “was from our perspective a customer fraud.” He added, “I don’t think it was the first, I don’t think it will be the last.”
On the same day the New York Times reported that it had seen a letter SWIFT plans to share with its users today “on a secure part of its website.” This letter warns of a second breach that has manipulated the SWIFT network.
The attack was apparently on an unnamed commercial bank in Vietnam, and occurred at some point during the last few months.
SWIFT warns that the second breach has similarities to the Bangladesh theft, and appears to be part of a broad attack against world banking. “The attackers clearly exhibit a deep and sophisticated knowledge of specific operation controls within the targeted banks — knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both,” warns the letter.
Researchers from BAE Systems said in April that they had found what was assumed to be the malware used in the Bangladesh central bank hack, after samples were uploaded to malware repositories.
According to a report released today by BAE Systems, the malware used in the Bangladesh central bank theft could be linked to other cyberattacks, including the massive attack against Sony Pictures in 2014. BAE detailed the toolkit used in a report on Op Blockbuster, which the company released this past February to unravel what is known about the Sony attack.
BAE has said that a commercial bank in Vietnam also appears to have been targeted in a similar fashion, using custom malware built from a common code base.
According to BAE, the developers exclusively use a Visual C++ 6.0 development environment.
In both attacks, it appears that the hackers understood the different transfer validation methods used by the banks. In the Bangladesh heist the attackers knew about, and tailored their malware to interfere with, the printer that produced the printouts used to check and validate transfers. At the second bank, PDF files were used for validation, and there the malware manipulated the PDF to “remove traces of the fraudulent instructions.”
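The common thread in both cases is that the bank checked its outgoing transfers against a single artifact (a printout, a PDF) produced on the same compromised host that sent them, so the attacker could simply delete the fraudulent entries from that artifact. The detective control that defeats this is to reconcile two records that travel through independent paths, for example the messaging gateway's own outbound log against a confirmation or statement that comes back from outside the bank. The script below is an added illustration of that reconciliation; it is not code from the article, from BAE Systems or from SWIFT. The pipe-delimited `ref|amount|ccy|beneficiary` layout and every record in it are constructed for the example; real gateway logs and confirmation reports have their own formats and would need their own parsers.

```python
"""Reconcile two independently sourced records of outgoing payment instructions.

Added example (not from the article, BAE or SWIFT). The record layout and all
sample data below are constructed for illustration only.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class Instruction:
    ref: str
    amount: Decimal
    ccy: str
    beneficiary: str


def parse_records(text: str) -> Dict[str, Instruction]:
    """Parse 'ref|amount|ccy|beneficiary' lines (assumed layout), keyed by reference.

    Blank lines and '#' comments are skipped. A duplicate reference is an error
    rather than a silent overwrite, because a duplicate is itself suspicious.
    """
    records: Dict[str, Instruction] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ref, amount, ccy, beneficiary = (f.strip() for f in line.split("|", 3))
        if ref in records:
            raise ValueError(f"duplicate reference {ref}")
        records[ref] = Instruction(ref, Decimal(amount), ccy, beneficiary)
    return records


def reconcile(sent: Dict[str, Instruction],
              confirmed: Dict[str, Instruction]) -> List[str]:
    """Return one finding per discrepancy between what was sent and what was confirmed.

    Three cases matter: a reference sent but missing from the confirmation
    (the tampered-report pattern), a reference confirmed but never sent, and a
    reference present in both whose amount, currency or beneficiary differ.
    """
    findings: List[str] = []
    for ref in sorted(sent.keys() - confirmed.keys()):
        findings.append(f"{ref}: sent by gateway but absent from confirmation")
    for ref in sorted(confirmed.keys() - sent.keys()):
        findings.append(f"{ref}: confirmed but not present in gateway log")
    for ref in sorted(sent.keys() & confirmed.keys()):
        a, b = sent[ref], confirmed[ref]
        if (a.amount, a.ccy, a.beneficiary) != (b.amount, b.ccy, b.beneficiary):
            findings.append(
                f"{ref}: fields differ (sent {a.amount} {a.ccy} to {a.beneficiary}; "
                f"confirmed {b.amount} {b.ccy} to {b.beneficiary})")
    return findings


# Constructed sample input: the gateway's outbound log for one day.
GATEWAY_LOG = """
# ref|amount|ccy|beneficiary
TX001|1500000.00|USD|ACME TRADING LTD
TX002|20000000.00|USD|SHALIKA FOUNDATION
TX003|750000.00|EUR|NORDIC MARINE AS
TX004|3200000.00|USD|PACIFIC HOLDINGS INC
"""

# Constructed sample input: the confirmation as it arrived from the other side.
# TX002 is missing and TX004 names a different beneficiary.
CONFIRMATION = """
# ref|amount|ccy|beneficiary
TX001|1500000.00|USD|ACME TRADING LTD
TX003|750000.00|EUR|NORDIC MARINE AS
TX004|3200000.00|USD|ORIENT LOGISTICS CO
"""


def run_sample() -> List[str]:
    """Reconcile the constructed sample records and return the findings."""
    return reconcile(parse_records(GATEWAY_LOG), parse_records(CONFIRMATION))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The point of the design is where the two inputs come from, not the comparison itself: if the confirmation is generated on the same host as the gateway log, an attacker with the access BAE describes can edit both, and the check proves nothing. The comparison only has teeth when the second record is fetched over a path the attacker does not control.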
This suggests that either the attackers were inside the banks’ networks for long enough to learn how the banks’ systems work, or they had inside information from a bank employee. If the former, then there has to be concern that other banks may already be similarly compromised. If the latter, then the proceeds of the Bangladesh theft could be re-invested to bribe and corrupt employees in other banks.
Both attacks were against banks that use SWIFT, rather than against SWIFT itself. Certainly in the Bangladesh attack, entry to the SWIFT system was via the central bank of a developing country, not via a bank in a major financial center. SWIFT’s problem is that it has thousands of such member institutions around the world, and each one is a potential entry point.
Once the individual banks were compromised, the attackers could ‘legitimately’ send instructions over the SWIFT transfer system. “Your first priority should be to ensure that you have all the preventative and detective measures in place to secure your own environment,” SWIFT says in its message to be posted today. “This latest evidence adds further urgency to your work.”
While experts from BAE Systems believe the same attacker was behind the attacks in Bangladesh and Vietnam, they did not attribute the attack to any specific group or nation.
“As for who that person might be, who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone,” BAE’s Sergei Shevchenko and Adrian Nish wrote in a blog post.
(Additional reporting by Mike Lennon)