
SWIFT Discloses Additional Bank Attacks

In a private letter to its members on Tuesday, SWIFT disclosed that additional cyber attacks have surfaced since its last update in June.


There are already known successful attacks against a Bangladeshi bank and an Ecuadorian bank, with a failed attack against a Vietnamese bank. Now, in a letter seen by Reuters, SWIFT is warning, “Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.”

SWIFT has not indicated whether any ‘fraudulent payment instructions’ were successful, nor named the banks concerned. Nevertheless, the organization appears to be using the incidents to increase pressure on its member banks to implement new SWIFT software by a deadline of 19 November.

“All the victims shared one thing in common,” says Reuters: “Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers.” There is no current indication whether the attackers are the same gang that attacked Bangladesh, Ecuador and Vietnam, or copy-cat criminals attracted by the massive theft of $81 million from Bangladesh.

The latest version of SWIFT’s software includes new security features designed to prevent a repeat of the Bangladesh attack. These include technology for verifying the credentials of people accessing a bank’s SWIFT system; stronger rules for password management; and better tools for identifying attempts to hack the software.

SWIFT appears to be ‘threatening’ its members with disclosure of weaknesses and/or future attacks if they do not comply. It cannot directly insist on compliance, since the organization is a cooperative owned by the members, and it does not have that remit.

While any increased security is important, some experts believe SWIFT’s actions are not enough. Most of the new controls appear to be perimeter-based. While it’s certainly true that the Bangladesh ‘perimeter’ was not well defended (“The bank lacked a firewall and used second-hand, $10 electronic switches to network those computers, according to the Bangladesh police” – Reuters), perimeter defenses are not very successful.

Once the attackers have gained a foothold beyond the perimeter, “the bad actors can often do whatever they want and cover up their tracks with ease,” comments Istvan Szabo, product manager at Balabit. “The better method is for participating organizations to monitor their privileged users, build user specific profiles and apply behavior analytics on top of that. Profiles can be obtained from mouse movements, keystroke habits, command usage regularity, users IP / port and protocol in a transparent way if using a proxy based monitoring technology. The habits of every individual user are unique indicators and impossible to copy.”

eSentire’s CTO Mark McArdle suggests that these new attacks should not be seen as limited to SWIFT, but representative of a much bigger issue: bad guys attack big organizations through smaller affiliates — and quotes the attack against Target via its HVAC supplier as an example. The attraction of SWIFT is that it provides access to some of the world’s largest and best defended banks via much smaller and less defended banks, and is a route that criminals will continue to exploit.

The SWIFT letter, he said, “isn’t about the spotlight on big banks and their cybersecurity posture; this is a floodlight highlighting the larger, more critical risk, which is the far more prevalent, lucrative target — the smaller banks, hedge funds and alternative asset management firms which circle the globe.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
