In a private letter to its members on Tuesday, SWIFT has disclosed that additional cyber attacks have surfaced since its last update in June.
There are already known successful attacks against a Bangladeshi bank and an Ecuadorian bank, with a failed attack against a Vietnamese bank. Now, in a letter seen by Reuters, SWIFT is warning, “Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.”
SWIFT has not indicated whether any ‘fraudulent payment instructions’ were successful, nor named the banks concerned. Nevertheless, the organization appears to be using the incidents to increase pressure on its member banks to implement new SWIFT software by a deadline of 19 November.
“All the victims shared one thing in common,” says Reuters: “Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers.” There is no current indication whether the attackers are the same gang that attacked Bangladesh, Ecuador and Vietnam, or copy-cat criminals attracted by the massive theft of $81 million from Bangladesh.
The latest version of SWIFT’s software includes new security features designed to prevent a repeat of the Bangladesh attack. These include technology for verifying the credentials of people accessing a bank’s SWIFT system; stronger rules for password management; and better tools for identifying attempts to hack the software.
SWIFT appears to be ‘threatening’ its members with disclosure of weaknesses and or future attacks if they do not comply. It cannot directly insist on compliance, since the organization is a cooperative owned by the members, and it does not have that remit.
While any increased security is important, some experts believe SWIFT’s actions are not enough. Most of the new controls appear to be perimeter-based. While it’s certainly true that the Bangladesh ‘perimeter’ was not well defended (“The bank lacked a firewall and used second-hand, $10 electronic switches to network those computers, according to the Bangladesh police” – Reuters), perimeter defenses are not very successful.
Once the attackers have gained a foothold beyond the perimeter, “the bad actors can often do whatever they want and cover up their tracks with ease,” comments Istvan Szabo, product manager and Balabit. “The better method is for participating organizations to monitor their privileged users, build user specific profiles and apply behavior analytics on top of that. Profiles can be obtained from mouse movements, keystroke habits, command usage regularity, users IP / port and protocol in a transparent way if using a proxy based monitoring technology. The habits of every individual user are unique indicators and impossible to copy.”
eSentire’s CTO Mark McArdle suggests that these new attacks should not be seen as limited to SWIFT, but representative of a much bigger issue: bad guys attack big organizations through smaller affiliates — and quotes the attack against target via its HVAC supplier as an example. The attraction of SWIFT is that it provides access to some of the world’s largest and best defended banks via much smaller and less defended banks, and is a route that criminals will continue to exploit.
The SWIFT letter, he said, “isn’t about the spotlight on big banks and their cybersecurity posture; this is a floodlight highlighting the larger, more critical risk, which is the far more prevalent, lucrative target — the smaller banks, hedge funds and alternative asset management firms which circle the globe.”