Security Experts:

Third SWIFT Attack Transfers $12 million to Hong Kong, Dubai and U.S.

The third known and second successful attack against banks using the SWIFT money transfer network impacted an Ecuadorian bank between January 12 and January 22, 2015. During this period at least 12 fraudulent transfer requests instructed San Francisco-based Wells Fargo to send $12 million belonging to Ecuador's Banco del Austro (BDA) to accounts in Hong Kong, Dubai and the US. Wells Fargo complied.

SWIFT did not learn of the attack until informed by Reuters in May 2016. Reuters discovered it through court documents relating to a law suit filed by BDA against Wells Fargo. While the Bangladesh authorities initially blamed SWIFT and the New York Federal Reserve Bank for its loss of $81 million, BDA seems to be blaming Wells Fargo alone. BDA believes, and is suing Wells Fargo, for its failure to detect and flag the fraud in process.

A Wells Fargo spokesman has said that the bank "properly processed the wire instructions received via authenticated SWIFT messages" and was not responsible for BDA's losses.

The theft itself mirrors the two other known attacks. Hackers infiltrated the target bank's networks and managed to send apparently legitimate instructions for the funds to be transferred. However, while there is some confusion over exactly when SWIFT learned about the failed attack against Hanoi-based Tien Phong Bank (TPBank), there is no confusion here. A SWIFT spokesperson told Reuters in May 2016, "We were not aware. We need to be informed by customers of such frauds if they relate to our products and services, so that we can inform and support the wider community."

The likelihood is that SWIFT was also unaware of the TPBank attack until it became public knowledge. It demonstrates an enormous problem for SWIFT, and explains why the primary recommendation in SWIFT's five-point security plan is to 'drastically improve information sharing'. Banks are notoriously private; but it remains an open question over whether the Bangladesh theft would have been so successful had SWIFT been able to warn all its members about the BDA and TPBank attacks.

It is not currently known whether the same malware family was used against BDA as seems to have been used against Bangladesh and TPBank - so it is also difficult to conjecture whether it was the same attackers in all three cases. Symantec reported on 26 May, "no details are currently known about the tools used in this incident or if there are any links to the attacks in Asia."

Accounts in Hong Kong received the majority of BDA's stolen money: $9.24 million to Hong Kong accounts, and $2.76 million to accounts in Dubai and the US. A separate law suit has been filed in Hong Kong against companies that received or handled the stolen money, alleging that they had been 'unjustly enriched'.

The money sent to Hong Kong initially went to four companies with accounts at HSBC and Hang Seng Bank. From there the money was routed into 19 second hop bank accounts - many of which do not appear to be associated with real businesses. Indeed, the initial four accounts were described by the Hong Kong Deputy High Court Judge Conrad Seagroatt as "otherwise inactive corporate vehicles controlled by citizens of the People's Republic of China."

"These companies are often set up for ill-gotten gains and as vehicles of corruption," Mike Kenealy, chief operating officer of risk and compliance consultancy Insiders Corp told Reuters . "Once the money starts moving, it gets laundered, converted and disappears without a trace."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.