SWIFT Deduction: Assume You've Been Hacked
Ukrainian Bank Was Hacked in April, National Bank of Ukraine Confirms
National Bank of Ukraine. (Photo: Andrew Butko, via Wikimedia Commons.)
Memo to financial services firms around the world: Assume that attackers have been attempting to make fraudulent SWIFT requests via your network, and that they may have already breached your systems and begun doing so.
That's the obvious cybersecurity takeaway from the rolling - if delayed - reports of banks saying that they too have fallen victim to fraudulent SWIFT transactions, which keep coming to light in the wake of the theft of $81 million from the central bank of Bangladesh in February.
The attacks have targeted the messaging system maintained by the Brussels-based, bank-owned cooperative SWIFT - formally known as the Society for Worldwide Interbank Financial Telecommunication - which is designed to guarantee that money-moving messages between banks are authentic. But attackers have long targeted the system to try to steal money from banks.
The latest such report surfaced last week, pertaining to an unnamed bank in Ukraine that lost $10 million to hackers who successfully executed fraudulent SWIFT transactions, the Kiev Post reported.
Subsequently, Reuters said that an April memo it had obtained from the central bank of Ukraine warned the country's banks to be on the lookout after the Bangladesh Bank hack, and recommended that banks implement all of SWIFT's security guidance, ensure that all anti-virus technology was fully updated as well as vet the security of all bank systems that connect to the SWIFT network.
"We are also informing you that a similar incident took place in one of the Ukrainian banks," read the notice, which was signed by a deputy governor at the central bank, known as the National Bank of Ukraine, Reuters reports.
Reached for comment, the press service of the National Bank of Ukraine declined to share a copy of the memo, which it says was issued on April 28 and "based on SWIFT's letter about [the] latest cyber incidents," citing bank secrecy concerns. But it confirmed that in April, a Ukrainian bank reported a "cyber-attack" to the central bank, and that "thereafter NBU appealed to the banks asking them to follow SWIFT rules and regulations strictly and keeping anti-virus software up to date."
The press office also suggested that the bank would have reported the attack to SWIFT. "Relationships between the banks and SWIFT are regulated directly by bilateral agreements, which include conditions of reporting about incidents," the press office says.
Reached for comment, SWIFT noted that the Ukrainian bank wasn't compromised by hacking into SWIFT's network. "As we have said before, our network and core messaging services have not been compromised," the spokeswoman tells me.
Beyond that, however, SWIFT declined to discuss the case. "As we have said before, we will not comment on individual entities," she says. "When a case of potential fraud is reported to us, we offer our assistance to the affected user to help secure its environment, and we share relevant information on an anonymized basis with the community. This preserves confidentiality, whilst assisting other SWIFT users to take appropriate measures to protect themselves."
Six SWIFT Heists, and Counting
The revelations of the Ukrainian bank hack and the resulting fraudulent SWIFT transactions follow reports from at least five other banks that have experienced similar attacks. In the wake of the attacks, SWIFT has promised to provide better security guidance to banks, and also urged targeted organizations to come forward and share attack details, for the benefit of other banks (see SWIFT to Banks: Get Your Security Act Together).
Here's the list of institutions that have logged fraudulent SWIFT attacks over the past few years:
Sonali Bank: Bangladesh bank lost $250,000 to attackers in 2013.
Banco del Austro: Court documents filed this year revealed that $12.2 million was stolen from this Ecuadorian bank in January 2015.
Bank in the Philippines: As yet unnamed, this bank was attacked in October 2015, security firm Symantec says.
TPBank: This Vietnamese bank blocked the attempted theft of $1.4 million in December 2015.
Bangladesh Bank: The central bank of Bangladesh lost $81 million to attackers, who attempted to steal nearly $1 billion in their February heist.
Bank in Ukraine: $10 million was reportedly stolen from an unnamed bank.
Separate or Connected Campaigns?
What's not clear, however, is how many of the above attacks might be related. Systems at Bangladesh Bank, for example, were infected with a Trojanized version of the Foxit PDF reader, which allowed attackers to suppress evidence of their fraudulent transactions.
Based on a technical analysis of the malware, security researchers say that it reuses parts of the malware and attack infrastructure that were employed in the 2014 hack attack against Sony Pictures Entertainment, which the U.S. government blamed on North Korea. As a result, security experts say, it appears that at least some of the recent bank hacks and fraudulent SWIFT transactions were carried out by individuals working for - or on behalf of - the North Korean government in Pyongyang (see F-Secure's Mikko Hypponen Details 5 Top Cybercrime Trends).
Regardless of which individuals or groups have been behind these SWIFT attacks, they've been a wake-up call for financial services firms, especially as they move toward more real-time payment and transfer systems (see Improving Fraud Prevention After SWIFT-Related Heists).
In the wake of the Bangladesh Bank hack, the Bank of England - the U.K.'s central bank - and U.S. officials, amongst others, began querying banks and SWIFT about their preparedness against related attack attempts (see Fraudulent SWIFT Transfers: Congress Queries New York Fed). But the takeaway for all SWIFT-using banks in any country by now should be crystal clear: Analyze all SWIFT-connected systems to ensure that they haven't been hacked, and keep a close eye on those systems going forward, since they're being actively targeted by hackers.