SWIFT robbers swoop on Ukrainian bank

Yet another bank has been hit via the SWIFT messaging system, this time in Ukraine. This may only be the fifth publicly disclosed SWIFT heist, but commentators suggest that there are plenty of silent victims.

Ukraine bank joins those hit by robbers who used their SWIFT account

A Ukrainian bank has been hit through fraudulent use of their SWIFT account. The as-yet unnamed bank has suffered the fate of so many in the past few months and lost US$ 10 million (£7,459,708) through fraudulent requests made through the bank's SWIFT account.

The Ukrainian branch of ISACA was called in to investigate the anonymous bank's misfortune.

According to ISACA, as with previous heists of this nature, attackers will usually use publicly available information to find out as much as possible about the bank before breaching it and spending months collecting information on its internal workings. Leveraging that knowledge, the hackers will make their money orders through the bank's SWIFT account, sending millions to far-off accounts where it quickly disappears into the ether.

The first major heist of this kind fell upon the Bangladesh Central Bank which lost £56 million.

It wasn't too long before the same heist was attempted on banks in Vietnam, Ecuador and Eastern Europe. Only five such heists have been publicly disclosed but it is believed that while many more banks have been hit, few have come forward to disclose them.

The Kyiv Post reports Ukrainian ISACA officials as saying that: “At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which hundreds of millions of dollars have been stolen.”

Aleksey Yankovsky, head of ISACA in Kyiv, further commented to the Post that “Banks now are not sharing such information at all and are afraid of publicity.”

Andrew Patel, senior manager of technological outreach at F-Secure, told SCMagazineUK.com that different countries have different breach reporting rules, "so it is possible that the full scope of this campaign is not yet known, or at least being reported."

Central to this saga has been the level of culpability SWIFT has in these heists. Some, like officials from the Bangladeshi Central Bank and police, have accused the cooperative of culpability in this matter, even though the SWIFT system was not breached.

SWIFT have repeatedly said that the security of individual members is primarily their own concern. In light of these thefts, Gottfried Leibbrandt, the chief executive of SWIFT, even floated the idea of expulsion for members whose security policies were not up to scratch.

The robbers have repeatedly overcome individual banks' local security measures to use SWIFT, not the other way around. Furthermore, attackers found ways of hiding the records of their stolen loot by deleting the transaction logs.

From that initial compromise, the robbers then gained access to the banks' SWIFT accounts with stolen credentials and started sending money orders from the targeted bank to the robbers' own accounts.

Patel further added that, "the actors behind these attacks invested a substantial amount of time and effort into learning the system and how to attack it. I wouldn't be surprised if they acquired and set up their own SWIFT test environment in order to study the system and test their attacks. Given the effort it would take to learn this proprietary system, it's possible they have multiple different attacks up their sleeves. They're simply getting the most out of the investment they made."

While there is little to say conclusively about the identities of the attackers, the malware used to initially breach the SWIFT affiliates' local servers links the sprawling attacks. Various analyses of the heists claim that the malware used shares great similarities with that used by the Lazarus group, a purportedly North Korean APT group with its fingerprints all over the Sony Hacks of 2014.