SWIFT to update cyber-security policies as third heist pulled on user

The SWIFT bank messaging cooperative has announced an update to its cyber-security policies as yet another bank has been hit.

In 2016, there have been three heists on SWIFT connected banks...that we know of

SWIFT is to review its security policies. In a message sent to customers on Friday, the global messaging service said that, in light of “recently shared information regarding a number of fraudulent payment cases where affected customers suffered a breach in their local payment infrastructure”, it will be taking security to the next level.

The announcement noted, “we are currently working to further reinforce our support to customers in securing their access to the SWIFT network”.

As part of the update, SWIFT will now centralise all “existing security information” through KB tip 5020928. All new information on cyber-incidents will be posted through that tip.

The announcement also calls for increased sharing of cyber-incidents with SWIFT, as laid out in the terms and conditions.

SWIFT is sometimes called the backbone of the financial system. The cooperative of 3000 members operates a messaging system which oversees millions of global cash transfers every day, and many financial institutions rely on the system to do business, which is perhaps why recent attacks through the system have been so lucrative.

Though there has been a rash of large heists of late, carried out through the SWIFT system, SWIFT maintains that the messaging service itself has not been breached.

The security review announcement comes shortly after a large heist, the third this year conducted through the SWIFT system. This time, attackers made off with £8 million ($12 million) from the Banco Del Austro (BDA), an Ecuadorian bank, and put it into accounts in Hong Kong, New York, Los Angeles and Dubai.

Much like the previous two heists, attackers defeated the bank's local security systems and managed to get their hands on SWIFT credentials.

With those they got on to the SWIFT messaging system and made numerous requests for cash transfers from the bank's account into accounts they controlled.

The heist was revealed in a lawsuit BDA is currently pursuing against Wells Fargo, the bank which approved the transactions on the other end of the transfer.

Though SWIFT has not mentioned a connection between the recent Ecuadorian heist and the company's new announcement, the timing is certainly convenient.

One of the problems outlined in BDA's lawsuit is a failure to share information on such heists with SWIFT. SWIFT only learnt about the theft this month, despite the fact that the heist was carried out in January of this year.

It's the same problem that SWIFT outlines in its most recent announcement: “The security of our global financial community can only be ensured through a collaborative approach among SWIFT, its users, its central bank overseers and third party suppliers.”

To that end, “we specifically remind all users to respect their obligations to immediately inform SWIFT of any suspected fraudulent use of their institution's SWIFT connectivity or related to SWIFT products and services. In such cases SWIFT may require certain diagnostic information from you as set out in our terms and conditions.”

2016 has not been a great year for SWIFT. The Ecuadorian bank hack is only the latest in what looks set to be a long line of high-value cyber-heists conducted through the SWIFT system.

SWIFT sent a letter to its customers earlier this month, describing its discovery of a kind of malware strikingly similar to the piece that allowed cyber-criminals to make off with £56 million from Bangladesh Central Bank's (BCB) New York Federal Reserve bank account in February this year. While some of that money has been recovered, the large majority has not.

SWIFT would not identify the new victim, referring to the bank in question merely as “a commercial bank”. BAE Systems, in its research, refers to that bank as Vietnamese.

The Tien Phong Bank, a Hanoi-based bank, claimed soon after that it had headed off just such an attack made through SWIFT. It is widely believed to be the same bank that SWIFT declined to name in its statement.

SWIFT told customers in a statement: “Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks.”

There has been little word on who might be behind that wider campaign, but attempts at attribution have been made. That campaign, according to BAE researchers Sergei Shevchenko and Adrian Nish, might even reach back as far as the 2014 Sony hacks.

The two researchers found a similar function in the malware samples taken from both BCB and the unnamed Asian bank that allows the malware to delete itself and any records of its existence. Furthermore, BAE identified connections between those two cases and the 2014 hacks on Sony.

Largely believed to be the work of a North Korean APT group, the Sony hacks exposed thousands of internal documents and sensitive details of the company's inner workings.

A group calling itself the Guardians of Peace claimed responsibility for the public shaming of the media giant, saying that the hack was an act of revenge against the studio for The Interview, a comedy about the North Korean leader, Kim Jong Un.

Symantec's research points to a similar place. Dick O'Brien, senior information developer at Symantec, told SCMagazineUK.com that the wiper function within the malware “shares strong similarities with tools previously identified in malware associated with Lazarus”. The Lazarus group is also suspected of having connections to the 2014 hacks on Sony. Among other things, the group is known to have started its now-illustrious career with a series of attacks against South Korea and the United States.

The group is associated with a whole range of malware, but O'Brien said, “The wiper component is quite unique which may indicate that it is developed ‘in-house’ and not generally available on the underground.”

Fingers also pointed back towards SWIFT, which Bangladeshi officials recently said was partly responsible for February's massive heist.

The bank and Bangladeshi police have laid a good portion of the blame for the £56 million heist at the feet of the financial messaging company. In early May, they said that SWIFT had exposed the bank to attack when technicians connected the bank to SWIFT messaging, several months prior to the heist.

Adding to that was the former governor of the bank, Mohammed Farashuddin, who recently told reporters, “SWIFT is responsible for the heist of Bangladesh Bank (BCB) as it approached the central bank for the installation of RTGS real time gross settlement”.

Farashuddin was quoted by the Bangladeshi newspaper the Daily Star as saying that SWIFT had failed to implement over a dozen measures that would have helped prevent the theft.

SWIFT was quick to deny the BCB allegations. In a statement released last week, SWIFT called the charges “false, inaccurate and misleading”.

The company further stated that it “was not responsible for any of the issues cited by the officials, or party to the related decisions. As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network and their related environment – starting with basic password protection practices – in much the same way as they are responsible for their other internal security considerations.”

On the back of this third heist, SWIFT has levelled charges right back at the banks, saying that the SWIFT system was not breached and that those affected by this campaign should not only have better secured their own systems but also told SWIFT earlier.

SWIFT released a statement to SC saying that, “SWIFT was not aware. As we stated last week, we need to be informed by customers of such frauds if they relate to our products and services, so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information, and are reminding customers of their obligations to share such information with us.”