An attack on the Bangladesh Bank, according to BAE Systems, was carried out using malware that targeted SWIFT's Alliance Access software, modifying its code and tampering with a database that recorded the bank's activity. However, the findings did not reveal how the fraudulent orders were created or processed.
Bangladesh central bank officials are pinning the blame for the cyber-attack, which netted £56 million from the financial institution, on the IT department at SWIFT for incorrectly installing new software.
The Bangladesh bankers said vulnerabilities were introduced into the SWIFT messaging system when that organisation installed the real-time gross settlement system (RTGS) software several months prior to the hack, according to a Reuters report. The story quoted Mohammad Shah Alam, who is heading the investigation for the Bangladeshi police, as saying the RTGS had loopholes that were exploited when it was connected to the SWIFT system.
The criminals tried to steal nearly a billion dollars from the bank. Most of these attempts were blocked, but £56 million was routed to accounts in the Philippines and diverted to casinos in the country. This money remains missing.
The malware allowed the criminals to delete outgoing transfer requests and intercept incoming ones. It also changed account balances to hide the wrongdoing from bank officials. BAE Systems said the malware, called 'evtdiag', was built specifically for the Bangladesh Bank's infrastructure and its copy of the SWIFT Alliance Access software.
SWIFT issued a mandatory security update for its software that helped customers “identify situations in which attackers have attempted to hide their traces,” according to bankinfosecurity.com. It would not release any details concerning attacks or what companies were involved, but it did note that the attacks were all similar and that the attackers were able to compromise the targeted banks' computer networks and obtain valid credentials to create and send messages, bankinfosecurity.com reported.
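The tampering described above (deleting outgoing transfer records and adjusting balances in the local database) is exactly what an independent reconciliation check catches, because the attacker who controls the bank's own database does not control the copies held elsewhere, such as the confirmation log returned over the network. The following is an added example, not code from BAE Systems, SWIFT or any bank: it compares a local ledger with an independently held confirmation log and flags deleted, altered and unconfirmed transfers, then checks the reported balance against the confirmed outflows. The record layout and all amounts are constructed for illustration.

```python
"""Reconcile a local transfer ledger against an independent confirmation log.

Assumption (not from the article): the bank keeps, outside the system that
runs the messaging software, a log of transfers the network actually
confirmed. Records are compared by transaction reference.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ref: str          # transaction reference (constructed)
    amount_cents: int  # integer cents avoids float rounding on money
    beneficiary: str


# Constructed sample: what the (possibly tampered) local database shows.
LOCAL_LEDGER = [
    Transfer("T001", 1_000_000_00, "BankA"),
    Transfer("T002", 20_000_000_00, "BankB"),
    Transfer("T004", 5_000_00, "BankD"),          # amount reduced by attacker
]

# Constructed sample: what the independently held confirmation log shows.
CONFIRMED_LOG = [
    Transfer("T001", 1_000_000_00, "BankA"),
    Transfer("T002", 20_000_000_00, "BankB"),
    Transfer("T003", 81_000_000_00, "CasinoCorp"),  # deleted from local ledger
    Transfer("T004", 5_000_000_00, "BankD"),
]


def reconcile(local, confirmed):
    """Return refs that are missing locally, altered locally, or unconfirmed.

    - missing_locally: confirmed by the network but absent from the local
      ledger (an attacker deleted the outgoing request record).
    - altered: present in both but with different amount/beneficiary.
    - unconfirmed: in the local ledger but never confirmed (worth a look,
      but not by itself evidence of tampering).
    """
    local_by_ref = {t.ref: t for t in local}
    conf_by_ref = {t.ref: t for t in confirmed}
    missing_locally = [r for r in conf_by_ref if r not in local_by_ref]
    altered = [r for r in conf_by_ref
               if r in local_by_ref and local_by_ref[r] != conf_by_ref[r]]
    unconfirmed = [r for r in local_by_ref if r not in conf_by_ref]
    return {"missing_locally": missing_locally,
            "altered": altered,
            "unconfirmed": unconfirmed}


def expected_balance_cents(opening_cents, confirmed):
    """Balance the account should show after all confirmed outflows."""
    return opening_cents - sum(t.amount_cents for t in confirmed)


def balance_discrepancy_cents(opening_cents, confirmed, reported_cents):
    """Positive value: the local system reports more money than is really there."""
    return reported_cents - expected_balance_cents(opening_cents, confirmed)


if __name__ == "__main__":
    OPENING = 200_000_000_00
    # Balance the tampered local system reports: opening minus only the
    # transfers still visible in the local ledger.
    reported = OPENING - sum(t.amount_cents for t in LOCAL_LEDGER)
    print(reconcile(LOCAL_LEDGER, CONFIRMED_LOG))
    print("discrepancy (cents):",
          balance_discrepancy_cents(OPENING, CONFIRMED_LOG, reported))
```

Run against the constructed data, the check reports T003 as missing from the local ledger, T004 as altered, and a balance overstated by 85,995,000.00; a scheduled job that raises an alert on any non-empty `missing_locally` or `altered` list, or on a non-zero discrepancy, is the operational control the passage implies was absent.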
The investigation into SWIFT hacking then takes a byzantine turn, as reports surfaced of multiple hacking groups infiltrating the bank's network.
A Bloomberg article citing two anonymous sources with knowledge of the cyber-theft case, stated that FireEye, the security company spearheading the investigation, found the digital fingerprints of three distinct hacking groups inside the bank's infiltrated IT network.
“With the bank's surprisingly lax security, I'm not really surprised investigators found multiple hackers within their network,” WatchGuard Technologies CTO Corey Nachreiner told SCMagazine.com. “Reports suggest the bank didn't even use a basic firewall. They are lucky there were only three hacking groups in their network.”
Two of the identified groups are reportedly based in Pakistan and North Korea, respectively, while the third could be another nation-state or a cyber-criminal outfit.
The attackers then struck again, with researchers discovering malware similar to that used on the Bangladesh central bank on another commercial bank.
According to CNBC, Vietnam's Tien Phong Bank stated it had identified and stopped a suspicious request made through SWIFT to transfer £763,000. The transfer request came through an unnamed third-party vendor used to connect to the SWIFT system. Tien Phong said it has switched to another vendor.
Aaron Shelmire, senior threat researcher at Anomali, identified evidence of links to the North Korea-linked Lazarus Group. According to CNN, the Lazarus Group has already broken into Bangladesh's central bank and stolen £70 million. The group is also thought to have perpetrated attacks on banks located in Ecuador, the Philippines and Vietnam.
SWIFT has outlined plans to bolster security, stressing that its own network, software and core messaging services have not been compromised. In a statement it said: “This customer security programme will clearly define an operational and security baseline that customers must meet to protect the processing and handling of their SWIFT transactions.”
SWIFT says it will strengthen security requirements for customer-managed software to better protect local environments. It will enhance security and operational baselines, and develop related audit standards and certification processes for the secure management of SWIFT messages at customer sites. And it will enhance support by third party providers and foster a secure ecosystem through partner programmes, organisation of industry events, certification programmes and other measures.
SWIFT's CEO, Gottfried Leibbrandt, told the FT it may exclude from its network banks that have demonstrated weak information security.
–By Roi Perez, SC Magazine UK