Symantec spots malware targeting SWIFT organisations

News by Max Metzger

Symantec claims to have spotted a new campaign that has attempted to exploit SWIFT customers in a very familiar way.

Another group appears to be targeting SWIFT customers, according to Symantec. The cyber-security giant announced today that it had detected a piece of malware entitled Odinaff on the systems of up to 20 organisations.

That same malware was capable of deleting customer logs for SWIFT, an electronic messaging system used by banks all over the world. Odinaff is apparently used to gain a foothold into networks, from which point attackers can launch further attacks and install more malicious tools. Symantec noted that the campaign has been around since the beginning of this year.

The targets are often banks and financial institutions, which accounted for a third of the malware's targets. A small percentage were in the securities, legal, healthcare and government sectors. However, most of those targeted worked in unidentified sectors but used financial software applications.

Targets were primarily situated within the US as well as Hong Kong, the UK, Australia and Ukraine.

While the malware was capable of manipulating SWIFT customer logs, it is not known whether these Symantec customers are also customers of SWIFT.

However, Symantec said it had found evidence that Odinaff had targeted SWIFT members. Symantec explained: “The tools used are designed to monitor customers' local message logs for keywords relating to certain transactions. They will then move these logs out of customers' local SWIFT software environment.”

Symantec added, “We have no indication that SWIFT network was itself compromised.” SWIFT apparently warned customers about Odinaff this summer.

This exploitation of SWIFT customers bears a resemblance to the kind of scam pulled off earlier this year on the Bangladesh Central Bank. The robbers breached the bank, installed malware locally and proceeded to make a number of cash requests through SWIFT, deleting the logs of those transactions, much like Odinaff.
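Both Symantec's description of the Odinaff tooling (watching the local message log for transaction keywords and moving matching entries out) and the Bangladesh heist (transaction logs deleted after the transfers) turn on the same weakness: the local log can be altered by whoever controls the host. A control a defender would want here is tamper evidence for that log. The following is an added example, not Symantec's, SWIFT's or any victim's code: a hash chain over log entries, with the digest list copied somewhere the log host cannot write, so that a removed, altered or reordered entry breaks the chain at an identifiable position while ordinary appends still verify. The log format, field names and sample lines are constructed for the example.

```python
import hashlib

GENESIS = "0" * 64  # chain anchor for the first entry


def entry_digest(prev_digest: str, line: str) -> str:
    """Digest of one entry, bound to every entry before it via prev_digest."""
    return hashlib.sha256(f"{prev_digest}\n{line}".encode("utf-8")).hexdigest()


def build_chain(lines):
    """Per-entry digests for a log. Store the returned list off-host
    (write-once storage, a separate system) so an intruder on the log
    host cannot rewrite it along with the log."""
    chain, prev = [], GENESIS
    for line in lines:
        prev = entry_digest(prev, line)
        chain.append(prev)
    return chain


def verify(lines, recorded_chain):
    """Check the current log against a chain recorded earlier.

    Returns (ok, first_bad_index, missing_count): first_bad_index is the
    first position whose digest no longer matches the recorded one (-1 if
    every compared position matched); missing_count is how many recorded
    entries the log no longer has. Entries appended after the recording
    are allowed and do not affect the result.
    """
    current = build_chain(lines)
    compared = min(len(current), len(recorded_chain))
    first_bad = -1
    for i in range(compared):
        if current[i] != recorded_chain[i]:
            first_bad = i
            break
    missing = max(0, len(recorded_chain) - len(lines))
    return (first_bad == -1 and missing == 0, first_bad, missing)


# Constructed sample log; the line format is invented for this example
# and is not any real SWIFT interface's log format.
SAMPLE_LOG = [
    "2016-10-11T09:00:01 OUT MT103 ref=TX0001 amount=10000.00 ccy=USD",
    "2016-10-11T09:02:17 OUT MT103 ref=TX0002 amount=250000.00 ccy=USD",
    "2016-10-11T09:05:44 IN  MT900 ref=TX0002 status=DEBITED",
    "2016-10-11T09:07:03 OUT MT103 ref=TX0003 amount=1200.00 ccy=GBP",
]

# Digest list as it would have been recorded off-host at end of day.
RECORDED = build_chain(SAMPLE_LOG)


def demo_intact():
    """Unmodified log verifies cleanly."""
    return verify(SAMPLE_LOG, RECORDED)


def demo_appended():
    """Normal operation: new entries after the recording still verify."""
    grown = SAMPLE_LOG + [
        "2016-10-11T09:30:00 OUT MT103 ref=TX0004 amount=700.00 ccy=EUR"
    ]
    return verify(grown, RECORDED)


def demo_deleted_entries():
    """Simulate removal of every line mentioning TX0002, as log-wiping
    malware would; the chain breaks at index 1 and two entries are missing."""
    tampered = [line for line in SAMPLE_LOG if "TX0002" not in line]
    return verify(tampered, RECORDED)


def demo_edited_amount():
    """Simulate an in-place edit of one amount; count is unchanged but the
    chain breaks at the edited position."""
    edited = list(SAMPLE_LOG)
    edited[1] = edited[1].replace("250000.00", "2500.00")
    return verify(edited, RECORDED)


if __name__ == "__main__":
    for name, fn in [("intact", demo_intact), ("appended", demo_appended),
                     ("deleted", demo_deleted_entries), ("edited", demo_edited_amount)]:
        print(f"{name:9s} ok={fn()[0]} first_bad={fn()[1]} missing={fn()[2]}")
```

The check only has value if the recorded digest list lives where the compromised host cannot reach it; a chain stored next to the log it protects can be rebuilt by the same tooling that edits the log. Running the verifier on a schedule from a separate system, and alerting on any non-zero `missing_count` or a `first_bad_index` other than -1, turns the log manipulation described above into a detectable event rather than a silent one.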

Losses totalled US$81 million (£57 million) and the same scam was pulled off by what is believed to be the same people several more times at banks around the world.

SWIFT, a banking cooperative which handles millions of international money transfers every day, was not breached, but someone has found a way to exploit its customers. With the disclosure of Odinaff malware, it appears that more than one group has found a way to do it.

Although the campaign that began with Bangladesh seemed unique to one group at the time, that no longer seems to be the case. Analysis of the malware used in Bangladesh led Symantec researchers to believe that the Lazarus group was behind the heist.

Lazarus first came to fame in 2014 when it breached Sony Pictures, seemingly in response to the release of a film mocking North Korea's leader Kim Jong Un. It is perhaps for this reason that some believe Lazarus, and those who stole money from SWIFT customers, to be North Korean in origin.

However, despite the speculation, Symantec researcher Eric Chien was keen to point out that this has not been confirmed.

The disclosing blogpost, published today by Symantec, notes: “There are no apparent links between Odinaff's attacks and the attacks on banks' SWIFT environments attributed to Lazarus, and the SWIFT-related malware used by the Odinaff group bears no resemblance to Trojan.Banswift, the malware used in the Lazarus-linked attacks.”

Odinaff appears to originate from another group entirely and does not seem motivated by the aims of a nation state, but by a money-hungry cybercriminal group. Symantec believes the Odinaff malware to be linked to the Carbanak group, a possible APT group which made off with millions of dollars from Russian banks. Symantec added that the two groups not only used similar tactics but had previously used the same IP addresses to connect to their servers.

Kevin Bocek, chief cyber-security strategist at Venafi, told “The SWIFT system was state-of-the-art when it was created two decades ago, but in cyber-security and fraud prevention, 20 years might as well be a millennium. A complete rethink of outdated payments architectures, including SWIFT, is long overdue.”

A critical step for SWIFT, added Bocek, “is to make sure they are able to determine who and what can and cannot be trusted. Only by understanding how this system of digital trust that depends on keys and certificates was breached can we hope to secure the global banking system of the future.”

After the success of the first SWIFT hack, he concluded, “It's unsurprising to see the headlines doing the rounds again and I'd be shocked if this is the last we see of it.”
