Billion Dollar Sting: a Financial Institution’s SWIFT Nightmare by Panda Security

Bracknell, United Kingdom, June 09, 2016 -- PandaLabs, the security division of Panda Security, has been investigating how attackers' approach to the financial sector has evolved.

For years cybercriminals have focused on money, and specifically on the financial sector. For the last decade they have mainly targeted the weakest link in the chain: the end user of online banking services.

This approach has some benefits for these cybercriminals: poor end-user security, small thefts that can go undetected for some time, a large number of potential targets, etc. However, it also has some downsides: the need for money mules, having to find (infect) a victim who uses one of the targeted banks, evading antimalware software, etc. In other words, they can make a lot of money, but it requires a lot of effort on their side.

The big money is in the banks themselves; however, it is hard to break into them. It requires significant investment to gather all the intelligence needed for this kind of heist, it is not easy to perform, and it might require months, if not years, of careful planning. All worth it if the result could be one billion dollars stolen in a single hit.

In February of this year, attackers infected systems at the Bangladesh Central Bank with malware and tried to make fraudulent transfers totaling 951 million dollars from its account held at the Federal Reserve Bank of New York. Luckily, most of the transfers were blocked, and “only” 81 million dollars were stolen. However, this was not the only instance.

In January 2015, a bank from Ecuador, Banco del Austro, was hit in a very similar way, and 9 million dollars were successfully stolen.

Malware was used to perform the attack, and all the money transfers were made using the SWIFT banking network, which provides the secure transfer of money amongst banks.

The biggest concern was that the SWIFT network, previously believed to be secure, had been compromised, placing the entire financial system at risk. It looks like this was not the case, as SWIFT has issued a press release which clearly states: “the SWIFT network, core messaging services and software have not been compromised.”

In its customer communication SWIFT tells all the banks that their “first priority should be to ensure that banks have all preventative and detective measures in place to secure their environment.” Is there anything at all that can be done to completely prevent a new heist?

Criminals will keep trying, and eventually they may succeed. They know what they are after (money) and which computers they want to target (those connecting to the SWIFT network). Access to the SWIFT network is highly restricted: it can only be performed from certain computers, and only certain users are allowed access to them. Those computers have to be highly fortified, and not just by keeping software updated and running an antimalware solution.

Only pre-approved software should be allowed to execute on those computers. All executed processes need to be monitored in real time, logging everything that happens and looking for abnormal behaviors. It does not matter whether the attack comes from the Internet or with the help of an insider. No unauthorized software should be allowed to execute on those terminals, and the authorized software needs to be protected with anti-exploit technologies and monitored in real time should any abnormal behavior take place.
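As an added illustration of the allowlisting and execution logging described above (example code written for this page, not Panda Security's product or any SWIFT software), the following Python checks each process start on a terminal against a hash-based list of approved images and records every execution, allowed or blocked, so that a later investigation can reconstruct what ran. All paths, image bytes and events are constructed samples.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed sample: bytes standing in for the approved executables on the terminal.
# A real allowlist holds the hashes of the actually installed, approved builds.
APPROVED_CLIENT = b"hypothetical swift client build 1.0"
APPROVED_SYSTEM = b"hypothetical system service binary"
ALLOWLIST = {  # approved image path -> SHA-256 of the approved build
    r"C:\SwiftClient\swiftclient.exe": hashlib.sha256(APPROVED_CLIENT).hexdigest(),
    r"C:\Windows\System32\svchost.exe": hashlib.sha256(APPROVED_SYSTEM).hexdigest(),
}

@dataclass(frozen=True)
class ExecEvent:
    ts: str      # timestamp of the process start
    user: str    # account that started the process
    path: str    # image path on disk
    sha256: str  # hash of the image bytes at execution time

def evaluate(event: ExecEvent, allowlist: dict[str, str]) -> tuple[str, str]:
    """Return (verdict, reason). The hash is checked, not only the path, so a
    replaced or patched binary at an approved location is still blocked."""
    expected = allowlist.get(event.path)
    if expected is None:
        return "block", "image path is not on the pre-approved list"
    if expected != event.sha256:
        return "block", "image hash differs from the approved build"
    return "allow", "approved image"

def audit(events: list[ExecEvent], allowlist: dict[str, str]) -> list[dict]:
    """Log every execution as a JSON-serialisable record, whatever the verdict."""
    records = []
    for ev in events:
        verdict, reason = evaluate(ev, allowlist)
        records.append({"ts": ev.ts, "user": ev.user, "path": ev.path,
                        "sha256": ev.sha256[:16], "verdict": verdict, "reason": reason})
    return records

# Constructed execution events: the approved client, a tampered copy of it at the
# same path, and an unknown binary dropped in a temporary directory.
SAMPLE_EVENTS = [
    ExecEvent("2016-06-01T09:00:00Z", "swiftop", r"C:\SwiftClient\swiftclient.exe",
              hashlib.sha256(APPROVED_CLIENT).hexdigest()),
    ExecEvent("2016-06-01T09:05:00Z", "swiftop", r"C:\SwiftClient\swiftclient.exe",
              hashlib.sha256(APPROVED_CLIENT + b" (modified)").hexdigest()),
    ExecEvent("2016-06-01T09:06:00Z", "swiftop", r"C:\Users\swiftop\AppData\Local\Temp\update.exe",
              hashlib.sha256(b"hypothetical unknown binary").hexdigest()),
]

if __name__ == "__main__":
    for record in audit(SAMPLE_EVENTS, ALLOWLIST):
        print(json.dumps(record))
```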

One of the most frustrating things for the victims to go through is the lack of knowledge about the incident. How did it happen? When did it start? For how long? What actions occurred while the computers were compromised? Was any confidential information leaked? As an example, in the Bangladesh Central Bank case three pieces of malware were recovered after the incident, but that is all that was left. The attackers probably used many other tools and processes that were deleted, and the victim will never know anything about them. Knowledge is power, and knowing how a security incident happened will help fix the security weaknesses in the environment.

Luis Corrons, Technical Director of PandaLabs, advised: "The conclusion after studying these attacks is that, had those banks had Panda Security's Adaptive Defense installed on their SWIFT-connected terminals, the heists could have been stopped in time."

More info at: Panda Security (contact: Neil Martin)