Cyber Monday Deal: Up to 60% off InvestingProCLAIM SALE

Bangladesh Bank hackers compromised SWIFT software, warning issued

Published 04/25/2016, 11:06 AM
© Reuters. Swift code bank logo is displayed on an iPhone 6s on top of Euro banknotes in this picture illustration made in Zenica
BAES
-

By Jim Finkle

(Reuters) - The attackers who stole $81 million from the Bangladesh central bank probably hacked into software from the SWIFT financial platform that is at the heart of the global financial system, said security researchers at British defense contractor BAE Systems.

SWIFT, a cooperative owned by 3,000 financial institutions, confirmed to Reuters that it was aware of malware targeting its client software. Its spokeswoman Natasha Deteran said SWIFT on Monday released a software update to thwart the malware, along with a special warning for financial institutions to scrutinize their security procedures.

The developments coming to light the unprecedented cyber-heist suggest that a lynchpin of the global financial system could be more vulnerable than previously understood because of weaknesses that enabled attackers to modify a SWIFT software program installed on bank servers.

The new evidence suggests that hackers manipulated the Alliance Access server software, which banks use to interface with SWIFT's messaging platform, in a bid to cover up fraudulent transfers that had been previously ordered.

The findings from BAE and SWIFT do not explain how the fraudulent orders were created and pushed through the system. That remains a key mystery in ongoing probes into the heist.

Deteran told Reuters on Sunday that SWIFT was issuing the software update “to assist customers in enhancing their security and to spot inconsistencies in their local database records." She said "the malware has no impact on SWIFT’s network or core messaging services."

The software update and warning from Brussels-based SWIFT,or the Society for Worldwide Interbank Financial Telecommunication, come after researchers at BAE (L:BAES), which has a large cyber-security business, told Reuters they believe they discovered malware that the Bangladesh Bank attackers used to manipulate SWIFT client software known as Alliance Access.

BAE published its findings on Monday in a blog post on malware that it said thieves used to cover their tracks and delay discovery of the heist.

The cyber criminals tried to make fraudulent transfers totaling $951 million from the Bangladesh central bank's account at the Federal Reserve Bank of New York in February.

Most of the payments were blocked, but $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.

Investigators probing the heist had previously said the still-unidentified hackers had broken into Bangladesh Bank computers and taken control of credentials that were used to log into the SWIFT system. But the BAE research shows that the SWIFT software on the bank computers was probably compromised in order to erase records of illicit transfers.

The SWIFT messaging platform is used by 11,000 banks and other institutions around the world, though only some use the Alliance Access software, Deteran said.

SWIFT may release additional updates as it learns more about the attack in Bangladesh and other potential threats, Deteran said. It is also reiterating a warning to banks that they should review internal security.

“Whilst we keep all our interface products under continual review and recommend that other vendors do the same, the key defense against such attack scenarios is that users implement appropriate security measures in their local environments to safeguard their systems,” Deteran said. Adrian Nish, BAE's head of threat intelligence, said he had never seen such an elaborate scheme from criminal hackers.

"I can't think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in," he said. "I guess it was the realization that the potential payoff made that effort worthwhile."

A Bangladesh Bank spokesman declined comment on BAE's findings.

A senior official with the Bangladesh Police’s Criminal Investigation Department said that investigators had not found the specific malware described by BAE, but that forensics experts had not finished their probe.

Bangladesh police investigators said last week that the bank's computer security measures were seriously deficient, lacking even basic precautions like firewalls and relying on used, $10 switches in its local networks.

Still, police investigators told Reuters in an interview that both the bank and SWIFT should take the blame for the problems.

"It was their responsibility to point it out but we haven't found any evidence that they advised before the heist," said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department, referring to SWIFT. [L2N16S0OR]

THWARTING FUTURE ATTACKS

Monday's alert from BAE includes some technical indicators that the firm said it hopes banks could use to thwart similar attacks. Those indicators include the IP address of a server in Egypt the attackers used to monitor use of the SWIFT system by Bangladesh Bank staff.

The malware, named evtdiag.exe, was designed to hide the hacker's tracks by changing information on a SWIFT database at Bangladesh Bank that tracks information about transfer requests, according to BAE.

BAE said that evtdiag.exe was likely part of a broader attack toolkit that was installed after the attackers obtained administrator credentials. It is still not clear exactly how the hackers ordered the money transfers.

Nish said that BAE found evtdiag.exe on a malware repository and had not directly analyzed the infected servers. Such repositories collect millions of new samples a day from researchers, businesses, government agencies and members of the public who upload files to see if they are recognized as malicious and help thwart future attacks.

Nish said he was highly confident the malware was used in the attack because it was compiled close to the date of the heist, contained detailed information about the bank's operations and was uploaded from Bangladesh.

While that malware was specifically written to attack Bangladesh Bank, "the general tools, techniques and procedures used in the attack may allow the gang to strike again, "according to a draft of the warning that BAE shared with Reuters.

The malware was designed to make a slight change to code of the Access Alliance software installed at Bangladesh Bank, giving attackers the ability to modify a database that logged the bank's activity over the SWIFT network, Nish said.

Once it had established a foothold, the malware could delete records of outgoing transfer requests altogether from the database and also intercept incoming messages confirming transfers ordered by the hackers, Nish said.

© Reuters. Swift code bank logo is displayed on an iPhone 6s on top of Euro banknotes in this picture illustration made in Zenica

It was able to then manipulate account balances on logs to prevent the heist from being discovered until after the funds had been laundered. It also manipulated a printer that produced hard copies of transfer requests so that the bank would not identify the attack through those printouts, he said.

Latest comments

Risk Disclosure: Trading in financial instruments and/or cryptocurrencies involves high risks including the risk of losing some, or all, of your investment amount, and may not be suitable for all investors. Prices of cryptocurrencies are extremely volatile and may be affected by external factors such as financial, regulatory or political events. Trading on margin increases the financial risks.
Before deciding to trade in financial instrument or cryptocurrencies you should be fully informed of the risks and costs associated with trading the financial markets, carefully consider your investment objectives, level of experience, and risk appetite, and seek professional advice where needed.
Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. The data and prices on the website are not necessarily provided by any market or exchange, but may be provided by market makers, and so prices may not be accurate and may differ from the actual price at any given market, meaning prices are indicative and not appropriate for trading purposes. Fusion Media and any provider of the data contained in this website will not accept liability for any loss or damage as a result of your trading, or your reliance on the information contained within this website.
It is prohibited to use, store, reproduce, display, modify, transmit or distribute the data contained in this website without the explicit prior written permission of Fusion Media and/or the data provider. All intellectual property rights are reserved by the providers and/or the exchange providing the data contained in this website.
Fusion Media may be compensated by the advertisers that appear on the website, based on your interaction with the advertisements or advertisers.
© 2007-2024 - Fusion Media Limited. All Rights Reserved.