At last, SWIFT found their weakness.
Reuters said:
The attackers who stole $81 million from the Bangladesh central bank probably hacked into software from the SWIFT financial platform that is at the heart of the global financial system, said security researchers at British defense contractor BAE Systems.
SWIFT, a cooperative owned by 3,000 financial institutions, confirmed to Reuters that it was aware of malware targeting its client software. Its spokeswoman Natasha Deteran said SWIFT would release on Monday a software update to thwart the malware, along with a special warning for financial institutions to scrutinize their security procedures.
The new developments now coming to light in the unprecedented cyber-heist suggest that an essential lynchpin of the global financial system could be more vulnerable than previously understood to hacking attacks, due to the vulnerabilities that enabled attackers to modify SWIFT’s client software.
Deteran told Reuters on Sunday that it was issuing the software update “to assist customers in enhancing their security and to spot inconsistencies in their local database records.”
The software update and warning from Brussels-based SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, come after researchers at BAE (BAES.L), which has a large cyber-security business, told Reuters they believe they discovered malware that the Bangladesh Bank attackers used to manipulate SWIFT client software known as Alliance Access.
BAE said it plans to go public on Monday with a blog post about its findings concerning the malware, which the thieves used to cover their tracks and delay discovery of the heist.
The cyber criminals tried to make fraudulent transfers totaling $951 million from the Bangladesh central bank's account at the Federal Reserve Bank of New York in February.
Most of the payments were blocked, but $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.
Investigators probing the heist had previously said the still-unidentified hackers had broken into Bangladesh Bank computers and taken control of credentials that were used to log into the SWIFT system. But the BAE research shows that the SWIFT software on the bank computers was probably compromised in order to erase records of illicit transfers.
Deteran reiterated on Sunday that "the malware has no impact on SWIFT’s network or core messaging services."
The SWIFT messaging platform is used by 11,000 banks and other institutions around the world, though only some use the Alliance Access software, Deteran said.
SWIFT may release additional updates as it learns more about the attack in Bangladesh and other potential threats, Deteran said.
SWIFT is also reiterating a warning to banks that they should review internal security.
“Whilst we keep all our interface products under continual review and recommend that other vendors do the same, the key defense against such attack scenarios is that users implement appropriate security measures in their local environments to safeguard their systems,” Deteran said.
Adrian Nish, BAE's head of threat intelligence, said he had never seen such an elaborate scheme from criminal hackers.
"I can't think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in," he said. "I guess it was the realization that the potential payoff made that effort worthwhile."
A Bangladesh Bank spokesman declined comment on BAE's findings.
A senior official with the Bangladesh Police’s Criminal Investigation Department said that investigators had not found the specific malware described by BAE, but that forensics experts had not finished their probe.
Bangladesh police investigators said last week that the bank's computer security measures were seriously deficient, lacking even basic precautions like firewalls and relying on used, $10 switches in its local networks.
Still, police investigators told Reuters in an interview that both the bank and SWIFT should take the blame for the problems.
"It was their responsibility to point it out but we haven't found any evidence that they advised before the heist," said Mohammad Shah Alamo, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department, referring to SWIFT.
THWARTING FUTURE ATTACKS
The BAE alert to be published on Monday includes some technical indicators that the firm said it hopes banks could use to thwart similar attacks. Those indicators include the IP address of a server in Egypt the attackers used to monitor use of the SWIFT system by Bangladesh Bank staff.
The malware, named evtdiag.exe, was designed to hide the hacker's tracks by changing information on a SWIFT database at Bangladesh Bank that tracks information about transfer requests, according to BAE.
BAE said that evtdiag.exe was likely part of a broader attack toolkit that was installed after the attackers obtained administrator credentials.
It is still not clear exactly how the hackers ordered the money transfers.
Nish said that BAE found evtdiag.exe on a malware repository and had not directly analyzed the infected servers. Such repositories collect millions of new samples a day from researchers, businesses, government agencies and members of the public who upload files to see if they are recognized as malicious and help thwart future attacks.
Nish said he was highly confident the malware was used in the attack because it was compiled close to the date of the heist, contained detailed information about the bank's operations and was uploaded from Bangladesh.
While that malware was specifically written to attack Bangladesh Bank, "the general tools, techniques and procedures used in the attack may allow the gang to strike again," according to a draft of the warning that BAE shared with Reuters.
The malware was designed to make a slight change to code of the Alliance Access software installed at Bangladesh Bank, giving attackers the ability to modify a database that logged the bank's activity over the SWIFT network, Nish said.
Once it had established a foothold, the malware could delete records of outgoing transfer requests altogether from the database and also intercept incoming messages confirming transfers ordered by the hackers, Nish said.
It was able to then manipulate account balances on logs to prevent the heist from being discovered until after the funds had been laundered.
It also manipulated a printer that produced hard copies of transfer requests so that the bank would not identify the attack through those printouts, he said.
(Reporting by Jim Finkle in Boston. Additional reporting by Serajul Quadir in Dhaka. Editing by Jonathan Weber and Martin Howell)