City Union Bank publicly announced that malicious actors had gained access to its systems and transferred approximately 1.3m in three transactions using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. A reported 6 million was stolen by hackers using the SWIFT system. Despite enhanced security surrounding SWIFT, which launched a scanning service designed to spot fraudulent transactions in April 2017, fraudulent activity continues to make headlines.
Last week, a report by the Russian central bank made a brief mention of an attack against an unnamed Russian bank. The most likely source of this reference is the attack against Globex in December 2017, but it could also refer to a suspected attack against the MoneyTaker group, which performs a similar service to SWIFT. As attacks against these networks, often dubbed cyberheists, have come back to the fore, a historical analysis of previous threat vectors demonstrates the sophistication of actors that are both willing and capable of attacking such high-profile targets.
It is important to note that SWIFT, the member-only organization that provides secure financial transaction information via a standardized proprietary communications platform, says its own systems have never been compromised by hackers. Although SWIFT offers no further official commentary, and detailed accounts of individual cases are incredibly rare, there have been several known instances where the network has been used for fraudulent wire-transfer requests. In the instances identified, it appears that hackers compromised devices owned by the targeted bank and connected to the network, rather than SWIFT's own infrastructure.
In addition to the Russian and Indian examples described this week, $81m was taken from a Bangladesh bank, 43m from Taiwan's Far Eastern International Bank and $3.1m from Nepal's NIC Asia Bank in separate attacks during 2016 and 2017. The Bangladesh attack gained the most notoriety, due both to speculation of Advanced Persistent Threat (APT) involvement, specifically North Korean actors, and to the subsequent investigation that identified a typo as the reason the attackers were restricted to gaining $81m rather than $1bn.
Open-source reporting on the attacks indicates that sophisticated, often bespoke, malware appears to be the main threat vector used. It is, however, unclear how the malware initially infected the end device in each case.
According to reports by researchers at McAfee and BAE Systems, the Hermes ransomware was used as a diversion in the Taiwanese attack. The ransomware is thought to have originated from the Lazarus group, a threat actor known to be affiliated with North Korea and linked to the Bangladesh attack. In a similar vein, Symantec identified the APT group Carbanak using the Odinaff Trojan to attack SWIFT in October 2016. If genuine, the tools leaked from the NSA-affiliated Equation Group by the Shadow Brokers suggest that this group had also penetrated the SWIFT network via Middle East banks.
Open-source trends show that over the last four years a SWIFT network attack has been reported on average every 10 months. This figure is skewed by the gap between the time of an attack and the time of its reporting, which is incredibly varied. The frequency of, and publicity surrounding, public disclosures of attacks is nonetheless increasing. This means that in the mid to long term, SWIFT attacks are highly likely to dominate headlines and cybersecurity attention.