In February, attackers tried to steal $951 million using the SWIFT bank transfer system by submitting transfer requests from the Central Bank of Bangladesh to the Federal Reserve Bank of New York. Before the cyber heist was detected, attackers got away with $81 million by routing and laundering the funds through a bank account in the Philippines. Most of the transfers were thwarted for an unexplained reason.
Reuters reported the details of the cyber heist based on an interview with defense contractor and security researcher BAE Systems. It wasn’t clear whether BAE Systems worked independently, for SWIFT or for the Bangladesh Bank. The report exposes that the SWIFT software has the same design flaws as the Target point-of-sale (POS) system: both imprudently relied on the assumption of an impenetrable perimeter for security. The fault appears to be SWIFT’s, if BAE is correct in reporting that “the malware registers itself as a service and operates within an environment running SWIFT’s Alliance software suite, powered by an Oracle Database.”
New or modified malware code, which at the very least would have had a different MD5 hash from the legitimate software, was allowed to register, load and execute without detection. The malware should not have been able to execute, and SWIFT’s security team should have been notified. This is what happened when attackers exploited retailer Target’s POS system, yielding 40 million credit card numbers and identities. Just like the Target exploit, once the attackers got past perimeter defenses, bad security policy let them run whatever malware they chose.
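The control the paragraph above says was missing is a load-time allowlist: a module may only register and load if its hash matches one recorded at deployment, and any other module is refused and reported. The script below is an added example written for this page, not SWIFT’s or BAE’s code and not based on Alliance Access internals; the module names and bytes are constructed. MD5 is computed only because the article mentions it; it is not collision resistant, so SHA-256 is the value actually enforced.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    reason: str
    md5: str
    sha256: str


def fingerprint(blob):
    """Return (md5, sha256) hex digests of a module's bytes."""
    return hashlib.md5(blob).hexdigest(), hashlib.sha256(blob).hexdigest()


def build_allowlist(known_modules):
    """Record the SHA-256 of every known-good module (name -> bytes) at deployment time."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in known_modules.items()}


def verify_module(name, blob, allowlist, alerts):
    """Decide whether `blob` may load as `name`; append an alert record for every refusal."""
    md5, sha256 = fingerprint(blob)
    expected = allowlist.get(name)
    if expected is None:
        reason = "not on allowlist"
    elif expected != sha256:
        reason = "hash mismatch"
    else:
        return Decision(True, "matches allowlist", md5, sha256)
    # Refusal: the security team gets the module name and both digests for triage.
    alerts.append({
        "event": "blocked_module_load",
        "module": name,
        "reason": reason,
        "md5": md5,
        "sha256": sha256,
    })
    return Decision(False, reason, md5, sha256)


# Constructed sample module (hypothetical name); a real deployment hashes the actual DLLs at install time.
KNOWN_GOOD = {"alliance_core.dll": b"constructed known-good module bytes, version 1"}
ALLOWLIST = build_allowlist(KNOWN_GOOD)


def run_demo():
    """Exercise three cases: untouched module, patched module, unknown module."""
    alerts = []
    good = verify_module("alliance_core.dll", KNOWN_GOOD["alliance_core.dll"], ALLOWLIST, alerts)
    # One appended byte is enough to change both digests and trip the check.
    patched = verify_module("alliance_core.dll", KNOWN_GOOD["alliance_core.dll"] + b"\x90", ALLOWLIST, alerts)
    unknown = verify_module("unknown_module.dll", b"constructed unknown module bytes", ALLOWLIST, alerts)
    return good, patched, unknown, alerts


if __name__ == "__main__":
    good, patched, unknown, alerts = run_demo()
    for d in (good, patched, unknown):
        print(d.allowed, d.reason, d.sha256[:16])
    print(len(alerts), "alert(s) raised")
```

The allowlist is keyed by module name so that a replaced file with the same name is still caught by its digest; a module with a new name is caught simply because no entry exists for it.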
Vulnerabilities enabled attackers to insert binary malware code into SWIFT’s client software, Alliance Access, which was exposed to attack by the Bangladesh Bank’s weak cyber defenses. The bank operated its network without a firewall and relied on second-hand switches and routers that cost about $10 each. After breaching the bank, the criminals took control of SWIFT credentials and logged in, which enabled them to install malware and make the illicit transfers. The malware’s .DLL file extension indicates that Alliance Access was written for Windows platforms. It will be interesting to learn whether this included Windows XP, as the Target breach did.
SWIFT update and warning
Natasha de Teran, whom LinkedIn lists as head of corporate affairs at SWIFT, told Reuters that SWIFT was aware of malware targeting Alliance Access. She said SWIFT would release an update and warning today to the 11,000 banks and financial institutions around the world that use or might use the software. It sounds like the warning might be for those companies to double down on perimeter defenses and physical security while SWIFT rewrites Alliance Access to incorporate security policies.
SWIFT seems confident that its core messaging services, which connect banks around the world, have not been compromised; those services are unaffected by the update. The update improves the security of Alliance Access and will detect inconsistencies in local database records.
The attackers’ transfers were not detected by fraud prevention measures because their software, called evtdiag.exe and running inside the bank, deleted the database records of the fraudulent transfers made at the Bangladesh Central Bank. The malware also filtered out incoming confirmations of the transfers, preventing database updates and the printing of transfer confirmations.
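Both tampering techniques described above (deleting local records and suppressing incoming confirmations) leave traces that a reconciliation of the kind the update is said to perform can catch. The script below is an added example written for this page, not SWIFT’s update and not based on Alliance Access internals. It compares three constructed data sources: an independent, append-only gateway log of what actually left the bank, the application’s local database, and the confirmations the application received. A deleted record shows up three ways (a sent transfer with no local record, a gap in the outbound sequence numbers, and a confirmation for a reference the database no longer holds); a suppressed confirmation shows up as a local record that was never confirmed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ref: str      # transfer reference
    seq: int      # outbound message sequence number, expected to be contiguous
    amount: int   # whole currency units


# Constructed sample data for this example (not from the article or from SWIFT).
# Independent gateway log of what actually left the bank, kept outside the application host.
GATEWAY_LOG = [
    Transfer("TX1001", 1, 20_000_000),
    Transfer("TX1002", 2, 6_000_000),
    Transfer("TX1003", 3, 30_000_000),
    Transfer("TX1004", 4, 25_000_000),
]
# The application's own database after tampering: the record for TX1003 has been deleted.
LOCAL_DB = [
    Transfer("TX1001", 1, 20_000_000),
    Transfer("TX1002", 2, 6_000_000),
    Transfer("TX1004", 4, 25_000_000),
]
# Confirmations that reached the application: the one for TX1004 was filtered out.
CONFIRMED_REFS = {"TX1001", "TX1002", "TX1003"}


def sequence_gaps(records):
    """Return sequence numbers missing between the lowest and highest seen."""
    seqs = sorted(t.seq for t in records)
    if not seqs:
        return []
    return sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))


def reconcile(gateway_log, local_db, confirmed_refs):
    """Return sorted (finding, reference) pairs for every inconsistency between the sources."""
    findings = []
    local_by_ref = {t.ref: t for t in local_db}

    # 1. Everything the gateway sent must still exist locally, with the same amount.
    for sent in gateway_log:
        local = local_by_ref.get(sent.ref)
        if local is None:
            findings.append(("missing_local_record", sent.ref))
        elif local.amount != sent.amount:
            findings.append(("amount_mismatch", sent.ref))

    # 2. Outbound sequence numbers in the local database must be contiguous.
    for gap in sequence_gaps(local_db):
        findings.append(("sequence_gap", str(gap)))

    # 3. A confirmation for a reference the database does not hold means a record vanished.
    for ref in sorted(confirmed_refs):
        if ref not in local_by_ref:
            findings.append(("confirmation_without_record", ref))

    # 4. A local record with no confirmation may mean the confirmation was suppressed.
    for t in local_db:
        if t.ref not in confirmed_refs:
            findings.append(("unconfirmed_transfer", t.ref))

    return sorted(findings)


if __name__ == "__main__":
    for finding, ref in reconcile(GATEWAY_LOG, LOCAL_DB, CONFIRMED_REFS):
        print(f"{finding:28s} {ref}")
```

The check only works if the gateway log is kept somewhere the application host cannot rewrite; if the malware can edit every copy, the sources agree with each other and nothing is flagged. Check 4 needs a cutoff in practice (a transfer sent minutes ago may simply not be confirmed yet); the sample data omits timing to keep the logic visible.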
BAE released further details in its blog post today, which were the basis for the Reuters story.