The software behind the SWIFT network, which provides the backbone for global financial transactions, was most likely hacked by cyber-attackers who stole $81m (£56m) from the Bangladesh Central Bank.
SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a cooperative owned by 3,000 financial institutions around the world.
It confirmed that malware had been developed that targets its client software, and that a software update fixing the vulnerability is due to be released today, along with a special warning for financial institutions to scrutinise their security procedures.
In February, a group of cyber criminals attempted to make fraudulent transfers totalling $951m from the Bangladesh central bank's account at the Federal Reserve Bank of New York.
Most of the payments were blocked, but $81m was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.
An investigation by BAE Systems into the cyber-heist suggests that the SWIFT network - an essential lynchpin of the global financial system - could be more vulnerable to hacking attacks than previously understood, because of the vulnerabilities that enabled attackers to modify SWIFT's client software.
Investigators probing the heist had previously said the still-unidentified hackers had broken into Bangladesh Bank computers and taken control of credentials that were used to log into the SWIFT system.
However, the BAE research shows that the SWIFT software on the bank computers was probably compromised in order to erase records of illicit transfers.
SWIFT spokesperson Natasha Deteran said the malware had no impact on SWIFT's network or core messaging services.
The messaging platform is used by 11,000 banks and other institutions around the world, though only some use the Alliance Access software.
SWIFT may release additional updates as it learns more about the attack in Bangladesh and other potential threats, Deteran said.
"Whilst we keep all our interface products under continual review and recommend that other vendors do the same, the key defence against such attack scenarios is that users implement appropriate security measures in their local environments to safeguard their systems," she said.
Adrian Nish, BAE's head of threat intelligence, said he had never seen such an elaborate scheme from criminal hackers.
"I can't think of a case where we have seen a criminal go to the level of effort to customise it for the environment they were operating in," he said. "I guess it was the realisation that the potential payoff made that effort worthwhile."
A Bangladesh Bank spokesman declined to comment on BAE's findings.
A senior official with the Bangladesh Police's Criminal Investigation Department said that investigators had not found the specific malware described by BAE, but that forensics experts had not finished their probe.
Bangladesh police investigators said last week that the bank's computer security measures were seriously deficient, lacking even basic precautions like firewalls and relying on used $10 network switches in its local networks. They claimed that both the bank and SWIFT should take the blame for the problems.
"It was their responsibility to point it out, but we haven't found any evidence that they advised before the heist," said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department, referring to SWIFT.