The cyber criminals who stole $81 million from the Central Bank of Bangladesh probably pulled it off using malware, according to BAE Systems.
According to researchers at BAE, the attacker, or attackers, used malware to gain access to the central bank’s system and instructed an American bank to transfer money to various accounts in the Philippines.
The attackers attempted to steal a total of $951 million, most of which was blocked before it left the bank. Of the $101 million that was successfully transferred, only $20 million has been recovered.
In a blog post, Sergei Shevchenko, a security researcher at BAE Systems, said: “The technical details of the attack have yet to be made public, however, we’ve recently identified tools uploaded to online malware repositories that we believe are linked to the heist.”
He explained: “The custom malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure.”
SWIFT responded to the findings, saying that it is aware of a malware intended to reduce institutions’ ability to detect fraudulent transactions.
However, SWIFT maintained that this has no direct impact on SWIFT’s core messaging service and network.
Shevchenko said in the blog: “The tool was custom-made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software as well as good malware coding skills.”
He added: “The general tools, techniques and procedures used in the attack may allow the gang to strike again.”
In a statement, SWIFT said the malware can only be installed “on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security”.
SWIFT has now developed an additional facility to help banks improve their security and spot inconsistencies in their local database records.
The statement went on to say: “The key defence against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems—in particular those used to access SWIFT—against such potential security threats.”
“Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems.”
Shevchenko said: “All financial institutions that run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed.”
He added: “The wider lesson learned here may be that criminals are conducting more and more sophisticated attacks against victim organisations, particularly in the area of network intrusions.”
This story was clarified to highlight the fact that SWIFT’s systems and services were not compromised in any way, nor were they used or manipulated by any criminal enterprise.
.jpg)