13 May 2016
Sydney
Reporter Mark Dugdale

Investigators link cyber criminals to second attack

The cyber criminals who stole $81 million from the Central Bank of Bangladesh have been linked to a second attack in Asia.

Investigators at BAE Systems have discovered that a variant of the malware used to gain access to the central bank’s systems and issue fraudulent instructions to transfer money to accounts in the Philippines may also have been deployed against an unnamed commercial bank in Vietnam.

The Bangladesh attack in February hinged on weak security at the central bank, which allowed custom malware to infiltrate the bank’s local installation of SWIFT Alliance Access. SWIFT’s own network, core messaging services and software were not compromised at any point.

Further investigations revealed that the Bangladesh attack might not be an isolated case. BAE researchers Sergei Shevchenko and Adrian Nish wrote in a blog post on 13 May: “Our research into malware used on SWIFT-based systems running in banks has turned up multiple bespoke tools used by a set of attackers.”

“What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign. This led to the identification of a commercial bank in Vietnam that also appears to have been targeted in a similar fashion using tailored malware, but based off a common code-base.”

SWIFT moved quickly to reassure users of its messaging service, issuing a statement ahead of BAE’s blog post on 13 May.

“First and foremost we would like to reassure you again that the SWIFT network, core messaging services and software have not been compromised,” SWIFT said.

“We have however now learnt more about a second instance in which malware was used—again directed at banks’ secondary controls, but which in this instance targets a PDF Reader used by the customer to check its statement messages.”

SWIFT went on to explain: “In both instances, the attackers have exploited vulnerabilities in banks’ funds transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process.”

“In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.”

“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks—knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both.”
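The two-step pattern SWIFT describes, bypassing the primary controls to initiate transfers and then tampering with the statements and confirmations a bank uses as its secondary control, is exactly what an independent reconciliation is meant to defeat. The Python below is an added example, not code from the article, from SWIFT or from BAE: it compares what a (hypothetically tampered) statement viewer displays against a confirmation obtained through a separate channel, and flags entries that are missing, unexpected or altered. The pipe-delimited record format, the transaction references, amounts and beneficiary names are all constructed for the example and do not come from any real incident.

```python
"""Independent reconciliation of payment statements.

Rationale: if the only copy of a statement an operator sees is rendered by
software on the same host the attacker controls, hiding or editing entries
delays detection. Comparing against a copy obtained over a separate channel
(here called a correspondent confirmation) surfaces the difference.
Record format, references, amounts and names below are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer as it appears in a statement or journal."""
    ref: str
    amount: Decimal
    currency: str
    beneficiary: str


def parse_records(text):
    """Parse the hypothetical 'REF | AMOUNT | CCY | BENEFICIARY' lines used here.

    Returns a dict keyed by transaction reference. Blank lines and '#'
    comments are skipped. Decimal is used so amounts compare exactly.
    """
    records = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ref, amount, currency, beneficiary = (f.strip() for f in line.split("|"))
        records[ref] = Transfer(ref, Decimal(amount), currency, beneficiary)
    return records


# Constructed sample data (not from any real bank or incident).
MESSAGING_JOURNAL = """
# what the messaging layer actually transmitted
TRN0001 | 1250000.00 | USD | Acme Trading Ltd
TRN0002 |   42000.00 | EUR | Northwind Supplies
TRN0003 | 9800000.00 | USD | Unknown Beneficiary Co
TRN0004 | 7500000.00 | USD | Unknown Beneficiary Co
TRN0005 |  300000.00 | USD | Contoso GmbH
"""

DISPLAYED_STATEMENT = """
# what a hypothetically tampered statement viewer rendered to the operator:
# TRN0003/TRN0004 hidden, TRN0005 shown with a reduced amount
TRN0001 | 1250000.00 | USD | Acme Trading Ltd
TRN0002 |   42000.00 | EUR | Northwind Supplies
TRN0005 |   30000.00 | USD | Contoso GmbH
"""

CORRESPONDENT_CONFIRMATION = """
# confirmation obtained out of band from the correspondent bank
TRN0001 | 1250000.00 | USD | Acme Trading Ltd
TRN0002 |   42000.00 | EUR | Northwind Supplies
TRN0003 | 9800000.00 | USD | Unknown Beneficiary Co
TRN0004 | 7500000.00 | USD | Unknown Beneficiary Co
TRN0005 |  300000.00 | USD | Contoso GmbH
"""


def reconcile(displayed, independent):
    """Compare two views of the same period, keyed by transaction reference.

    Returns references missing from 'displayed', references present only in
    'displayed', and references whose amount, currency or beneficiary differ,
    so a viewer that hides entries or edits them is caught either way.
    """
    shared = set(displayed) & set(independent)
    return {
        "missing": sorted(set(independent) - set(displayed)),
        "unexpected": sorted(set(displayed) - set(independent)),
        "altered": sorted(r for r in shared if displayed[r] != independent[r]),
    }


def is_clean(result):
    """True when the two views agree on every entry."""
    return not (result["missing"] or result["unexpected"] or result["altered"])


def run_example():
    """Run both controls on the constructed data and return their results."""
    journal = parse_records(MESSAGING_JOURNAL)
    displayed = parse_records(DISPLAYED_STATEMENT)
    confirmed = parse_records(CORRESPONDENT_CONFIRMATION)
    # Control 1: tampered display vs independent confirmation -> fraud surfaces.
    display_check = reconcile(displayed, confirmed)
    # Control 2: messaging journal vs confirmation -> agree, so the tampering
    # happened in the display layer, not in transit.
    journal_check = reconcile(journal, confirmed)
    return display_check, journal_check


if __name__ == "__main__":
    display_check, journal_check = run_example()
    print("display vs confirmation:", display_check)
    print("journal vs confirmation clean:", is_clean(journal_check))
```

The check is only as independent as its second input: a confirmation that is downloaded to, and rendered by, the same compromised workstation is not an independent source, and a reader that has been modified to hide entries would hide them from both views. The confirmation has to reach the reconciler over a channel the attacker does not control, and the comparison should be done by a process that does not depend on the viewer under suspicion.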

SWIFT advised users to “urgently review controls in their payments environments, to all their messaging, payments and ebanking channels”.

“This includes everything from employee checks to password protection to cyber defences. We recommend that customers consider third party assurance reviews and, where necessary, ask your correspondent banks and service bureaux to work with you on enhanced arrangements.”

SWIFT also urged all users “to be forthcoming when these issues occur” so that authorities can act quickly to track down the culprits.
