
Malicious insiders plotting coordinated cyber attacks against banks, says SWIFT

A Vietnamese bank was the second victim.

Banks should be ready to face a spate of well-planned cyber heists instigated by sophisticated attackers with “deep knowledge” of vulnerabilities in bank transfer systems, SWIFT said in a letter to its customers.

The letter follows reports that Vietnam’s Tien Phong Bank had almost fallen prey to hackers attempting to transfer $1.36 million to a Slovenian bank in late 2015. The incident marks the second heist of its kind, counting the high-profile attack on Bangladesh Bank in February 2016.

“Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks,” SWIFT said in the statement.

In both cases, attackers took advantage of vulnerabilities in each bank’s funds transfer initiation environment. The SWIFT network, core messaging services and software have not been compromised, the provider said.

“The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud,” SWIFT noted.

The statement added that attackers have a “deep and sophisticated” knowledge of specific operational controls within the targeted banks. This knowledge may have been gained from malicious insiders or cyber attacks, or a combination of both, SWIFT said.

Andrey Dulkin, Senior Director of Cyber Innovation, CyberArk Labs, noted that TPbank may have been targeted simply because attackers are “testing the waters”.

“This could mean exploring the process of sending fraudulent transactions and gaining insight into bank network-level operations, including lateral movement and execution on target servers, and whether the whole route, including actually getting the money, works,” he said.

This kind of attack is not unique to the SWIFT network, Dulkin added: similar attacks have been discovered in Russia, and multiple organizations around the world have been attacked in order to send money transfer commands from machines within the network to the banks that manage the organizations’ accounts.

“An attacker who hijacks legitimate credentials inside the network can send these commands by appearing to operate as a legitimate user, thereby avoiding detection. The two main hurdles for attackers to execute their strategy are acquiring credentials and expertise in banking systems. That expertise can be easily acquired through using privileged accounts to conduct reconnaissance including studying legitimate user actions, or involving someone familiar with the specific banking systems in the attack,” he said.
 
