The disclosure came as law enforcement authorities in Bangladesh
and elsewhere investigated the February cyber theft of $81 million
from the Bangladesh central bank account at the New York Federal
Reserve Bank. SWIFT has acknowledged that the scheme involved
altering SWIFT software on Bangladesh Bank's computers to hide
evidence of fraudulent transfers.

Monday's statement from SWIFT marked the first acknowledgement that
the Bangladesh Bank attack was not an isolated incident but one of
several recent criminal schemes that aimed to take advantage of the
global messaging platform used by some 11,000 financial

"SWIFT is aware of a number of recent cyber incidents in which
malicious insiders or external attackers have managed to submit
SWIFT messages from financial institutions' back-offices, PCs or
workstations connected to their local interface to the SWIFT
network," the group warned customers on Monday in a notice seen by

The warning, which SWIFT issued in a confidential alert sent over
its network, did not name any victims or disclose the value of any
losses from the previously undisclosed attacks. SWIFT confirmed to
Reuters the authenticity of the notice.

SWIFT, or the Society for Worldwide Interbank Financial
Telecommunication, is a cooperative owned by 3,000 financial

Also on Monday, SWIFT released a security update to the software
that banks use to access its network to thwart malware that security
researchers with British defense contractor BAE Systems said was
probably used by hackers in the Bangladesh Bank heist.

BAE's evidence suggested that hackers manipulated SWIFT's Alliance
Access server software, which banks use to interface with SWIFT's
messaging platform, to cover their tracks.

BAE said it could not explain how the fraudulent orders were created
and pushed through the system.

But SWIFT provided some evidence about how that happened in its note
to customers, saying that in most cases the modus operandi was

It said the attackers obtained valid credentials for operators
authorized to create and approve SWIFT messages, then submitted
fraudulent messages by impersonating those people.

FireEye, the internet security company whose Mandiant unit was hired
by Bangladesh Bank to help investigate the heist, said the same
group behind that hack had probably attacked other financial

"FireEye has observed activity in other financial services
organizations that is likely by the same threat actor behind the
cyber attack on the Bank of Bangladesh," Vivek Chudgar, Mandiant's
senior director for the Asia Pacific, said in a statement emailed to

FireEye declined to go into detail.

Rakesh Asthana, the World Informatix Cyber Security CEO, who is
overseeing Bangladesh Bank's probe into the hack, declined to
discuss the other attacks that SWIFT referred to.
He did, though, urge banks to conduct independent security
assessments to make sure their networks are secure and prevent

“SWIFT builds on security practices established by the customer
itself and therefore it is imperative that in the wake of this
attack, customers using SWIFT Alliance Access must strengthen their
cyber security posture,” Asthana said.

FOLLOWING THE MONEY
Cyber security experts said more attacks could surface as SWIFT's
banking clients look to see if their SWIFT access has been

Shane Shook, a banking security consultant who investigates large
financial crime, said hackers were turning to SWIFT and other
private financial messaging platforms because such attacks can
generate more revenue than going after consumers or small

"These hacks specifically target financial institutions because
smaller efforts result in much larger thefts," he said. "It's much
more efficient than stealing from consumers."

Justin Harvey, chief security officer with Fidelis Cybersecurity,
said hackers followed the money and would be drawn into such schemes
in hopes of emulating a big heist like the one on Bangladesh Bank.

"After the Bangladesh Bank heist became public, every other attacker
out there is looking to see if they can do the same," he said.

SWIFT spokeswoman Natasha Deteran told Reuters that the commonality
in these cases was that internal or external attackers compromised
the banks’ own environments to obtain valid operator credentials.

"Customers should do their utmost to protect against this," she said
in an email to Reuters.

SWIFT told customers that the security update must be installed by

"We have made the Alliance interface software update mandatory as it
is designed to help banks identify situations in which attackers
have attempted to hide their traces - whether these actions have
been executed manually or through malware," she said.

(Reporting by Jim Finkle in Boston; Additional reporting by Serajul
Quadir in Dhaka; Editing by Jonathan Weber, Martin Howell and Peter
Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.