SWIFT, a cooperative owned by 3,000 financial institutions,
confirmed to Reuters that it was aware of malware targeting its
client software. Its spokeswoman Natasha Deteran said SWIFT would
release on Monday a software update to thwart the malware, along
with a special warning for financial institutions to scrutinize
their security procedures.
The new developments now coming to light in the unprecedented
cyber-heist suggest that an essential lynchpin of the global
financial system could be more vulnerable than previously understood
to hacking attacks, due to the vulnerabilities that enabled
attackers to modify SWIFT’s client software.
Deteran told Reuters on Sunday that it was issuing the software
update “to assist customers in enhancing their security and to spot
inconsistencies in their local database records." She said "the
malware has no impact on SWIFT’s network or core messaging
services."
The software update and warning from Brussels-based Swift, or the
Society for Worldwide Interbank Financial Telecommunication, come
after researchers at BAE <BAES.L>, which has a large cyber-security
business, told Reuters they believe they discovered malware that the
Bangladesh Bank attackers used to manipulate SWIFT client software
known as Alliance Access.
BAE said it plans to go public on Monday with a blog post about its
findings concerning the malware, which the thieves used to cover
their tracks and delay discovery of the heist.
The cyber criminals tried to make fraudulent transfers totaling $951
million from the Bangladesh central bank's account at the Federal
Reserve Bank of New York in February.
Most of the payments were blocked, but $81 million was routed to
accounts in the Philippines and diverted to casinos there. Most of
those funds remain missing.
Investigators probing the heist had previously said the
still-unidentified hackers had broken into Bangladesh Bank computers
and taken control of credentials that were used to log into the
SWIFT system. But the BAE research shows that the SWIFT software on
the bank computers was probably compromised in order to erase records
of illicit transfers.
The SWIFT messaging platform is used by 11,000 banks and other
institutions around the world, though only some use the Alliance
Access software, Deteran said.
SWIFT may release additional updates as it learns more about the
attack in Bangladesh and other potential threats, Deteran said. It
is also reiterating a warning to banks that they should review
internal security.
“Whilst we keep all our interface products under continual review and
recommend that other vendors do the same, the key defense against
such attack scenarios is that users implement appropriate security
measures in their local environments to safeguard their systems,”
Deteran said.
Adrian Nish, BAE's head of threat intelligence, said he had never
seen such an elaborate scheme from criminal hackers.
"I can't think of a case where we have seen a criminal go to the
level of effort to customize it for the environment they were
operating in," he said. "I guess it was the realization that the
potential payoff made that effort worthwhile."
A Bangladesh Bank spokesman declined comment on BAE's findings.
A senior official with the Bangladesh Police’s Criminal
Investigation Department said that investigators had not found the
specific malware described by BAE, but that forensics experts had
not finished their probe.
Bangladesh police investigators said last week that the bank's
computer security measures were seriously deficient, lacking even
basic precautions like firewalls and relying on used, $10 switches in
its local networks.
Still, police investigators told Reuters in an interview that both
the bank and SWIFT should take the blame for the problems. "It was
their responsibility to point it out but we haven't found any
evidence that they advised before the heist," said Mohammad Shah
Alam, head of the Forensic Training Institute of the Bangladesh
police's criminal investigation department, referring to SWIFT.
THWARTING FUTURE ATTACKS
The BAE alert to be published on Monday includes some technical
indicators that the firm said it hopes banks could use to thwart
similar attacks. Those indicators include the IP address of a server
in Egypt the attackers used to monitor use of the SWIFT system by
Bangladesh Bank staff.
The malware, named evtdiag.exe, was designed to hide the hacker's
tracks by changing information on a SWIFT database at Bangladesh Bank
that tracks information about transfer requests, according to BAE.
BAE said that evtdiag.exe was likely part of a broader attack
toolkit that was installed after the attackers obtained
administrator credentials.
It is still not clear exactly how the hackers ordered the money
transfers.
Nish said that BAE found evtdiag.exe on a malware repository and had
not directly analyzed the infected servers. Such repositories
collect millions of new samples a day from researchers, businesses,
government agencies and members of the public who upload files to
see if they are recognized as malicious and help thwart future
attacks.
Nish said he was highly confident the malware was used in the attack
because it was compiled close to the date of the heist, contained
detailed information about the bank's operations and was uploaded
from Bangladesh.
While that malware was specifically written to attack Bangladesh
Bank, "the general tools, techniques and procedures used in the
attack may allow the gang to strike again," according to a draft of
the warning that BAE shared with Reuters.
The malware was designed to make a slight change to code of the
Alliance Access software installed at Bangladesh Bank, giving
attackers the ability to modify a database that logged the bank's
activity over the SWIFT network, Nish said.
Once it had established a foothold, the malware could delete records
of outgoing transfer requests altogether from the database and also
intercept incoming messages confirming transfers ordered by the
hackers, Nish said.
It was able to then manipulate account balances on logs to prevent
the heist from being discovered until after the funds had been
laundered.
It also manipulated a printer that produced hard copies of transfer
requests so that the bank would not identify the attack through
those printouts, he said.
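The defensive counterpart of the behaviour BAE describes above, added here as an illustration and not code from the article, BAE or SWIFT: an integrity check that reconciles the workstation's local transfer database (the record the malware rewrote) against an independent, append-only, hash-chained journal and against the confirmations the bank actually received. The journal design, the field names (`ref`, `beneficiary`, `amount`) and the sample transfers are all constructed assumptions of this example and do not reflect the Alliance Access data model.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first journal entry


def _digest(prev_hash, record):
    # Hash the previous link plus a canonical JSON form of the record, so
    # editing any field or re-ordering keys changes the digest.
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def build_journal(requests):
    """Append each outgoing transfer request to a hash-chained journal.

    Assumption of this example: the journal is written by a separate host
    that the messaging workstation can only append to, never rewrite."""
    journal, prev = [], GENESIS
    for rec in requests:
        entry = {"record": dict(rec), "prev": prev, "hash": _digest(prev, rec)}
        journal.append(entry)
        prev = entry["hash"]
    return journal


def verify_journal(journal):
    """True if every link still hashes correctly (no edits or deletions)."""
    prev = GENESIS
    for entry in journal:
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False
        prev = entry["hash"]
    return True


def reconcile(local_db, reported_balance, opening_balance, journal, confirmations):
    """Compare the local request database, the balance it reports and the
    confirmations received against the independent journal.

    Returns a list of (finding, detail) tuples; empty means all sources agree."""
    findings = []
    if not verify_journal(journal):
        findings.append(("journal_chain_broken", None))
    local_by_ref = {r["ref"]: r for r in local_db}
    confirmed = {c["ref"] for c in confirmations}
    expected_balance = opening_balance
    for entry in journal:
        rec = entry["record"]
        expected_balance -= rec["amount"]
        local = local_by_ref.get(rec["ref"])
        if local is None:                      # request deleted locally
            findings.append(("request_missing_from_local_db", rec["ref"]))
        elif local != rec:                     # request edited locally
            findings.append(("local_record_altered", rec["ref"]))
        if rec["ref"] not in confirmed:        # confirmation never arrived
            findings.append(("no_confirmation_received", rec["ref"]))
    journaled = {e["record"]["ref"] for e in journal}
    for ref in sorted(confirmed - journaled):  # confirmation with no request
        findings.append(("confirmation_without_request", ref))
    if reported_balance != expected_balance:   # balance restated on the logs
        findings.append(("balance_mismatch", (reported_balance, expected_balance)))
    return findings


# --- constructed sample data, not real transactions ----------------------
REQUESTS = [
    {"ref": "T1", "beneficiary": "ACME LTD", "amount": 100},
    {"ref": "T2", "beneficiary": "SHELL CO", "amount": 200},
    {"ref": "T3", "beneficiary": "WIDGETS INC", "amount": 50},
]
JOURNAL = build_journal(REQUESTS)
OPENING_BALANCE = 1000
# What a tampered workstation would present: T2 deleted from the local
# database, its confirmation suppressed, and the balance restated as if
# T2 had never been sent.
TAMPERED_LOCAL_DB = [REQUESTS[0], REQUESTS[2]]
TAMPERED_CONFIRMATIONS = [{"ref": "T1"}, {"ref": "T3"}]
TAMPERED_BALANCE = OPENING_BALANCE - 100 - 50


def demo():
    return reconcile(TAMPERED_LOCAL_DB, TAMPERED_BALANCE, OPENING_BALANCE,
                     JOURNAL, TAMPERED_CONFIRMATIONS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A deleted request, a suppressed confirmation and a restated balance each surface as a separate finding, which is the kind of inconsistency in local database records that SWIFT's update was meant to spot. The check only has value if the journal lives somewhere the messaging workstation cannot rewrite, since malware with administrator rights on that workstation can alter anything stored locally.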
(Reporting by Jim Finkle in Boston. Additional reporting by Serajul
Quadir in Dhaka; Editing by Jonathan Weber and Martin Howell)
© 2016 Thomson Reuters. All rights reserved.