The theft of $81m from Bangladesh Bank was part of a wave of scams attempting to use the SWIFT network
SWIFT, the international network used by 11,000 financial institutions around the world, confirmed it has warned that the recent theft of $81 million (£56m) from Bangladesh’s central bank was part of a wider range of criminal attacks on the network.
The message is the first acknowledgement by SWIFT that other attacks similar to the Bangladesh Bank incident have been attempted.
More SWIFT scams
In a confidential message sent to member banks on Monday, SWIFT said it was aware of other recent cases that had resulted in fraudulent messages being sent over its system.
The incidents didn’t involve any compromise of the SWIFT network itself, but rather seem to have been carried out by attackers who obtained valid credentials from financial institutions and used these to impersonate authorised individuals, SWIFT said.
While the Bangladesh Bank investigation is ongoing, the incident is likely to have followed the same pattern, according to SWIFT. In Bangladesh Bank’s case, the messages ordered the transfer of $951m from the bank’s account at the New York Federal Reserve Bank to entities in the Philippines and Sri Lanka, although all but $81m of the transfers were blocked.
“SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the SWIFT network,” the advisory stated.
The message, which has not been made public, was obtained by Reuters, which published an excerpt. SWIFT confirmed the message’s authenticity.
SWIFT also released an update to its Alliance Access client software on Monday, patching a flaw that security researchers said had allowed malware to access and alter the client’s workings.
The malware altered the SWIFT client to delete messages related to the fraudulent transactions in the Bangladesh Bank theft in order to delay their discovery by the bank, computer security researchers at BAE Systems said in a Monday advisory. The malware also deleted printed messages, BAE said.
The update is designed to help banks spot fraudulent messages that have been concealed either by malware or manually, according to SWIFT.
Banks using the Alliance software must install the update by 12 May, SWIFT said.
Experts urged banks to reassess their computer security measures in the wake of the Bangladesh Bank theft and warned that as other organisations do so, more attacks are likely to surface.
FireEye, whose Mandiant unit was hired by Bangladesh Bank to investigate the theft, said in a statement that it has already seen attacks against other financial-sector organisations that were likely to have been carried out by the group who carried out the Bangladesh theft.
In its analysis of the malware it believes was involved in the theft, BAE Systems found evidence that the attackers had sophisticated knowledge of the workings of the Alliance client and were likely to attack other institutions.
“This malware was written bespoke for attacking a specific victim infrastructure, but the general tools, techniques and procedures used in the attack may allow the gang to strike again,” BAE said in its advisory. “All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed.”
The company said it appears that “criminals are conducting more and more sophisticated attacks against victim organisations, particularly in the area of network intrusions”.
Computer security researchers have warned of an increased danger of online attacks on banks, in part driven by the possibility of large financial rewards.