
5 SWIFT Cyber Heist Investigations

Investigators Find Method Behind SWIFT Attackers' Money-Moving Madness

Since the theft of $81 million from the central bank of Bangladesh came to light in February, investigators have continued to probe similar attacks against other financial services firms, dating back to at least 2013.


The attacks involve the messaging system maintained by the Brussels-based, bank-owned cooperative SWIFT - formally known as the Society for Worldwide Interbank Financial Telecommunication - which is designed to guarantee that money-moving messages between banks are authentic. But attackers have been targeting SWIFT-using banks and attempting to inject fraudulent messages designed to move money into attacker-controlled accounts (see Bangladesh Eyes Insider Angle for SWIFT Bank Attack).

To date, based on a review of code recovered from attacks, investigators suspect that there have been at least five such incidents - and possibly a dozen or more - although it's not clear whether they're all the work of the same group:

  • Sonali Bank: This Bangladeshi bank lost $250,000 to attackers in 2013.
  • Banco del Austro: $12 million was stolen from the Ecuadorian bank in January 2015.
  • Bank in the Philippines: As yet unnamed, this bank was attacked in October 2015, security firm Symantec says.
  • TPBank: Vietnamese bank blocked the attempted theft of more than $1 million in December 2015.
  • Bangladesh Bank: The central bank of Bangladesh lost $81 million to attackers, who attempted to steal nearly $1 billion in their February heist.

Investigations remain ongoing. But in both the Bangladesh Bank attack and the failed attack against Vietnam's TPBank, the attackers conducted extensive analysis in advance, according to a May 20 blog post by Christiaan Beek, a threat intelligence researcher at Intel Security. His post includes analysis of the malware allegedly used in the Vietnamese attack, a sample of which was uploaded to the virus-scanning service VirusTotal on Dec. 22, 2015.

As South Korean malware researcher Simon Choi has charted in a useful but quite dense visual, most of the fraudulent SWIFT heists have involved moving money between a number of banks, sometimes also including money exchange services.

The left side of Choi's chart, for example, lists the hardcoded SWIFT business identifier codes for eight banks that Intel Security's Beek found in the malware used to target TPBank:

  • UOVBSGSGXXX United Overseas Bank Ltd, Singapore
  • ANZBAU3MXXX Australia and New Zealand Banking Group Ltd, Melbourne, Australia
  • BOTKJPJTXXX Bank of Tokyo-Mitsubishi UFJ Ltd, Tokyo, Japan
  • MHCBJPJTXXX Mizuho Bank Ltd, Tokyo, Japan
  • CZNBKRSEXXX Kookmin Bank, Seoul, South Korea
  • UNCRITMMXXX Unicredit S.P.A., Milan, Italy
  • ICBKVNVNXXX Industrial and Commercial Bank of China, Hanoi branch, Vietnam
  • ICBKUS33XXX Industrial and Commercial Bank of China, New York branch, United States

The malware is a Trojanized version of a Foxit PDF reader used by some of the targeted organizations. "The malware reads the SWIFT messages and checks if the sender of the message is one of the listed banks," Beek says. If there's a match, he adds, "the malware can manipulate these messages: deleting transactions, transaction history, and system logs, and prevent the printing of the fraudulent transactions."

Vitali Kremez, a cybercrime intelligence researcher at security firm Flashpoint, notes that "the presence of the [financial institutions'] BIC codes does not ... mean that they were breached." Instead, it's more likely that attackers were routing the stolen money via those banks, or using them for currency conversion.

That's further evidence of attackers' meticulous planning, which appears to have caught SWIFT - and so many SWIFT-using banks - by surprise.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.