SWIFT network says aware of multiple cyber fraud incidents

SWIFT, the global financial network that banks use to transfer billions of dollars every day, warned its customers on Monday that it was aware of "a number of recent cyber incidents" where attackers had sent fraudulent messages over its system.

>>Reuters
Published : 26 April 2016, 05:02 AM
Updated : 26 April 2016, 05:03 AM

The disclosure came as law enforcement authorities in Bangladesh and elsewhere investigated the February cyber theft of $81 million from the Bangladesh central bank account at the New York Federal Reserve Bank.

SWIFT has acknowledged that the scheme involved altering SWIFT software on Bangladesh Bank's computers to hide evidence of fraudulent transfers.

Monday's statement from SWIFT marked the first acknowledgement that the Bangladesh Bank attack was not an isolated incident but one of several recent criminal schemes that aimed to take advantage of the global messaging platform used by some 11,000 financial institutions.

"SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back-offices, PCs or workstations connected to their local interface to the SWIFT network," the group warned customers on Monday in a notice seen by Reuters.

The warning, which SWIFT issued in a confidential alert sent over its network, did not name any victims or disclose the value of any losses from the previously undisclosed attacks. SWIFT confirmed to Reuters the authenticity of the notice.

SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a cooperative owned by 3,000 financial institutions.

Also on Monday, SWIFT released a security update to the software that banks use to access its network to thwart malware that security researchers with British defence contractor BAE Systems said was probably used by hackers in the Bangladesh Bank heist.

BAE's evidence suggested that hackers manipulated SWIFT's Alliance Access server software, which banks use to interface with SWIFT's messaging platform, to cover their tracks.

BAE said it could not explain how the fraudulent orders were created and pushed through the system.

But SWIFT provided some evidence about how that happened in its note to customers, saying that in most cases the modus operandi was similar.

It said the attackers obtained valid credentials for operators authorized to create and approve SWIFT messages, then submitted fraudulent messages by impersonating those people.

Following the money

Cyber security experts said more attacks could surface as SWIFT's banking clients look to see if their SWIFT access has been compromised.

Shane Shook, a banking security consultant who investigates large financial crime, said hackers were turning to SWIFT and other private financial messaging platforms because such attacks can generate more revenue than going after consumers or small businesses.

"These hacks specifically target financial institutions because smaller efforts result in much larger thefts," he said. "It's much more efficient than stealing from consumers."

Justin Harvey, chief security officer with Fidelis Cybersecurity, said hackers followed the money and would be drawn into such schemes in hopes of emulating a big heist like the one on Bangladesh Bank.

"After the Bangladesh Bank heist became public, every other attacker out there is looking to see if they can do the same," he said.

SWIFT spokesperson Natasha Deteran told Reuters that the commonality in these cases was that internal or external attackers compromised the banks’ own environments to obtain valid operator credentials.

"Customers should do their utmost to protect against this," she said in an email to Reuters.

SWIFT told customers that the security update must be installed by May 12.

"We have made the Alliance interface software update mandatory as it is designed to help banks identify situations in which attackers have attempted to hide their traces - whether these actions have been executed manually or through malware," she said.