SWIFT Global Interbank Exchange System Warns of 2nd Attack

Cites "Wider, Highly Adaptive Campaign Targeting Banks"

Expert corner submission by:
Andrew Komarov, InfoArmor
Craig Kensek, Lastline
Brad Bussie, STEALTHbits Technologies

The Swift interbank monetary exchange system has just warned of a second cyber attack, following last month's $81 Bil loss by the Bangladesh Central Bank, in what it calls a “wider and highly adaptive campaign targeting banks.” The leading money-transfer messaging system has notified its approximately 11,000 member banks worldwide of this most recent case of hackers bypassing the system's defenses and risk controls in an attempt to transfer funds illegally.

Swift officials note: “attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks — knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both,” and said this attack potentially indicates “a wider and highly adaptive campaign targeting banks.”

Insider Indicators:

Andrew Komarov, Chief Intelligence Officer with InfoArmor, sees indications of insider involvement. "Such types of transactions almost certainly couldn’t be organized without the help from either insiders or traders very familiar with operational controls in the affected institutions. The speed and smoothness of the whole process shows that such a scheme was well prepared and the bad actors probably used very trusted contacts to organize it, and not typical ‘money mules services’ from the underground. We continue to be faced with these cases where the role of an insider can be very meaningful in large fraudulent schemes, and parts of the Asian region are especially highly susceptible because of the relatively poor due diligence of many employees."

Lastline's Craig Kensek agreed, noting: "This almost sounds as if someone who has worked in the financial industry has gone to the dark side. We may need to go to ‘n’ levels of controls, with ‘n’ being greater than two. One would think that a DLP solution would flag transfers greater than a certain amount that were being made to certain countries or to IP addresses, especially if the receiver never or relatively rarely had funds of that size transferred before. Perhaps a $20M transfer to an individual account wasn't a large enough anomaly (or wasn't an anomaly at all). The fact that the transfer was being made to a questionable locale could and probably should have resulted in a red flag being raised."

He recommends that, at a minimum, Swift immediately reexamine its processes and work with outside experts to test its critical systems and understand their vulnerabilities.

Could complacency have played a role?

"This unfortunate event is another example of a longstanding set of processes that haven't caught up with the sophistication of attackers," said Brad Bussie, Director of Product Management, STEALTHbits Technologies. "When you examine the method used to transfer the funds, you will find a human element that is still present. Initiation of transfers is still based on trust. The bank is trusting that the user/batch is who they say they are. The problem is that we seem to be missing a key mitigation strategy here: multi-factor authentication. The attack could have been thwarted with a simple process of authentication using something you have, something you know, and something you are. We need our financial institutions to ramp up security and add additional layers of authentication in several dated processes like funds transfer. Until we embrace digital fingerprints, you will never know if you can really trust the entity on the other end."

At the very least, notes Lastline's Kensek, "Swift (if they haven't already) needs to create and use a list of trusted IP addresses that larger funds can go to without 'eyes on' approvals."
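The screening rules Kensek describes above (flag large transfers to destinations outside a trusted list, to receivers with no comparable history, or to flagged locales) can be expressed as a small pre-settlement check. The following is an added illustration, not code from SWIFT, Lastline or any of the quoted firms; the account identifiers, history, threshold, multiplier and country codes are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: prior inflows (USD) observed per receiving account.
HISTORY = {
    "ACC-RECV-001": [15_000_000, 18_000_000],   # corporate account, routinely receives large sums
    "ACC-RECV-777": [1_200, 900],               # individual account, only small inflows so far
}

# Constructed allowlist: destinations that may receive large sums without an
# "eyes on" review. Hypothetical values for the example.
TRUSTED_DESTINATIONS = {"ACC-RECV-001"}

LARGE_AMOUNT = 10_000_000   # review threshold, hypothetical
HISTORY_MULTIPLIER = 10     # flag when amount dwarfs the receiver's largest prior inflow


@dataclass
class Transfer:
    receiver: str   # destination account identifier
    amount: float   # transfer amount in USD
    country: str    # destination country code (constructed placeholders below)


def screen_transfer(t, history=HISTORY, trusted=TRUSTED_DESTINATIONS,
                    high_risk_countries=frozenset()):
    """Return the reasons this transfer needs manual approval (empty list = may settle)."""
    reasons = []
    if t.country in high_risk_countries:
        reasons.append("destination country flagged for review")
    if t.amount < LARGE_AMOUNT:
        return reasons  # routine-size transfer: no further anomaly checks
    if t.receiver not in trusted:
        reasons.append("large transfer to a destination not on the trusted list")
    prior = history.get(t.receiver, [])
    if not prior or t.amount > HISTORY_MULTIPLIER * max(prior):
        reasons.append("amount far exceeds the receiver's prior inflows")
    return reasons


if __name__ == "__main__":
    # Same large amount, two receivers: one routine, one anomalous.
    for tr in (Transfer("ACC-RECV-001", 20_000_000, "AA"),
               Transfer("ACC-RECV-777", 20_000_000, "AA")):
        flags = screen_transfer(tr)
        print(tr.receiver, "->", "SETTLE" if not flags else "HOLD: " + "; ".join(flags))
```

A hold means the transfer is routed to a human approver rather than rejected outright, which is the "eyes on" step Kensek refers to.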