Network Security

SWIFT robbers swoop on Ukrainian bank

A Ukrainian bank has been hit through the SWIFT network.  The as-yet unnamed bank has suffered the fate of so many in the past few months and lost US$ 10 million (£7,459,708) through fraudulent requests made through SWIFT.

The Ukrainian branch of ISACA was called in to investigate the anonymous bank's misfortune.

According to ISACA, as with previous heists of this nature, attackers will usually use publicly available information to find out as much as possible about the bank before breaching it and spending months collecting information on its internal workings. Leveraging that knowledge, the hackers will make their money orders through the banks' SWIFT account, sending millions to far off accounts where it quickly disappears into the ether.

The first major heist of this kind fell upon the Bangladesh Central Bank which lost £56 million.

It wasn't too long before the same heist was attempted on banks in Vietnam, Ecuador and Eastern Europe. Only five such heists have been publicly disclosed but it is believed  that while many more banks have been hit, few have come forward to disclose them.

The Kyiv Post reports Ukrainian ISACA officials as saying that: “At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which hundreds of millions of dollars have been stolen hundreds of millions of dollars".

Aleksey Yankovsky, head of ISACA in Kyiv, further commented to the Post that “Banks now are not sharing such information at all and are afraid of publicity.”

Andrew Patel, senior manager of technological outreach at F-secure told SCMagazineUK.com that different countries have different breach reporting rules, "so it is possible that the full scope of this campaign is not yet known, or at least being reported."

Central to this saga has been the level of culpability SWIFT has in these heists. SWIFT have repeatedly laid the blame at the feet of individual banks, even going so far as to suggest penalties for those members whose security policies were not up to scratch.

While many of those SWIFT members have gone and pointed the finger right back at SWIFT, the system itself was not actually breached.

The robbers have repeatedly, overcome local security measures to get into the SWIFT system, not the other way around.  Furthermore, attackers found ways of hiding the records of their stolen loot, by deleting the transaction logs.

From that initial compromise, the robbers then gained access to the SWIFT international messaging network with stolen credentials and started sending money orders from the targeted bank to the robbers' own accounts.

Patel further added that, "the actors behind these attacks invested a substantial amount of time and effort into learning the system and how to attack it. I wouldn't be surprised if they acquired and set up their own SWIFT test environment in order to study the system and test their attacks. Given the effort it would take to learn this proprietary system, it's possible they have multiple different attacks up their sleeves. They're simply getting the most out of the investment they made."

While there is little to say conclusively about the identities of the attackers, the malware used to initially breach the SWIFT affiliates' local servers links the sprawling attacks. Various analyses of the heists claim that the malware used shares great similarities with that used by the Lazarus group, a purportedly North Korean APT group with its fingerprints all over the Sony Hacks of 2014.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.