Under siege from hackers looking to steal hundreds of millions from its user base, the financial messaging services provider known as SWIFT has been pressuring, cajoling and even threatening its member banks to deploy better defenses and share cyber intelligence.
With a corporate customer base that includes banks in developing countries with inferior cyber defense practices, the Belgium-based cooperative knows it can't afford to be passive. Like a protective mother, SWIFT intends to make sure that its users take their medicine – because it knows what's best for them.
SWIFT Rallies its Customer Base
Known in full as the Society for Worldwide Interbank Financial Telecommunication, SWIFT adopted its newly aggressive cybersecurity posture shortly after an infamous February 2016 cyberheist in which hackers brazenly scored $81 million by impersonating Bangladesh's central bank on the financial messaging system and then fraudulently requesting money transfers from the U.S. Federal Reserve to accounts in the Philippines and Sri Lanka.
In the months that followed, a series of similar attacks came to light, as cybercrooks prominently targeted additional banks in locations ranging from Ecuador to Vietnam. Although the SWIFT system itself was not hacked in these cases, there was a common thread: attackers abused the service provider's operations by compromising its member banks and stealing their SWIFT credentials.
This prompted SWIFT in May 2016 to launch a Customer Security Program (CSP) designed to get members to comply with recommended cybersecurity guidelines, practice two-factor authentication, and adopt updated SWIFT software featuring integrity verification and alert capabilities. The program also led to the formation of a Customer Security Intelligence team that encourages member banks to share information on threats and possible network intrusions.
SWIFT officials, for their part, appear to be cautiously optimistic that their efforts have staved off additional thefts.
“The proactive intelligence-gathering and forensic work being undertaken by our Customer Security Intelligence team, as well as customers' active use of our Indicators of Compromise (IOCs) and their deployment of our latest software updates… [and] the heightened customer vigilance and improved information flow between customers and SWIFT have all contributed to frustrating recent attack efforts,” said Stephen Gilderdale, managing director at SWIFT, and head of its Customer Security Program.
“Fortunately, a good number of recent attacks have been ultimately thwarted,” Gilderdale continued in an interview with SC Media. “In a few instances the correspondents have observed and stopped suspicious messages; in others, the attacks have been identified and the frauds ultimately prevented as a direct result of measures introduced through the CSP.”
In July 2016, SWIFT hired the UK-based defense and security company BAE Systems and the Netherlands-based cybersecurity services provider Fox-IT to support its Customer Security Intelligence Team initiative.
“As a result of this [Customer Security] Program, and potentially also in part because of the noise around… financial sector cyber risks, we have seen an uptick in the cyber defense measures being taken by the financial industry,” said Christof Geirnaert, cybersecurity specialist at Fox-IT, in an interview with SC Media. “We note that they are especially focused on determining whether they are really in control rather than just simply compliant.”
If true, then this is no small breakthrough, especially when considering the cumulative effect each successive cyberheist attempt has had on SWIFT and its customers.
“I believe that there has been an impact [on] confidence in SWIFT and their inability to take prompt and effective action to cyber-attacks,” said Patricia Hines, a corporate banking senior analyst at Celent, a research and consulting firm specializing in IT in the global financial services industry.
Moreover, “It seems likely that the original malware has been shared among other malicious actors, and without a significant change to the underlying SWIFT programming code base, that malware will continue to be effective,” Hines continued, in an interview with SC Media.
Indeed, intelligence points to multiple attack groups attempting to compromise SWIFT customers' local environments. Investigators have also turned up clues, including malware signatures, that tie the original Bangladesh central bank attack back to several entities, including the North Korea-based Lazarus advanced persistent threat group that prominently attacked Sony, a Pakistani group and a third unknown player that actually executed the heist.
An Escalating and Evolving Threat
SWIFT warned its members in a November 2016 letter that the threat against them was escalating, as attackers continued to tweak their methods, according to a Reuters report. “In recent attacks we have seen multiple adaptations of the known modus operandi, as well as different types of malware,” said Gilderdale. (One strain of malware used in the Bangladesh bank heist, dubbed Banswift, modified banking transaction records in order to cover up the attackers' tracks. Check Point Software Technologies recently recreated this technique and published its observations in a January 2017 blog post.)
“I wouldn't be surprised if the criminals had additional tools in the toolbox,” opined Doug Johnson, senior vice president, payments and cybersecurity policy, at the American Bankers Association, a Washington D.C.-based banking trade association. “But only to the extent they need to use them will they pull them out,” he added, in an interview with SC Media.
Clearly, potential victims must keep pace with the evolving threat, if not get ahead of it. However, one of SWIFT's major challenges has been that the attackers have strategically targeted banks in countries with emerging economies, where IT infrastructure and cyber hygiene are below global standards.
According to Johnson, it's normal for “cybercriminals to search for the weakest links.”
To spur improvement in this area, the cooperative has had to get tough at times. In an August 2016 letter, SWIFT mandated that all clients install the latest release of a software solution that is used for interfacing with its messaging system. Those who failed to deploy the newest version, which improved transparency as well as compliance mechanisms for security updates, risked being reported to regulators, authorities and partner banks, the cooperative warned. SWIFT has also published a set of security controls that all customers must comply with by Q2 2017.
“As SWIFT doesn't have regulatory authority over the financial institutions… in its networks, the organization walks a fine line with its member organizations” when threatening to report them, said Hines. As an alternative, Hines suggested that SWIFT change its member agreement language to stipulate that any customers that fail to meet mandated requirements will be blocked from network connectivity.
Johnson said that SWIFT's threat wasn't a necessary incentive for American banking institutions because they are already well-protected against the kind of attacks experienced by the Bangladesh bank and other targets, having experienced similar attacks in years past.
SWIFT's recommended measures, Johnson noted, are already “consistent with what our regular requirements are.” The recommendations generally boil down to “basic computer hygiene,” he added. “I think our financial institutions recognize these not as regulatory requirements as much as business imperatives.” He could not speak for financial institutions in other countries, however.
Hines agreed that SWIFT's recommendations are not unreasonable, noting that “large to mid-tier banks in advanced economies already perform periodic security audits, penetration tests, and self-assessments to ensure their facilities… meet or exceed established industry standards for detecting and preventing cybersecurity breaches.”
The Road Ahead
Generally, improved cyber policies and procedures help protect not only against external intruders but also against insider threats, which investigators believe played a role in the $81 million Bangladesh cyberheist. (Technically, $101 million was stolen, but $20 million was later recovered.) According to Reuters, local Bangladeshi authorities suspect that bank employees may have acted in a conspiracy to deliberately expose their workplace's systems to attack. Arrests are reportedly expected to take place soon.
But that does not mean the suspected masterminds engineering the attacks will be brought to justice. And even if they are, new threats are always emerging.
“I think that's always going to be a challenge,” said Johnson. “Cybersecurity is never-ending. It's something that requires eternal vigilance and complete diligence to really understand… new threats.” And how to stop them.
“Overall the majority of the organizations have a clear and strong commitment towards cybersecurity. As with every sector, there are organizations ahead of the curve and others just slightly behind,” said Geirnaert. “Generally though, the need for cybersecurity has been acknowledged for a long time already within the financial sector. Therefore, this is one of the more mature sectors in terms of cybersecurity practices and hygiene.”