After banks get hacked, what's the best way to get them to come clean and share information about their attackers' tools and techniques, to help other financial firms avoid becoming the next victim? Start by making the hacked bank an offer of expert assistance that they can't afford to refuse.
At least, that seems to be part of the impetus behind interbank messaging network SWIFT creating an internal digital forensics and customer security intelligence team, as well as contracting with cybersecurity specialists BAE Systems and Fox-IT to assist. SWIFT says the group will help hacked banks investigate intrusions and fraudulent SWIFT transfers as well as share attack-related intelligence - anonymously - with other banks (see SWIFT Deduction: Assume You've Been Hacked).
"To share attack intelligence ... SWIFT first needs more hacked banks to come clean."
The bank-owned, Brussels-based SWIFT cooperative, formally known as the Society for Worldwide Interbank Financial Telecommunication, announced the launch of the new team on July 11 as part of a customer security program unveiled by CEO Gottfried Leibbrandt in May. The program was a reaction to persistent security criticism leveled at SWIFT in the wake of the $81 million heist from Bangladesh Bank earlier this year - in which attackers used fraudulent SWIFT messages to drain funds from the bank's Federal Reserve of New York account - and several other, similar incidents involving other banks.
SWIFT says its new forensics and customer security intelligence team will gather and feed anonymized intelligence to SWIFT-using banks to help them spot and block attacks. The team will also offer assistance to any banks conducting internal investigations on attacks that appear to be related to SWIFT's products or services, in part, by conducting in-depth digital forensic investigations, backed by the two cybersecurity firms that have extensive experience in offering post-breach incident response services to hacked organizations.
The choice of BAE Systems is notable because that firm published pioneering research into the malware that was used against Bangladesh Bank. In May, digital forensic investigators at BAE Systems reported that the malware matched code used against Vietnam's TPBank in late 2015 (see 5 SWIFT Cyber Heist Investigations). Part of the malware's communication channel also matched attack infrastructure that hadn't been used - or seen - since the 2014 attack against Sony Pictures Entertainment, leading some security experts to conclude that the government of North Korea may be behind some recent SWIFT-related fraud incidents.
A SWIFT spokeswoman wasn't immediately able to confirm if SWIFT's help to its customers will come for free. Both BAE Systems and Fox-IT declined to comment further on the arrangement.
Promise: Better Intelligence
SWIFT has promised to share anonymized attack-related intelligence not just with its 11,000 bank customers, but also with relevant oversight bodies, information sharing and analysis centers as well as other digital forensic investigation firms (see Federal Reserve Watchdog Probes Banks' Cybersecurity).
To share attack intelligence, however, SWIFT first needs more hacked banks to come clean. To date, at least six banks that have confirmed or suspected SWIFT-related hack attacks have come forward, although anecdotal reports say that a dozen or more related investigations may now be ongoing. Yet some of these hack attacks have only been revealed months after the incident. That was the case for Ecuador's Banco del Austro, which lost $12.2 million after hackers accessed the bank's systems and issued fraudulent SWIFT messages. The attack occurred in January 2015 but only came to light after BDA filed a lawsuit against San Francisco-based Wells Fargo in January, accusing the bank of failing to spot the fraud or to return the full amount that was stolen. Wells Fargo, meanwhile, has fired back, saying it honored valid requests that it had received via the SWIFT messaging system (see Improving Fraud Prevention After SWIFT-Related Heists).
SWIFT has previously said that customers are responsible for securing their own IT environment and are required to report any SWIFT-related breaches to the cooperative (see Banks With Bad Cybersecurity Could Face SWIFT Justice).
But as the BDA hack demonstrates - SWIFT said it only learned of the attack in May, after Reuters first reported on the related lawsuit - not all financial services firms have been complying with those supposed requirements.
Will More Banks Come Clean?
Meanwhile, SWIFT has been continuing to urge targeted banks to come forward.
"Customer intelligence, including intelligence related to attacks that have ultimately failed, is crucial to helping us continue protecting our community. Information we have already received from impacted banks has allowed us to identify new malware and to publish related [indicators of compromise], which are helping to protect the wider community," says SWIFT CTO Craig Young in a statement. "We therefore continue to remind customers that they are obliged to inform SWIFT of such incidents as soon as possible, and to proactively share all relevant information with us so we can assist all SWIFT users."
Now SWIFT is sweetening that request with the offer of incident response assistance and information sharing. But will that be enough to entice more banks to share?