5 SWIFT Cyber Heist InvestigationsInvestigators Find Method Behind SWIFT Attackers' Money-Moving Madness
Since the theft of $81 million from the central bank of Bangladesh came to light in February, investigators have continued to probe similar attacks against other financial services firms, dating back to at least 2013.
See Also: Taking Advantage of EMV 3DS
The attacks involve the messaging system maintained by the Brussels-based, bank-owned cooperative SWIFT - formally known as the Society for Worldwide Interbank Financial Telecommunication - which is designed to guarantee that money-moving messages between banks are authentic. But attackers have been targeting SWIFT-using banks and attempting to inject fraudulent messages designed to move money into attacker-controlled accounts (see Bangladesh Eyes Insider Angle for SWIFT Bank Attack).
To date, based on a review of code recovered from attacks, investigators suspect that there have been at least five such incidents - and maybe up to at least a dozen - although it's not clear if they're all the work of the same group:
- Sonali Bank: Bangladesh bank lost $250,000 to attackers in 2013.
- Banco del Austro: $12 million was stolen from Ecuadorian bank in January 2015.
- Bank in the Philippines: As yet unnamed, this bank was attacked in October 2015, security firm Symantec says.
- TPBank: Vietnamese bank blocked the attempted theft of more than $1 million in December 2015.
- Bangladesh Bank: The central bank of Bangladesh lost $81 million to attackers, who attempted to steal nearly $1 billion in their February heist.
Investigations remain ongoing. But in both the Bangladesh Bank attack and the failed attack against Vietnam's TPBank, the attackers conducted extensive analysis in advance, according to a May 20 blog published by Christiaan Beek, a threat intelligence researcher at Intel Security, which includes analysis of the malware allegedly used in the Vietnamese attack that was uploaded to virus-scanning service VirusTotal on Dec. 22, 2015.
As South Korean malware researcher Simon Choi has charted in a useful but quite dense visual, most of the fraudulent SWIFT heists have involved moving money between a number of banks, sometimes also including money exchange services.
Overview of the SWIFT Related Hacks (updated, 31/05/2016) pic.twitter.com/BxQYN9QyT2— Simon Choi (@issuemakerslab) May 31, 2016
The left side of Choi's chart, for example, lists the hardcoded SWIFT business identifier codes for eight banks that Intel Security's Beek found in the malware used to target TPBank:
- UOVBSGSGXXX United Overseas Bank Ltd, Singapore
- ANZBAU3MXXX Australia and New Zealand Banking Group Ltd, Melbourne, Australia
- BOTKJPJTXXX Bank of Tokyo-Mitsubishi UFJ Ltd, Tokyo, Japan
- MHCBJPJTXXX Mizuho Bank Ltd, Tokyo, Japan
- CZNBKRSEXXX Kookmin Bank, Seoul, South Korea
- UNCRITMMXXX Unicredit S.P.A., Milan, Italy
- ICBKVNVNXXX Industrial and Commercial Bank of China, Hanoi branch, Vietnam
- ICBKUS33XXX Industrial and Commercial Bank of China, New York branch, United States
The malware is a Trojanized version of a Foxit PDF reader used by some of the targeted organizations. "The malware reads the SWIFT messages and checks if the sender of the message is one of the listed banks," Beek says. If there's a match, he adds, "the malware can manipulate these messages: deleting transactions, transaction history, and system logs, and prevent the printing of the fraudulent transactions."
Vitali Kremez, a cybercrime intelligence researcher at security firm Flashpoint, notes that "the presence of the [financial institutions'] BIC codes does not ... mean that they were breached." Instead, it's more likely that attackers were routing the stolen money via those banks, or using them for currency conversion.
That's further evidence of attackers' meticulous planning, which appears to have caught SWIFT - and so many SWIFT-using banks - by surprise.