Report: Attackers Hacked Nepalese Bank's SWIFT Server
$4.4 Million Moved to Accounts in US, UK and Japan via Fraudulent SWIFT Messages
One of Nepal's largest private-sector commercial banks last month suffered a hack attack that led to attackers issuing fraudulent money transfers via the SWIFT interbank messaging service.
NIC Asia Bank, based in Kathmandu, said attackers initiated $4.4 million in fraudulent money transfers from its accounts to accounts in six other countries, including the United States, the United Kingdom, Japan and Singapore, the Himalayan News Service reported Sunday.
But immediately after spotting the suspicious transactions, NIC Asia Bank informed Nepal's central bank, Nepal Rastra Bank, and NRB was able to recover $3.9 million, although $580,000 had already been released to overseas bank accountholders, the news service reports.
Neither NIC Asia Bank nor the NRB immediately responded to a request for comment on the bank heist and investigation.
But the attackers reportedly struck the bank during Tihar - aka Deepawali or Diwali - a five-day Hindu festival and one of Nepal's biggest holidays. This year, it ran from Oct. 17 to Oct. 21.
The hack attack reportedly targeted NIC Asia Bank's nostro accounts at Standard Chartered New York and Mashreq Bank New York. Banks hold nostro accounts at another bank, in a foreign currency, to facilitate foreign exchange transactions and trades.
After the suspicious transactions were discovered, NIC Asia Bank commissioned KPMG India to conduct a digital forensic review, which it has shared with both NRB and Nepal Police's Central Investigation Bureau, the Himalayan News Service reports. But the investigation reportedly failed to conclude whether the theft was the work of an outside attacker or an insider.
"CIB has started investigating how the server was hacked," Pushkar Karki, deputy inspector general of Nepal Police and chief of CIB, tells the news service. "Our investigation will reveal whether or not the bank had adopted proper safeguards and which party was involved in the hacking."
More than 11,000 financial institutions across 200 countries and territories use the interbank messaging system from the Brussels-based SWIFT cooperative to transfer funds internationally and domestically, moving billions of dollars per day.
A spokesman for SWIFT, formally known as the Society for Worldwide Interbank Financial Telecommunication, declined to comment on this particular breach.
"SWIFT does not comment on individual entities," the spokesman tells Information Security Media Group. "When a case of potential fraud is reported to us, we offer our assistance to the affected user to help secure its environment. We subsequently share relevant information on an anonymized basis with the community. This preserves confidentiality, whilst assisting other SWIFT users to take appropriate measures to protect themselves. We have no indication that our network and core messaging services have been compromised."
Last month's NIC Asia Bank hack attack followed the theft of $60 million from Far Eastern International Bank in Taiwan via fraudulent SWIFT money-moving messages earlier the same month. The bank reportedly detected the suspicious transactions and was able to recover most of the stolen funds, with only $500,000 remaining outstanding (see Report: Malware-Wielding Hackers Hit Taiwanese Bank).
Alert From Nepal's Central Bank
News of the NIC Asia Bank breach first surfaced last month after Nepal Rastra Bank issued an alert to foreign banks asking them to block the fraudulent transfer requests.
"It has been found that transactions of NIC Asia Bank have been carried out from various banks in six countries by hackers using SWIFT, an international banking network," Rajendra Pandit, an NRB spokesman, last month told the Press Trust of India news agency.
"We have already requested the central banks in those countries to stop processing payments to the parties requested by the hackers," Pandit said. "Even payments which have already been made are likely to be retrieved."
Investigation: SWIFT System Misused
Last month, Roshan Kumar Neupane, deputy CEO at NIC Asia Bank, told PTI news agency that the bank took its SWIFT server offline immediately after spotting the suspicious transactions. "We have decided to take down our server for the SWIFT system after suspecting an intrusion into the system, which is completely different from our core banking system where client information and bank balances are maintained," he said. "The financial losses have not been as damaging [or] as feared as the balances in such accounts are very low."
An investigation into the heist launched by Nepal's central bank found that six staffers in NIC Asia Bank's SWIFT department had used a computer that was meant to be used only for SWIFT transactions for other purposes as well, Himalayan News Service reports. It adds that all six employees have since been transferred to other departments.
Follows Bangladesh Bank Heist
The NIC Asia Bank heist follows the February 2016 theft of $81 million from the central bank of Bangladesh's Federal Reserve of New York account. In that incident, attackers installed malware on the bank's computers, which allowed them to subvert SWIFT's client software and inject $951 million in fraudulent money-moving requests into the SWIFT interbank messaging network. Thankfully for the bank, however, typos by the attackers led to most of the requests not being honored, and some others were rolled back.
Following the Bangladesh Bank heist, however, other financial services firms revealed similar attack attempts, some predating the Bangladesh Bank heist and some of which were successful. The revelations triggered a public relations disaster for SWIFT, which began revising its approach to securing the use of its software as well as sharing threat intelligence (see Security Investments Consume SWIFT's Profits).
Multiple security experts and reportedly also the U.S. Justice Department have blamed at least the Bangladesh Bank heist on hackers tied to North Korea.
This story has been updated with comment from SWIFT.