Bank security is getting better, but the robbers’ tools and masks are also improving
SWIFT, the interbank messaging network that carries payment orders between financial institutions, has been the target of yet another hacking attempt, according to security firm Symantec. The best-known earlier case targeted Bangladesh Bank, where hackers got away with $81 million.
This time the hackers used a Trojan horse dubbed “Odinaff.” Symantec has tied it to intrusions at its own customers. The malware gives the attackers a foothold on a bank’s computers, from which they can reach that bank’s SWIFT connection and then use, “malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions,” rather than attacking SWIFT’s own systems directly.
Since 2015, dozens of banks worldwide have lost hundreds of millions of dollars to such cyber attacks. While it is plausible that some of these were made possible with insider help, outsiders are coordinating the lion’s share using purpose-built malware. Most of these tools enter via spear-phishing campaigns against bank employees, who inadvertently infect their employer’s systems when they open malicious attachments or documents.
Once inside, the malware can submit fraudulent payment orders from the bank’s own SWIFT interface, so that SWIFT relays them without raising any red flags, and can tamper with the local records that would otherwise reveal them. In short, the hacks themselves are not on SWIFT: they are on the banks’ own systems, which, once penetrated, let the hackers use the network as the bank would and bury the evidence of their presence.
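One practical counter to the record-hiding described above is to reconcile the bank’s local log of outbound payment messages against confirmations that come back from outside the compromised system (for example the correspondent bank’s debit advice or account statement): malware that deletes or rewrites records on the sending bank’s interface cannot rewrite the correspondent’s copy. The following is an added example, not code from the article, Symantec or SWIFT; the record layout, field names and sample payments are simplified assumptions constructed for illustration.

```python
"""Reconcile a bank's own record of outbound SWIFT payment messages with the
confirmations returned by its correspondent, to surface messages that were
hidden or altered locally. Added example; formats are simplified assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str           # transaction reference (assumed to play the role of field 20)
    amount_cents: int  # amounts kept as integer cents to avoid float rounding
    currency: str
    beneficiary: str


# Constructed sample: what the bank's SWIFT interface shows after the intrusion.
LOCAL = [
    Payment("TX-1", 100_000_000, "USD", "Acme Exports Ltd"),
    Payment("TX-2", 25_000_000, "USD", "Global Trading Co"),
]

# Constructed sample: what the correspondent actually debited from the nostro account.
CONFIRMED = [
    Payment("TX-1", 100_000_000, "USD", "Acme Exports Ltd"),
    Payment("TX-2", 25_000_000, "USD", "Unlisted Holdings"),        # beneficiary rewritten locally
    Payment("TX-3", 2_000_000_000, "USD", "Unlisted Holdings"),     # record deleted locally
]


def reconcile(local, confirmed):
    """Return (hidden, altered): payments the correspondent confirmed that are
    absent from the local record, and payments whose local copy differs from the
    confirmed one. Either finding means the local record can no longer be trusted."""
    by_ref = {p.ref: p for p in local}
    hidden, altered = [], []
    for p in confirmed:
        mine = by_ref.get(p.ref)
        if mine is None:
            hidden.append(p)
        elif mine != p:          # frozen dataclass: compares every field
            altered.append((mine, p))
    return hidden, altered


def report(local, confirmed):
    """Human-readable summary of discrepancies; empty list means the records agree."""
    hidden, altered = reconcile(local, confirmed)
    lines = [f"HIDDEN  {p.ref}: {p.amount_cents / 100:,.2f} {p.currency} to {p.beneficiary}" for p in hidden]
    lines += [f"ALTERED {m.ref}: local '{m.beneficiary}' vs confirmed '{c.beneficiary}'" for m, c in altered]
    return lines


if __name__ == "__main__":
    for line in report(LOCAL, CONFIRMED):
        print(line)
```

The check only works if the confirmations are obtained over a path the attacker does not control, such as a separate reporting channel or an out-of-band statement, rather than through the same interface that was compromised.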
Need for coordinated responses
The worst victim of this sort of hack to date is Bangladesh Bank, where hackers using backdoor Trojans got away with $81 million before security experts caught on and blocked further requests worth an additional $870 million. The bank had previously been subjected to a similar, but much smaller, cyber attack in 2013. To date, about half of the money has been recovered.
Red flags were raised at Bangladesh Bank and at the other institutions involved, including – incredibly – a simple typo in one of the fraudulent payment orders. But it seems that communications between the banks broke down along the way, as they did not initially act on one another’s concerns fast enough to stop the thefts.
Reuters had noted that lack of trust among the major banks which sit on the consortium’s board has hindered the cyber security response. And SWIFT has stated in the past, “It is the responsibility of the banks [to ensure] there is nothing wrong going on in their part of the chain.”
Suspicion over the Bangladesh Bank episode has fallen on Filipino and Chinese businessmen who may have used casinos to launder the money, as well as on North Korea. The similarities that Symantec found between the malware used in the Bangladesh Bank hack and that used in the 2014 Sony data breach strongly suggest such a link.
This most recent assault on SWIFT users is not believed to have any ties to a nation-state, though, and may be instead connected to the Carbanak cyber criminal collective that operates throughout Russia and Eastern Europe.
It is not clear whether the malware used in the Bangladesh Bank attack was actually built by a North Korean organization, or by a third party that is, at a minimum, willing to work for the communist regime. What is known is that the malware makers known as the Lazarus group built these tools, and that they have turned up in multiple attacks that suggest North Korean interests are in play, as well as in incidents where the picture is less clear.
Whether Lazarus is just a proxy of the North Korean regime or its own master, it continues to make its wares available to interested parties, one of which is North Korea and another the group (or groups) that have been going after SWIFT users. There is a lucrative market for these tools, sought by government spies and white-collar criminals alike.
North Korea’s motives for hacking into banks would fall into both categories: to undermine the economies of its enemies and to rake in money for the state.
One of the best counters, alongside universal security standards for the local interfaces that connect to SWIFT and stronger authentication, is to put programs in place that identify suspicious transfers before they leave the bank. According to EasySolutions, behavioral analysis helps deter fraud by, “Determining characteristics such as the day of the month on which transfers are usually sent from individual accounts would have allowed alerts to be sent to bank agents so they could look into the details more carefully.”
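The kind of behavioral check the quote describes can be implemented by building a per-account baseline from historical transfers and scoring each new payment order against it. The following is an added example, not code from the article or from EasySolutions; it generalizes the day-of-month idea to three features (day of month, beneficiary, amount), and the account names, dates and amounts are constructed sample data.

```python
"""Per-account behavioral baseline for outbound transfers, flagging orders that
deviate from an account's normal pattern. Added example with constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    account: str
    when: date
    amount_cents: int
    beneficiary: str


# Constructed history: one operational account that pays the same beneficiary
# around the 15th and 28th of each month for roughly the same amount.
HISTORY = [
    Transfer("OPS-1", date(2016, 1, 15), 5_000_000, "Payroll Services Ltd"),
    Transfer("OPS-1", date(2016, 2, 15), 5_100_000, "Payroll Services Ltd"),
    Transfer("OPS-1", date(2016, 3, 15), 4_950_000, "Payroll Services Ltd"),
    Transfer("OPS-1", date(2016, 1, 28), 5_050_000, "Payroll Services Ltd"),
    Transfer("OPS-1", date(2016, 3, 28), 5_020_000, "Payroll Services Ltd"),
]

# Constructed candidates: one routine payment, one that breaks every habit,
# and one from an account with no history at all.
CANDIDATES = [
    Transfer("OPS-1", date(2016, 4, 15), 5_030_000, "Payroll Services Ltd"),
    Transfer("OPS-1", date(2016, 4, 4), 20_000_000, "Unlisted Holdings"),
    Transfer("OPS-9", date(2016, 4, 4), 1_000_000, "Payroll Services Ltd"),
]


def build_profile(history):
    """Baseline per account: days of month used, known beneficiaries, amounts seen."""
    prof = defaultdict(lambda: {"days": set(), "beneficiaries": set(), "amounts": []})
    for t in history:
        p = prof[t.account]
        p["days"].add(t.when.day)
        p["beneficiaries"].add(t.beneficiary)
        p["amounts"].append(t.amount_cents)
    return dict(prof)


def score(transfer, profile, sigma=3.0):
    """Return the list of reasons a transfer deviates from its account's baseline.
    An empty list means it looks routine. Amount outliers use a simple
    mean + sigma * stdev rule (assumed threshold; tune to real data)."""
    p = profile.get(transfer.account)
    if p is None:
        return ["no history for account"]
    reasons = []
    if transfer.when.day not in p["days"]:
        reasons.append(f"day {transfer.when.day} never used by this account")
    if transfer.beneficiary not in p["beneficiaries"]:
        reasons.append(f"new beneficiary '{transfer.beneficiary}'")
    mu, sd = mean(p["amounts"]), pstdev(p["amounts"])
    if transfer.amount_cents > mu + sigma * sd:
        reasons.append(f"amount {transfer.amount_cents / 100:,.2f} far above usual {mu / 100:,.2f}")
    return reasons


def flag(transfers, profile):
    """Pairs of (transfer, reasons) for every transfer that should be held for review."""
    return [(t, r) for t in transfers if (r := score(t, profile))]


PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    for t, reasons in flag(CANDIDATES, PROFILE):
        print(f"HOLD {t.account} {t.when} {t.amount_cents / 100:,.2f} -> {t.beneficiary}: {'; '.join(reasons)}")
```

In practice the alert would route the held order to a human approver rather than silently blocking it, and the baseline itself must be protected from the same malware that hides records, since an attacker who can rewrite the history can also teach the model that the fraudulent pattern is normal.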