Security researchers at British defense contractor BAE Systems say that the cyber attackers probably used the SWIFT financial platform in order to steal $81 million from the Bangladesh central bank.
SWIFT lies at the heart of the global financial system and is owned by 3,000 financial institutions. The platform said that it was aware of hackers trying to get into its client software using malware, according to Reuters.
Spokeswoman says SWIFT will update software
SWIFT spokeswoman Natasha Deteran said that the company would release a software update designed to counteract the malware. Deteran said that financial institutions would be asked to take special security measures.
It is thought that the huge Bangladesh cyber-heist has revealed previously undetected weaknesses in the SWIFT system.
Deteran told Reuters on Sunday that the software update was designed “to assist customers in enhancing their security and to spot inconsistencies in their local database records.” She said “the malware has no impact on SWIFT’s network or core messaging services.”
SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, issued the update after BAE Systems researchers say they found malware used to change SWIFT client software. The researchers are due to publish a blog post on the matter, saying that the malware covered up evidence of the heist.
Audacious cyber-heist routed money to the Philippines
The hackers made transfers for a total of $951 million from the Bangladesh central bank, however most of them were blocked. The $81 million that was stolen was sent to accounts in the Philippines, where it was then diverted to casinos. Most of the money is still missing.
While 11,000 banks and financial institutions use the SWIFT messaging platform, only some use the client software known as Alliance Access.
“Whist we keep all our interface products under continual review and recommend that other vendors do the same, the key defense against such attack scenarios is that users implement appropriate security measures in their local environments horse-guard their systems,” Deteran said.
Security researchers note complicated scheme
Adrian Nish, BAE’s head of threat intelligence, was surprised by the sophistication of the scheme.
“I can’t think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in,” he said. “I guess it was the realization that the potential payoff made that effort worthwhile.”
Investigators have found that security measures at the Bangladesh central bank were sorely lacking, with systems unprotected by even basic measures such as firewalls. Now BAE says that it will release information that it hopes will help other banks avoid similar attacks.
The malware has been identified as evtdiag.exe, and was written specifically to attack Bangladesh Bank, according to BAE. However “the general tools, techniques and procedures used in the attack may allow the gang to strike again,” according to a draft of the warning seen by Reuters.
Hackers were able to use the malware to make a change to the code of the Access Alliance software on computers at Bangladesh Bank. In doing so they were able to modify the database which logged SWIFT transfers made by the bank.
Once it was inside the system the malware was able to delete outgoing transfer requests and prevent messages about the transfers reaching bank staff. The malware was also used to provide false figures for account balances, meaning that the heist went undiscovered until the stolen money had been laundered.
The hackers also managed to modify a printer that produced physical transfer requests in order to prevent the heist from being discovered.