Bankers drew a deep breath this morning after it was revealed that the hackers who nicked $81 million from the Bangladesh central bank probably hacked into software from the SWIFT financial platform that is at the heart of the global financial system.
Insecurity experts at BAE Systems had a look at the malware, which the thieves used to cover their tracks and delay discovery of the heist. The cyber criminals tried to make fraudulent transfers totaling $951 million from the Bangladesh central bank’s account at the Federal Reserve Bank of New York in February.
Most of the payments were blocked, but $81 million was routed to accounts in the Philippines and diverted to casinos there. Most of those funds remain missing.
SWIFT, a cooperative owned by 3,000 financial institutions has admitted that it is aware of malware targeting its client software. SWIFT, swiftly said it would release a software update to thwart the malware, along with a special warning for financial institutions to scrutinise their security procedures with some extra scrut.
BAE believe they discovered malware that the Bangladesh Bank attackers used to manipulate SWIFT client software known as Alliance Access.
Investigators probing the heist had previously said the still-unidentified hackers had broken into Bangladesh Bank computers and taken control of credentials that were used to log into the SWIFT system. But the BAE research shows that the SWIFT software on the bank computers was probably compromised in order to erase records of illicit transfers.
Swift claims the malware had no impact on SWIFT’s network or core messaging services.
The SWIFT messaging platform is used by 11,000 banks and other institutions around the world, though only some use the Alliance Access software, Deteran said.
SWIFT may release additional updates as it learns more about the attack in Bangladesh and other potential threats, Deteran said.
Adrian Nish, BAE’s head of threat intelligence, said he had never seen such an elaborate scheme from criminal hackers.
“I can’t think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in,” he said. “I guess it was the realization that the potential payoff made that effort worthwhile.”
A senior official with the Bangladesh Police’s Criminal Investigation Department said that investigators had not found the specific malware described by BAE, but that forensics experts had not finished their probe.
Bangladesh police investigators said last week that the bank’s computer security measures were seriously deficient, lacking even basic precautions like firewalls and relying on used, $10 switches in its local networks.
Still, police investigators told Reuters in an interview that both the bank and SWIFT should take the blame for the problems.
“It was their responsibility to point it out but we haven’t found any evidence that they advised before the heist,” said Mohammad Shah Alamo, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department, referring to SWIFT.