In news that will send a shiver down the spines of banking regulators worldwide, bank-owned messaging network Swift is warning members that a second bank has fallen victim to the same kind of malware-based attack that led to an $81 million loss at the Bangladesh Central Bank.
In a letter sent to member banks this morning, and reviewed by the New York Times, Swift warned that the latest attack bore numerous similarities to the $81 million heist suffered by the Central Bank of Bangladesh and was very likely part of a “wider and highly adaptive campaign targeting banks”.
“The attackers clearly exhibit a deep and sophisticated knowledge of specific operation controls within the targeted banks — knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both,” Swift said in its warning, which is expected to be posted on a secure part of its website on Friday.
Police investigating the attack in Bangladesh said the central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 routers to network computers connected to the Swift payment network.
Researchers at BAE Systems claim that after gaining administrative rights at Bangladesh Bank, the hackers installed a piece of malware named evtdiag.exe. It shielded the attackers by altering the records of transfer requests made via Swift in the client interface the bank used to track those requests.
The malware not only buried the fraudulent transactions but also intercepted Swift confirmation codes sent for printing and replaced the bogus transactional data with innocuous doctored copies of the messages.
The latest bank to fall victim to the attackers is understood to have used a PDF reader to confirm that payments had been made, suggesting a higher level of sophistication than had been evident in the Bangladesh bank hack. Swift says the thieves obtained a valid Swift credential that allowed them to “create, approve and submit” messages on the network. Those messages — sent from PCs in the bank’s back offices or from laptops — were then used to move money from one of the bank’s accounts.
Swift has declined to name the bank involved or the amount of money that was stolen.
The latest incident once again turns the spotlight on the security of the network used by banks to transfer billions of dollars in transactions daily.
Swift has reiterated its stance that the core network remains secure, pointing instead to internal deficiencies and security lapses at the member banks connecting to the network.
“Your first priority should be to ensure that you have all the preventative and detective measures in place to secure your own environment,” Swift said in its latest message. “This latest evidence adds further urgency to your work.”