Where there’s money, you will find criminals, and the SWIFT network is often a target for those who want to get rich quick. There are thus few crimes that have such a high financial reward, and for such little chance of being caught. While SWIFT has provided a way for us to integrate our banking infrastructure over the world, it has been an increasing targeted hacks, and a recent one on 13 August 2018 focused on the core SWIFT/ATM infrastructure of the Cosmos Bank. In the end, it is thought that $13.5 million was taken.
The researchers at Securonix have now identfied that the attack that was built with a layer approach(a progressive attack) and they pinpointed North Korean hackers (possibly from the Lazarus Group). In investigating the crime, they found that the hackers breached an ATM switch within the SWIFT network and then created two routes which allowed the money to be siphoned off.
It is thought that it involved either a spear phishing attack or an attack against a remote administration service. This allowed the attackers to gain a foothold on the network, and go further. After this, it is thought that the attackers used ATM test software to set up a malicious proxy switch. This created a fake ATM switch which ran in parallel with the bank’s ATM infrastructure, and which then sent fake transactions into the network.
An ATM switch should send an ISO 8583 message to the back-end infrastructure, but this was never received. The fake transactions are then not sent to the back-end infrastructure for checking and sent to a shadow server which authorises the transactions. The transactions included: 2,800 domestic transactions (Rupay) and 12,000 Visa transactions using 450 cloned debit cards, along with another $2 million for a SWIFT inter-banking transfer. This hack is by far more serious than the usage of malware installed on ATM machines, as it attacks the core of a bank’s ATM infrastructure.
The SWIFT Network
The headquarters of SWIFT is in Belgium, and it supports a global network (SWIFTNet) of over 9,000 financial organisations in order to transfer of funds between banks using Business Identifier Codes (BICs), which are also known as “SWIFT codes”. At present there are around 15 million messages per day, and where the network does not hold any of the account details of its members, nor does it clear the transaction. For this it sends payment orders which are then settled by the target of the transaction. Any company which uses the SWIFT network must have a business relationship with an associated member.
The BIC value uniquely identifies the name and country of the bank — and possibly the branch. It was either 8 or 11 characters long. The Bank of Ireland’s BIC has an eight character code which is BOFIIE2D: BOFI (4 digit code for the bank); IE (Ireland ISO Code); and E2 — Location Code. We can also add a three-digit branch code to the end.
A recent hack involved three “fraudulent remittances” and which were sent to accounts in Dubai, Turkey and China. These included remittances of $1million, $372,150 and $500,000 and sent through Standard Chartered Bank accounts. The $500,000 and $372,150 remittance payments have since been blocked. This comes on the back of the same bank being involved in a suspected $1.7 billion fraud using unauthorized loans to bank employees.
There have been a number of previous hacks of the SWIFT network, including:
- In February 2016, $81 million had been stolen from the Bangladesh central bank, and that there were a number of other recent incidents.
- Last year, Wells Fargo transferred $12 million from Banco del Austro in Ecuador but it is now believed that these funds have been stolen by hackers.
- A week ago, Tien Phong Bank, a Vietnamese lender, outlined that it stopped a theft of over $1 million on the Swift network.
There are allegations from both sides that the other is to blame, with weak security being pinpointed at the Bangladesh Bank, and where it was stated that engineers left several security holes with its connection from the real-time gross settlement (RTGS) system into Swift network.
UK and US order reviews
Overall SWIFT is a global financial network which involves the transfer of billions of dollars of currency each day and which is co-operative that is owned by 3,000 financial institutions. Carolyn Maloney, a Representative in Congress, wrote to the top banking regulators to request measures to strengthen the security of the network. The level of sophistication shown in the recent attacks shows that there is increasing investment and skill used to compromise the infrastructure. Her focus is related to stolen Swift credentials.
In the UK, the Bank of England has ordered UK banks to test their cyber security in order to reduce the exposure to the Swift hack. This includes completing an Indicators of Compromise review that has been created by BAE Systems after had investigated other attacks. Keys aspect are to review and check the users who can access the network.
The announcement around the Bangladesh bank hack said that there had been a number of fraudulent messages, as the hack involved modifying Swift’s software on back office computers within the Bangladesh central bank, in order to hide the transaction.
It is thought that the intruders obtained valid operator credentials using a “spoofed” ID, and which can create and approve Swift messages. They then submitted fraudulent messages based on the identity of those they are spoofing.
Only as strong as the weakest link
Swift connects 11,000 banks across the world and carries more than 25.8 million messages per day, with around half of these being money transfers. BAE reported that they have found malware that could have been used for the Bangladesh Bank in an online malware repository. It is reported that intruders setup a transfer of $951 million from Bangladesh’s central bank holding at the New York Federal Reserve to the Philippines and Sri Lanka.
The transfer to the Philippines (for $81 million) was successfully transferred, and to two Chinese businessmen (but it is thought that these were spoofed), after which it took a convoluted path through casinos and its path has been lost. The Sri Lanka one, though, failed, and a $20 million transfer was stopped due to a typo in the message (using “fandation” rather than “foundation” for the Sri Lankan organisation involved).
The weak point seems to be related to the IT equipment used in the Bangladesh Bank, which included second-hand network switches and where the Swift servers were not isolated from the external network by a firewall. The malware was used to search for Swift messages and extract addresses and transfer references. It is likely they then spoofed their authentication onto the Swift network and generated valid transfer messages, along with disabling the print-outs of the transactions to the printer in the bank.
You might dismiss the $13.5 million hack of the Cosmos Bank as “just another SWIFT hack”, but it’s NOT! The SWIFT network has grown rather large over the years and now spans over 11,000 banks. Unfortunately, this makes it difficult to secure, and the authentication infrastructure is often weak, and where the core security is applied to the outer shell of the infrastructure (rather than embedded into the cryptography applied to the transactions).
It puts our financial stability at risk. We now are faced with serious risks to our financial infrastructure, and something needs to change soon, otherwise we risk large-scale damage to the financial infrastructure of countries (and possibly to the world). In a matter of an hour, hackers can make 10s of millions of dollars.
There are few other crimes which can net this much money for so little opportunity of being caught. We need a better financial transaction infrastructure, and one where cryptography is applied in the correct way.
If we continue with the SWIFT/ATM infrastructure in its current state, we risk a massive compromise and a possible collapse of trust, with major banks collapsing.