The Hackers Behind Bangladesh’s Big Bank Heist Are Back In Action


It seems Bangladesh was just the start of things for the cyberthieves who managed one of the larger smash-and-grabs in cybercrime history. According to the Financial Times, that criminal group is now targeting other FIs.

SWIFT — the international interbank cooperative system with 11,000 global banks on its clients list — noted on Tuesday (April 26) that all customers using the Alliance Access interface software were required to install a mandatory upgrade after attackers “successfully compromised the banks’ own environments” in order to send fraudulent messages.

FireEye — the cybersecurity outfit investigating the $81 million breach — further reported it has “observed activity in other financial services organizations that is likely by the same threat actor behind the cyberattack on Bangladesh Bank.”

That statement from FireEye has been taken as effectively a warning of a criminal “campaign” against banks, particularly in light of the fact that SWIFT has already revealed that the hack was made possible by a piece of malware designed purely to mask fraudulent transactions in the interbank network.

The SWIFT global messaging network is used by FIs worldwide to send payment instructions and has become a vital part of the global financial architecture.

“Central banks have been looking at cybercrime — first at their banking sector and more recently with regard to their own websites,” said Nick Carver, publisher of Central Banking Publications. “But real-time gross settlement systems and SWIFT are in a different league. You are not just talking about big money but the money. SWIFT is the nervous system of international payments. So, central banks will be very concerned by these findings.”

SWIFT processes 25 million messages a day, worth billions of dollars. The entity did note that it was aware of the malware created to prevent detection of fraudulent payments on local systems but added that it had “no impact on SWIFT’s network of core messaging services.”

But SWIFT did provide customers with a mandatory software update, accompanied by warnings in a confidential alert of “a number of recent cyberincidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions’ back offices, PCs or workstations connected to their local interface to the SWIFT network.”

The full account of how the cyberthieves executed the attack on Bangladesh Bank has yet to emerge from police and private investigators.

The Bangladesh hack was aided by poor security at the bank. Police investigators have recently found that the central bank did not use a firewall and had linked its computers to the SWIFT system using $10 switches that were purchased secondhand.

However, some security experts don’t think that actually matters much, since firewalls are designed to stop connections coming in rather than connections going out.

“For advanced attackers, those things are just speed bumps anyway.”