
Billion dollar injection: banks' worst nightmares



For many years, cyber criminals have focused their attention on money, and therefore primarily on financial systems. For more than ten years they concentrated on the weakest link in that chain: the end user of online banking services. This approach has several advantages for the attacker: the end user's security is fairly weak, the theft of a small sum may go unnoticed for some time, and so on. But it also has drawbacks: the attackers must find (and infect) victims who use one of the targeted banks, use tools that evade antivirus programs, and so on.

In other words, criminals can make a lot of money this way, but only with considerable effort.

So where is the big money? In the financial institutions themselves; there is nowhere else. But getting in is quite difficult, and understanding how their specific internal systems work well enough to compromise them completely, take the money and leave without a trace is harder still. All of this requires a large investment to gather the information needed for such a robbery. Such an attack is very hard to carry out, and careful planning may take not months but years. Still, it is worth it if the prize is a billion dollars stolen at once.

But that is exactly what happened in February at the Central Bank of Bangladesh, where the attackers infected the bank's systems with malware designed specifically for this attack. They then attempted fraudulent transfers totalling 951 million US dollars from the Central Bank of Bangladesh's account at the Federal Reserve Bank of New York. Fortunately, most of these operations were blocked, so "only" $81 million was stolen. And this is not the only case.

Tien Phong Bank in Vietnam faced a similar attack in the last quarter of 2015. There too the criminals tried to make transfers via SWIFT, although the bank noticed that something was wrong and stopped a transfer of $1 million that was in progress.

And in January 2015, Banco del Austro (Ecuador) was in a very similar situation; about 9 million US dollars were stolen.



What do these three cases have in common? Malware was used to carry out the attack, and all the money was moved through the SWIFT network. SWIFT (Society for Worldwide Interbank Financial Telecommunication) offers a number of services, one of which is the secure transfer of funds between banks, processed over the SWIFT network.

The biggest concern is that the SWIFT network, which is considered secure, might itself be compromised. If that happened, the entire financial system would be at risk. But it appears this did not happen in these cases: SWIFT published a press release which states clearly that "the SWIFT network, the main messaging services and software have not been compromised."

However, it depends on the angle from which you look at it: cyber criminals successfully used the SWIFT network to commit these thefts. And they used the same approach described at the beginning of this article: aim at the weakest link in the chain.

SWIFT provides a secure environment, but ultimately each financial institution communicates with the SWIFT network from its own internal systems. Just as attackers targeted the end user with banking Trojans, now, instead of hitting the SWIFT network itself, they attack the banks connected to it. So although the SWIFT network as a whole is still safe, there are potentially thousands of weak points: one for every financial organisation connected to it.

How were these attacks performed?

So far many details remain unclear, and for some of them the truth will never be established; the criminals covered their tracks well. In fact, the main purpose of one of the malicious programs used in the robbery was to hide all traces. But one thing we know for sure: purpose-built malware was used. How did it get into the system? There are two options: help from a bank employee, or an external attack over the Internet. Both look plausible, especially after we learned that the security infrastructure at the Central Bank of Bangladesh was clearly not of the highest standard.

Looking deeper into the Bangladesh incident, one notes the very complex nature of the attack on the country's central bank. At the same time, the way the malware is structured (it uses an external configuration file, which would not be needed if the attack were planned to be carried out only once) tells us that we will see new victims. These attackers can move on to other banks whose security models have flaws or weaknesses, such as a lack of in-depth monitoring of which software is launched on their networks. The information we have on the other attacks so far only confirms this hypothesis.

In its communications with users, SWIFT tells all banks that their priority should be to deploy and use every tool and measure available to detect and prevent attacks and to keep their environments secure.

How can that be done? Is there anything that will completely prevent the next robbery?

Criminals will keep trying, and sometimes they will succeed. In any case, we know what they want (money) and which computers they will aim at (those connected to the SWIFT network). Access to the SWIFT network is very limited: it is possible only from certain computers, and only certain users are allowed to use them. So these computers must be very well protected, and that means more than just timely software updates and an anti-malware solution.



Of course, a person with physical access to such a computer can at some point disable any security solution, but that in itself is not a problem if the event generates a notification in the console used by the security team. Is there any better indicator of compromise than someone tampering with the security software installed on a critical system?
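To make the two monitoring points above concrete (only a small set of executables and accounts are expected on a SWIFT-connected terminal, and someone stopping the security agent on such a machine should itself raise an alert), here is an added Python example. It is not code from the original article or from Panda Adaptive Defense: the log line format, host names, user accounts, executable paths, service names and the sample log are all constructed assumptions, and a real deployment would feed it events from the endpoint agent or the Windows event log instead.

```python
"""Allowlist-based monitoring of software launches and security-agent
tampering on SWIFT-connected terminals.

Added example, not part of the original article. Log format, hosts,
users, paths and service names below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed log line format (an assumption, not a real product's format):
#   <timestamp> host=<name> event=<type> user=<account> key=value ...
# Values contain no spaces, so a simple key=value split is enough.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Hypothetical scope and allowlist for the SWIFT terminals (constructed values).
# Only these hosts are in scope, only these accounts may run software on
# them, and only these images are expected to start. Paths are compared
# case-insensitively because Windows paths are.
SWIFT_HOSTS = {"swift-term-01", "swift-term-02"}
ALLOWED_USERS = {"swift-op1", "swift-op2"}
ALLOWED_IMAGES = {
    r"c:\swift\alliance\saa.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\edr\agent.exe",
}
# Services whose stop on a SWIFT terminal is treated as tampering.
SECURITY_SERVICES = {"edr-agent", "antimalware"}


@dataclass
class Alert:
    severity: str  # "CRITICAL" for agent tampering, "HIGH" for unlisted activity
    host: str
    reason: str
    line: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into a field dict; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    fields["ts"] = m.group("ts")
    return fields


def evaluate(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious event on a SWIFT terminal, else None."""
    ev = parse_line(line)
    if ev is None or ev.get("host") not in SWIFT_HOSTS:
        return None  # malformed, or a host outside the SWIFT scope
    host, event, user = ev["host"], ev.get("event"), ev.get("user", "?")

    # Stopping the security agent on a critical system is the strongest
    # signal here: it is exactly the "someone tampering with the security
    # software" indicator the article describes.
    if event == "service_stop" and ev.get("service") in SECURITY_SERVICES:
        return Alert("CRITICAL", host,
                     f"security service {ev['service']} stopped by {user}", line)

    if event == "process_start":
        image = ev.get("image", "").lower()
        if user not in ALLOWED_USERS:
            return Alert("HIGH", host,
                         f"process started by unexpected account {user}", line)
        if image not in ALLOWED_IMAGES:
            return Alert("HIGH", host,
                         f"unlisted executable launched: {image}", line)
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run every line through evaluate() and keep the alerts, in log order."""
    return [a for a in (evaluate(ln) for ln in lines) if a is not None]


# Constructed sample log: one normal launch, one unlisted binary, one agent
# stop, one launch by an account that should never be on the terminal, one
# event from an out-of-scope host, and one malformed line.
SAMPLE_LOG = [
    r"2016-01-01T08:00:01Z host=swift-term-01 event=process_start user=swift-op1 image=C:\SWIFT\Alliance\saa.exe",
    r"2016-01-01T08:00:02Z host=swift-term-01 event=process_start user=swift-op1 image=C:\Users\Public\tmp\update.exe",
    r"2016-01-01T08:00:03Z host=swift-term-02 event=service_stop user=localadmin service=edr-agent",
    r"2016-01-01T08:00:04Z host=swift-term-01 event=process_start user=svc_backup image=C:\Windows\System32\svchost.exe",
    r"2016-01-01T08:00:05Z host=file-srv-07 event=process_start user=bob image=C:\tools\x.exe",
    "garbage",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.host}: {alert.reason}")
```

Run as-is, the script reports three alerts from the sample log: the unlisted executable, the stopped agent and the unexpected account; the normal launch, the out-of-scope host and the malformed line produce nothing. The design choice worth noting is that the rule set is deliberately small and strict because the population of machines is small and well defined: on a handful of SWIFT terminals, an allowlist of a few images and accounts is maintainable in a way it never is across a whole corporate network, which is what makes "in-depth monitoring of software launches" realistic there.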

How to avoid such cyber attacks

One of the most frustrating things victims face is not knowing how the incident happened. How did it occur? When did it start? How long had it been going on? What did the attackers do while the computers were compromised? Was confidential information leaked? In the case of the Central Bank of Bangladesh, for example, three pieces of malware could be recovered after the incident, but that is only what was left behind. The attackers may have used many other tools that were deleted after the attack, and the victim knows nothing about them.

Only a few solutions can provide this level of service, and among them Panda Adaptive Defense is designed for exactly such cases. Our clients already include large financial organisations, governments around the world and large corporations from various sectors of the economy (healthcare, hotel chains, insurance, utilities, etc.).

All of these organisations face not only routine cyber attacks but also targeted attacks on their assets. We have already written about some of them: a luxury hotel chain, which we covered a few weeks ago, and an attack on oil tankers.

Having studied such attacks, we believe that if the affected banks had had such a security solution on their SWIFT-connected terminals, these robberies could have been stopped in time.

Source: https://habr.com/ru/post/302524/
