SWIFT, the international cooperative that facilitates wire transfers, has hit the headlines recently, after falling victim to a series of attacks by cybercriminals. The first to come to light was the massive Bangladesh Bank $81 million heist. While details of this attack are still emerging, three factors are clear.
First, the bank had woefully inadequate network security measures. It had no network firewalls in place and had purchased second-hand routers from eBay, some of which were still using default passwords. Second, once the attackers had got inside this effectively open network, they were able to plant malware in SWIFT terminals used by the bank, which enabled them to monitor network traffic, interrupt transfers and create fraudulent transactions. Third, the attack was only identified because of a typo in a transfer request, which raised a query from Deutsche Bank as to whether the transfer was legitimate. If the attackers hadn’t made this mistake, they could well have stolen far more.
SWIFT has warned its members that this was not an isolated incident – and indeed the same type of attack extracted $12 million from Ecuadorian bank Banco del Austro SA and also targeted banks in the Philippines, Vietnam and Ukraine. Although we don’t have the full details of these attacks – nor the identity of the hackers behind them – we can learn a lot from these incidents.
Sophistication and a lack of segmentation
It is clear that the Bangladeshi heist was a prolonged and sophisticated attack, comprising several layers. Any run-of-the-mill hacker could take advantage of the initial poor security practices – hypothetically, a remote access terminal with a default password setting would be pretty easy to get inside. But while a relatively inexperienced team of hackers may have been hired to do the initial ‘dirty work’ of gaining access to the bank’s network, the reconnaissance and later stages of the attack were pretty sophisticated.
These attackers had – or had to gain – really in-depth knowledge of how the SWIFT transfer system works. They had to know how to issue a wire transfer that, at the very least, passes basic formatting requirements. They had to know which accounts had money in them and where to transfer the money to. Perhaps this layer included people who had worked in a bank themselves, and had good knowledge of how SWIFT transactions are actually done. Probably they did serious reconnaissance, sitting quietly on the Bangladesh Bank network for some time.
Samples of the malware deployed by these criminals have been found to be tailored specifically to the banking environment. The attackers had extraordinarily good knowledge of the SWIFT messaging system, and used it to not only make fraudulent transfers but also to cover their tracks very successfully.
The sheer level of detail, knowledge and patience involved in this attack shows just how serious cybercriminals can be in their attempts to extort money. So now, more than ever, it is vital for banks and financial organizations to implement not just the basic cybersecurity principles that the Bangladeshi bank ignored, but also far more sophisticated network monitoring and segmentation, to prevent hackers from being able to move laterally within their networks.
SWIFT needs to improve its security requirements
It is easy to criticize the Bangladesh Bank for its cybersecurity posture. No firewalls, second-hand routers with default passwords – these are certainly bad practices. So it’s not surprising that SWIFT was quick to blame the affected banks, saying in one statement that “SWIFT’s network, software and services have not been compromised; each case occurred after a customer suffered a series of security breaches within their locally managed infrastructure”.
However, the security of the SWIFT network itself has also been questioned, and SWIFT has since confirmed that it will be rolling out two-factor authentication for wire transfers, which seems to imply that the SWIFT network does indeed need to improve its protection.
The point here is that the SWIFT network is a massive global ecosystem, through which organizations of variable sizes – and, until now, variable security standards – are connected to each other. While major international banks are expected to have large in-house security teams and robust cybersecurity strategies in place, smaller brokerages and other financial institutions might not have the same expertise or levels of protection. And yet all of these organizations are technically connected to each other through SWIFT.
SWIFT has since announced that it plans to suspend banks with weaker cyber defenses until they improve their security. This is a step in the right direction – and suspensions are certainly a more powerful threat than nebulous legal action – but I’d like to see SWIFT wielding more of the power it has.
Some years ago the card payment industry, which, similarly, comprises a massive international network of banks, merchants and so on, took unilateral action and formed the PCI DSS consortium to establish and enforce minimum standards of cyber security for all participants. It was a powerful and effective move; I think SWIFT needs to do the same, so that if an organization didn’t meet a set of basic cybersecurity standards, it would be unable to join SWIFT and make wire transfers through the network.
Reduce the attack surface
Finally, this ongoing series of attacks can legitimately be viewed as an Advanced Persistent Threat (APT) campaign. Each attack seems to have involved a sustained period of reconnaissance and intelligence-gathering followed by the use of specifically tailored malware.
Mitigating these types of persistent, targeted exploits requires an advanced and multifaceted cybersecurity strategy. It means reducing an organization’s attack surface as much as possible, to minimize exposure to hackers and criminals, and diligently monitoring for signs of the reconnaissance stage – that is, for malicious activity inside the network and for suspicious traffic leaving it.
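Two of the controls argued for above – segmentation so that an intruder on the open network cannot simply reach the transfer terminals, and monitoring for the reconnaissance stage – can be illustrated with a small flow-log monitor. The following Python example is added here; it is not part of the original post and not related to any SWIFT product. It checks flows into a dedicated terminal segment against an allow-list and flags any internal host that fans out to unusually many internal peers, which is what a host sweep looks like in flow data. The subnets, ports, log format, threshold and log lines are all constructed assumptions for illustration.

```python
"""Added example (not from the original post): segmentation allow-list check
and a fan-out based reconnaissance detector over constructed flow-log lines."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed network layout (assumption): the terminals live in their own
# segment, and only two source subnets may reach it, each on one port.
SWIFT_SEGMENT = ip_network("10.10.50.0/24")
INTERNAL = ip_network("10.0.0.0/8")
ALLOWED_INTO_SEGMENT = (
    (ip_network("10.10.20.0/24"), 443),   # operator workstations, HTTPS only
    (ip_network("10.10.40.0/24"), 22),    # administrative jump host, SSH only
)
FANOUT_THRESHOLD = 8  # distinct internal destinations before a host is flagged


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ip_address(src), ip_address(dst), int(dport), proto)


def is_allowed_into_segment(flow: Flow) -> bool:
    """Traffic into the terminal segment must match an allow-list entry exactly;
    anything else bound for the segment is a segmentation violation."""
    if flow.dst not in SWIFT_SEGMENT:
        return True
    return any(flow.src in net and flow.dport == port
               for net, port in ALLOWED_INTO_SEGMENT)


def segmentation_violations(flows):
    """Return the flows that reached the segment without an allow-list match."""
    return [f for f in flows if not is_allowed_into_segment(f)]


def reconnaissance_suspects(flows, threshold=FANOUT_THRESHOLD):
    """Count distinct internal destinations per internal source. A host that
    touches many peers in a short window looks like an internal host sweep."""
    fanout = defaultdict(set)
    for f in flows:
        if f.src in INTERNAL and f.dst in INTERNAL:
            fanout[f.src].add(f.dst)
    return {str(src): len(dsts) for src, dsts in fanout.items()
            if len(dsts) >= threshold}


# Constructed sample log: two legitimate flows into the segment, one workstation
# using the wrong port, one outbound flow, and a host sweeping nine internal peers.
SAMPLE_LOG = """\
2016-02-04T22:10:11Z 10.10.20.15 10.10.50.7 443 TCP
2016-02-04T22:10:12Z 10.10.40.2 10.10.50.7 22 TCP
2016-02-04T22:10:13Z 10.10.20.15 10.10.50.7 22 TCP
2016-02-04T22:10:14Z 10.10.20.15 203.0.113.10 443 TCP
2016-02-04T22:10:15Z 10.10.30.9 10.10.50.7 445 TCP
2016-02-04T22:10:15Z 10.10.30.9 10.10.50.8 445 TCP
2016-02-04T22:10:16Z 10.10.30.9 10.10.20.1 445 TCP
2016-02-04T22:10:16Z 10.10.30.9 10.10.20.2 445 TCP
2016-02-04T22:10:16Z 10.10.30.9 10.10.20.3 445 TCP
2016-02-04T22:10:17Z 10.10.30.9 10.10.20.4 445 TCP
2016-02-04T22:10:17Z 10.10.30.9 10.10.20.5 445 TCP
2016-02-04T22:10:17Z 10.10.30.9 10.10.20.6 445 TCP
2016-02-04T22:10:18Z 10.10.30.9 10.10.20.7 445 TCP
"""


def load_flows(text: str):
    """Parse every non-empty line of a flow log."""
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    flows = load_flows(SAMPLE_LOG)
    for f in segmentation_violations(flows):
        print(f"segmentation violation: {f.src} -> {f.dst}:{f.dport} at {f.ts}")
    for host, count in reconnaissance_suspects(flows).items():
        print(f"possible reconnaissance: {host} contacted {count} internal hosts")
```

On the sample log the allow-list catches three flows (a workstation reaching a terminal over SSH instead of HTTPS, and two flows from an unapproved subnet), and the fan-out counter flags the sweeping host after it has touched nine internal addresses; the outbound flow to a public address is ignored by the fan-out logic because only internal-to-internal traffic is counted. In production the same two checks would run against firewall or NetFlow exports with the threshold tuned to the segment's normal traffic.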
One difficulty in reducing the attack surface for organizations connected to SWIFT is, however, the network’s global nature. When you are connected to an ecosystem that in turn connects to and touches many other countries globally, your attack surface will be large and complex. Indeed, these attacks raise interesting questions in terms of jurisdictions and law enforcement; if the Bangladesh Bank decides to press charges, which police force do they go to? Can INTERPOL help? Even if they manage to identify the criminals, who is going to arrest them, or request extradition? There are, as yet, no easy answers to these questions.
So organizations operating internationally need to carefully evaluate not just their own security, but also the security of the networks they connect to, if they want to avoid being targeted by the type of patient, sophisticated attack we have seen used against SWIFT.