SWIFT Breach – Are You Safe?
SWIFT, the global financial messaging network, is used by roughly 11,000 banks and other financial institutions to move billions of dollars a day. SWIFT issued warnings to its users in the wake of several recent cyber incidents. The developments that led to the Bangladesh Bank cyber-heist in particular had far-reaching consequences for the industry.
Based on the attack trends we have observed over the last couple of months, SWIFT-connected systems have become a favoured target for cyber criminals committing online fraud. Bangladesh Bank's (BB) SWIFT payment system was breached in February 2016. It was reported that the attackers attempted to steal $951m, of which $81m was successfully transferred out (Ref: https://goo.gl/TNSdM5).
The BB Breach Breakdown
The full technical details of the breach have not yet been made public. However, from samples of the toolkit linked with the BB heist, and from what has already been published and inferred, the attack probably unfolded as follows:
1. The attackers gained access to systems linked with the SWIFT Alliance application server and installed their malware, which registered itself as a new Windows service so that it would persist across reboots.
2. The malware decrypted its configuration file (gpca.dat), which holds the search terms used to match specific SWIFT messages and codes.
3. Every hour the malware checked the Journal table (the Alliance authentication/session table) for login and logout status and reported the result over HTTP to an attacker-controlled server (126.96.36.199).
4. The .prc and .fal files, which contain SWIFT Financial Application (FIN) messages, were parsed and scanned for the attacker-defined terms. On a match, the transfer references and sender addresses were extracted and used to build SQL statements that altered or deleted the corresponding records in the database.
5. The malware then located the host's SWIFT Alliance software and tampered with it so that the application's database validity checks were bypassed and the altered records went unnoticed.
6. Over the weekend, a series of SWIFT messages was sent to other banks initiating the fund transfers.
7. The malware monitored all confirmation messages coming back from the SWIFT network.
8. Confirmation messages sent to the printer were altered or blocked in real time, so that staff would not see the fraudulent transfers.
This custom toolkit was built primarily to cover the attackers' tracks rather than to move the money itself. Because it is highly configurable and can be tuned to a target's environment, it can be reused for similar attacks in the future.
Check for Similar Attacks in your Network
It is not difficult to imagine that similar attempts will be made to exfiltrate money from the other roughly 11,000 financial institutions on the SWIFT network, so more agile monitoring of SWIFT servers, applications and linked systems is needed. The table below helps you look for similar threats in your network through your Security Operations Centre (SOC).
It is true that SWIFT's own security controls were not compromised; it was Bangladesh Bank's local infrastructure that was manipulated. That still holds significant lessons for all of us, and highlights the importance of effective, round-the-clock monitoring, which could minimise the impact of such breaches. A tamper-proof, centralised event-logging facility, together with the ability to flag when expected logs go missing (as happened with the printed confirmations here), should also be part of an effective security posture.
Cyber criminals are clearly using sophisticated attack techniques, and businesses and network owners are not keeping pace. To prevent a recurrence of the SWIFT breach, businesses should adopt a defence-in-depth model, deploy hardware-based authentication as an additional measure, and implement 24/7 security monitoring.
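As an added example (it is not the page's table and not code from the original post), the Python script below turns the breach breakdown above into four SOC hunting checks and runs them over a handful of constructed log lines: a new Windows service on a SWIFT-linked host (step 1), hourly HTTP call-backs from that host to a single external address (step 3), direct DELETE/UPDATE statements against the message journal (steps 4 and 5), and an expected log source such as the confirmation printer going quiet (step 8). The host name, the log line formats and the IP addresses (documentation ranges) are assumptions made for the example; in a real SOC you would feed it from your SIEM instead of the inline list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed asset list: hosts running, or directly linked to, the SWIFT Alliance server.
SWIFT_HOSTS = {"swift-alliance-01"}

# Constructed sample events for this example, not real logs:
# (timestamp, log source, host, message). IP addresses are documentation ranges.
SAMPLE_EVENTS = [
    # step 1: a new service appears on the SWIFT host (System log, EventID 7045)
    ("2016-02-04 01:10:00", "winlog", "swift-alliance-01",
     "EventID=7045 ServiceName=svcdiag ImagePath=C:\\Windows\\Temp\\svcdiag.exe"),
    # step 3: hourly HTTP call-backs to one external address
    ("2016-02-04 02:00:05", "proxy", "swift-alliance-01", "method=GET dst=203.0.113.10 uri=/status"),
    ("2016-02-04 03:00:11", "proxy", "swift-alliance-01", "method=GET dst=203.0.113.10 uri=/status"),
    ("2016-02-04 04:00:02", "proxy", "swift-alliance-01", "method=GET dst=203.0.113.10 uri=/status"),
    ("2016-02-04 04:12:40", "proxy", "swift-alliance-01", "method=GET dst=198.51.100.7 uri=/updates"),
    # step 4: records removed from the message journal by direct SQL
    ("2016-02-04 23:41:13", "dbaudit", "swift-alliance-01",
     "user=alliance stmt=DELETE FROM FIN_MESSAGE_JOURNAL WHERE TRN_REF='FT16035012345678'"),
    ("2016-02-04 23:41:14", "dbaudit", "swift-alliance-01",
     "user=alliance stmt=SELECT COUNT(*) FROM FIN_MESSAGE_JOURNAL"),
    # step 8: the last confirmation that actually reached the printer
    ("2016-02-04 22:00:00", "printer", "swift-alliance-01", "job=MT900_confirmation pages=1"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def new_services(events):
    """Step 1: any new Windows service registered on a SWIFT-linked host."""
    return [(ts, host, msg) for ts, src, host, msg in events
            if src == "winlog" and host in SWIFT_HOSTS and "EventID=7045" in msg]


def beacons(events, period=3600, tolerance=120, min_hits=3):
    """Step 3: outbound HTTP from a SWIFT host to one destination at a near-constant interval.
    Returns (host, destination, number of requests) for each flagged pair."""
    by_pair = defaultdict(list)
    for ts, src, host, msg in events:
        m = re.search(r"dst=(\S+)", msg)
        if src == "proxy" and host in SWIFT_HOSTS and m:
            by_pair[(host, m.group(1))].append(parse(ts))
    flagged = []
    for (host, dst), times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # each regular gap links two requests, so N regular gaps imply at least N+1 beacons
        regular = [g for g in gaps if abs(g - period) <= tolerance]
        if len(regular) + 1 >= min_hits:
            flagged.append((host, dst, len(times)))
    return flagged


def journal_tampering(events):
    """Steps 4 and 5: DELETE/UPDATE statements against message or journal tables,
    issued on the SWIFT host itself rather than through the application."""
    pat = re.compile(r"\b(DELETE|UPDATE)\b.*\b(JOURNAL|MESSAGE|FIN)\w*", re.I)
    return [(ts, host, msg) for ts, src, host, msg in events
            if src == "dbaudit" and pat.search(msg)]


def silent_sources(events, expected, now_ts, max_gap_s):
    """Step 8 and the 'missing logs' point: an expected (source, host) pair that has been
    quiet for longer than max_gap_s seconds is itself an alert."""
    last_seen = {}
    for ts, src, host, _ in events:
        t = parse(ts)
        if (src, host) not in last_seen or t > last_seen[(src, host)]:
            last_seen[(src, host)] = t
    now = parse(now_ts)
    return [key for key in expected
            if key not in last_seen or (now - last_seen[key]).total_seconds() > max_gap_s]


if __name__ == "__main__":
    print("new services     :", new_services(SAMPLE_EVENTS))
    print("beaconing        :", beacons(SAMPLE_EVENTS))
    print("journal tampering:", journal_tampering(SAMPLE_EVENTS))
    print("silent sources   :", silent_sources(
        SAMPLE_EVENTS,
        [("dbaudit", "swift-alliance-01"), ("printer", "swift-alliance-01")],
        "2016-02-05 00:00:00", 3600))
```

The beacon check is deliberately behaviour-based rather than keyed on the reported IP address, because the toolkit is configurable and the call-back address will differ between targets; the silent-source check is the cheap way to catch step 8, since a printer that stops receiving confirmation jobs during a transfer window is far more suspicious than any single log line.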