Many of you will have read our article yesterday on the BAE Systems analysis of the recent cyberattack on the Bangladesh Bank. Following a conversation with a SWIFT representative, we have updated the article with corrections. – Ian Murphy, Editor
BAE Systems has published a blog by Sergei Shevchenko that identifies malware capable of hiding the traces of fraudulent payments from the customer’s local database. The blog, entitled “Two Bytes to $951m”, looks at how hackers gained access to the Bangladesh Bank’s (BB) SWIFT payment system in February. It is not the only blog that attempts to explain the breach and the tools the attackers used, but it is the first to claim access to some of the software.
BAE Systems identifies tools available to all hackers
In his blog Shevchenko talks about discovering tools uploaded to online malware repositories that he believes are linked to the BB heist. In this case Shevchenko says: “The custom malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure.” This will be a major concern for all banks connected to the SWIFT payment platform. Once tools start circulating they often lead to new attacks and help attackers evolve the software to make it more effective.
That threat is very real. Having analysed the software, Shevchenko says: “The tools are highly configurable and given the correct access could feasibly be used for similar attacks in the future.” BAE Systems looked at three malware samples, although Shevchenko says that only one of them contained the core logic for interacting with the SWIFT Alliance software suite.
The primary goal of the software is simple: to inspect SWIFT messages for strings defined in a configuration file. Once those strings are identified, the software extracts some data and uses it to interact with SWIFT. This might be to delete some messages, change others to show different transaction amounts, or make other alterations as defined by the attackers. In the samples that BAE Systems looked at, the malware terminated itself at 6am on 6th February 2016, two days after hackers attacked the Bangladesh Bank.
Patching a core system file was key to success
The attackers were able to map the entire SWIFT process and identify which process used the liboradb.dll module. The malware changed just two bytes in this single module. Those two bytes turned a failed security check into a pass: instead of suspect messages failing the check, every message was treated as having passed. This single change meant that the malware was able to execute database transactions within the target system.
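A detection-side illustration of the point above, added here and not taken from the BAE Systems analysis: a hash-based integrity check over a constructed stand-in for a critical module, showing that a two-byte change is as detectable as any other once a trusted baseline exists. The module image, the baseline and the patched copy are all constructed; the only name borrowed from the article is liboradb.dll.

```python
# Added example (not BAE Systems' or SWIFT's code): baseline-and-compare
# integrity check of the kind that catches a tiny patch to a module such as
# liboradb.dll. Real baselines come from a trusted install or vendor hashes;
# here the module images are constructed byte strings.
from __future__ import annotations
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(modules: dict[str, bytes]) -> dict[str, str]:
    """Record the SHA-256 of each critical module from a trusted copy."""
    return {name: sha256_hex(data) for name, data in modules.items()}


def check_integrity(baseline: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Return the names of modules that are missing or no longer match the baseline."""
    tampered = []
    for name, expected in baseline.items():
        data = current.get(name)
        if data is None or sha256_hex(data) != expected:
            tampered.append(name)
    return tampered


def diff_offsets(original: bytes, modified: bytes) -> list[int]:
    """Byte offsets where two module images differ, for triage of a flagged module."""
    offsets = [i for i, (a, b) in enumerate(zip(original, modified)) if a != b]
    # A size change counts as a difference over the extra tail as well.
    offsets.extend(range(min(len(original), len(modified)), max(len(original), len(modified))))
    return offsets


# Constructed stand-in for a module image; the real DLL is far larger.
TRUSTED_MODULE = bytes(range(256)) * 4
# Constructed: the same image with exactly two bytes altered at one location.
PATCHED_MODULE = bytearray(TRUSTED_MODULE)
PATCHED_MODULE[0x120:0x122] = b"\xff\xfe"


def demo() -> tuple[list[str], list[int]]:
    """Flag the patched module and report where it differs from the baseline."""
    baseline = build_baseline({"liboradb.dll": TRUSTED_MODULE})
    tampered = check_integrity(baseline, {"liboradb.dll": bytes(PATCHED_MODULE)})
    offsets = diff_offsets(TRUSTED_MODULE, bytes(PATCHED_MODULE))
    return tampered, offsets


if __name__ == "__main__":
    print(demo())  # (['liboradb.dll'], [288, 289])
```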
The malware was also able to use information it had previously extracted to create and then execute SQL statements against the Oracle database underlying SWIFT Alliance Access. The analysis explains several of these SQL statements, including how the malware queried for specific senders and then used a SQL UPDATE statement to change the amount of Convertible Currency in the message.
Should we be surprised at this level of success or sophistication from hackers? Not in the slightest. What will be of great concern to banks around the world is that it was this simple. Arguably all messages and files should have been encrypted and not changeable without high-level system privileges. However, a little insider information goes a long way, as Shevchenko highlights with his comment: “The tool was custom made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software as well as good malware coding skills.”
In his conclusion Shevchenko suggests that this is unlikely to be the last we will see of it, saying: “…the general tools, techniques and procedures used in the attack may allow the gang to strike again. All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed.”
This may have been an attack aimed at a single bank, but with the code and tools now in the hacking domain, along with, one assumes, the knowledge of how SWIFT works, attacks will very quickly evolve and become more sophisticated.