The SWIFT banking network has warned that a second bank has been hit by the same malware that led to the Bangladesh Bank losing millions of dollars back in February. Once again the attackers targeted the client-side systems and were able to manipulate messages and payments, stealing an as yet undisclosed sum of money.
According to a statement by SWIFT: “The attackers exhibited a ‘deep and sophisticated knowledge of specific operational controls’ at targeted banks and may have been aided by ‘malicious insiders or cyber attacks, or a combination of both’.” Note the emphasis on targeted banks in this statement. When we reported the BAE Systems analysis last month, SWIFT were quick to contact us and insist that the attack had nothing to do with their software but was instead all about attacks on client-side systems.
This latest breach will increase concern over the way that attackers have been able to take over client-side systems and operate undetected for some time. There will also be worries that the criminal gang involved has such good knowledge of the SWIFT interfaces to client-side systems that it has been able to repeat what was already a high-profile attack. The response from SWIFT has been to reiterate that customers must review their client-side systems to identify and remedy any risk.
A sophisticated toolkit for bank attackers
While SWIFT has declined to identify the bank or even the country concerned, BAE Systems, which published an analysis of the Bangladesh Bank heist, has said it is a commercial bank in Vietnam. The disclosure was made by Sergei Shevchenko and Adrian Nish in a blog entitled Cyber Heist Attribution. The blog details how BAE Systems was able to identify “multiple bespoke tools” that were available to the attackers of the banks in both Bangladesh and Vietnam.
What will worry security researchers is that one of the key tools, msoutc.exe, used to cover up traces of the attacks, had already been widely reported. Samples of malware using the same encryption key were reported last year by PwC. According to Shevchenko and Nish the malware features in US-CERT Alert TA14-353A (December 2014), where it was described as part of a larger toolkit. That toolkit was used in the successful 2014 cyber attack against Sony.
There was further coverage of the toolkit in the Operation Blockbuster report (February 2016) that looked in detail at the attack on Sony. Shevchenko and Nish comment that msoutc.exe matches what the Operation Blockbuster authors called the Sierra Charlie variants in their report.
What is clear from the Shevchenko and Nish blog is that there are a number of other commonalities, from typos to compiler artefacts and even functionality, between the various reported instances of this malware. This, they believe, is enough evidence to say that the same coder is involved in all three attacks. More importantly, these artefacts have been identified and publicly reported by several different security companies, yet the malware is still effective and still enabling attacks such as these on the banks' internal systems.
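The attribution reasoning above (a shared key constant, a repeated typo, the same compiler banner across otherwise different binaries) can be reduced to a mechanical check. The following is an added example, not BAE Systems' or PwC's tooling, and the four "samples", the typo, the key constant and the compiler banner in it are constructed placeholders rather than real indicators from the reports. It extracts printable strings from each blob, discards strings that any ordinary Windows binary would contain, and links samples that share several of the remaining rare artefacts, then unions the links into clusters. The point it makes beyond the prose is that the linkage survives even when each sample also carries its own unique strings, and that a sample with a different key and a correctly spelled error string stays unlinked.

```python
"""Cluster binaries by rare shared artefacts (added example; constructed data)."""
import re
from itertools import combinations

# Constructed stand-ins for the printable strings of four binaries.
# The key, the misspelling and the compiler banner are placeholders, not IoCs.
SAMPLES = {
    "sony_2014": (
        b"\x00kernel32.dll\x00GetProcAddress\x00Microsoft Visual C++ 8.0\x00"
        b"xor_key=0x0BADF00D\x00Recieved unexpected lenght\x00"
        b"cmd.exe /c del /f %s\x00"
    ),
    "bangladesh_2016": (
        b"\x00kernel32.dll\x00CreateFileA\x00Microsoft Visual C++ 8.0\x00"
        b"xor_key=0x0BADF00D\x00Recieved unexpected lenght\x00"
        b"prt_spooler_stop\x00"
    ),
    "vietnam_2016": (
        b"\x00kernel32.dll\x00WriteFile\x00Microsoft Visual C++ 8.0\x00"
        b"xor_key=0x0BADF00D\x00Recieved unexpected lenght\x00"
        b"cleanup_done\x00"
    ),
    "unrelated_tool": (
        b"\x00kernel32.dll\x00GetProcAddress\x00GCC: (GNU) 4.8.2\x00"
        b"xor_key=0x12345678\x00Received unexpected length\x00"
    ),
}

# Strings found in practically every Windows executable; they carry no signal.
COMMON = {"kernel32.dll", "GetProcAddress", "CreateFileA", "WriteFile"}

# Printable ASCII runs of at least six characters, like `strings -n 6`.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")


def extract_strings(blob):
    return {m.decode("ascii") for m in STRING_RE.findall(blob)}


def rare_artifacts(blob):
    """Printable strings minus the ones any benign binary would also have."""
    return extract_strings(blob) - COMMON


def shared_artifacts(a, b):
    return rare_artifacts(a) & rare_artifacts(b)


def link_samples(samples, min_shared=2):
    """Pairs of samples sharing at least `min_shared` rare artefacts."""
    links = {}
    for x, y in combinations(samples, 2):
        shared = shared_artifacts(samples[x], samples[y])
        if len(shared) >= min_shared:
            links[frozenset((x, y))] = shared
    return links


def clusters(samples, min_shared=2):
    """Union-find over the linked pairs: each cluster is one plausible 'same coder'."""
    parent = {name: name for name in samples}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for pair in link_samples(samples, min_shared):
        x, y = tuple(pair)
        parent[find(x)] = find(y)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


if __name__ == "__main__":
    for pair, shared in link_samples(SAMPLES).items():
        print(sorted(pair), "share", sorted(shared))
    print(clusters(SAMPLES))
```

A production version would replace the hand-written COMMON set with string frequencies measured over a corpus of clean binaries, so that only genuinely rare strings count; the threshold is the tunable that trades false links for missed ones.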
The soft underbelly of security
Many will ask why these attacks were able to take place if elements of the toolkit and some of the malware have been known for over two years. It is a good question and one that exposes the problem of the soft underbelly of security.
One of the biggest problems for security teams today is protecting against insider attacks. IT security teams have spent a lot of money over the last few years on perimeter defences to keep attackers out. The problem with insiders is not just that they are already inside the system but that they have knowledge of security processes and of where the data is held. This makes it easier for them to target the information they want and to do so in a way that helps them evade detection.
It is not just malicious insiders that are the problem. Increasingly sophisticated spear phishing attacks, such as the one detected by Panda Security against hotels, mean that a lot of attacks are unwittingly triggered by a member of staff. The recent Panda Security story made it clear that the attack would have evaded perimeter controls. In effect both of these examples expose how easy it is to get around security once inside the network.
SWIFT's statement suggests that these attacks on banking systems were aided by insiders with good knowledge not just of the way that SWIFT works but also of the local systems at the affected banks. How the malware was introduced to the banks is still not known: insiders could have carried it in on their personal devices, or it could have arrived through spear phishing or other attacks. Either way, insider knowledge of bank configurations and processes was required to make the attacks work.
According to Matt Middleton-Leal, regional director of UK & Ireland at CyberArk: “From a cybersecurity perspective, whether this latest breach was caused by hackers, insiders or a combination of the two is irrelevant to a degree. What matters is that, with attention and budget spend on security often too focused on the perimeter defences, big blind spots obscure what’s happening inside the network.
“If hackers can move around somewhat freely once inside, sussing out how to circumvent transactional checks and balances and getting higher levels of enhanced access to the keys to the kingdom, then what you have spent to secure your network is wasted. As we saw in the Bangladesh heist, a simple thing like gaining control of a printer to make sure staff didn’t see fraudulent transactions meant the attack went undetected until it was too late.”
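The printer point is worth turning into a control. In the Bangladesh case the attackers stopped staff from seeing fraudulent transactions by taking control of the confirmation printer, which means an independent check that every outbound payment produced a printed confirmation would have fired. The following is an added example, not code from the article, from SWIFT or from CyberArk; the two logs are constructed sample data in a made-up format, and the five-minute window is an assumed tolerance. It reconciles an outbound-message log against a print-spooler log and raises a separate, higher-priority alert when the spooler stopped while payments continued to go out, since that combination is exactly the pattern described in the quote above.

```python
"""Reconcile outbound payment messages with printed confirmations (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample logs; the format is invented for this example and is not
# SWIFT Alliance or Windows spooler output.
OUTBOUND_LOG = """\
2016-02-05T00:55:10Z SENT type=MT103 ref=TRN-0001 amount=120000.00
2016-02-05T01:02:44Z SENT type=MT103 ref=TRN-0002 amount=3400000.00
2016-02-05T01:05:12Z SENT type=MT103 ref=TRN-0003 amount=20000000.00
2016-02-05T01:07:30Z SENT type=MT103 ref=TRN-0004 amount=81000000.00
"""

PRINTER_LOG = """\
2016-02-05T00:55:41Z PRINTED ref=TRN-0001 pages=1
2016-02-05T01:03:20Z PRINTED ref=TRN-0002 pages=1
2016-02-05T01:04:59Z SPOOLER stopped reason=service_stop
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse(log):
    """Return (timestamp, event kind, key=value fields) for each well-formed line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        events.append((ts, m.group(2), fields))
    return events


def unconfirmed_messages(outbound, printed, window=timedelta(minutes=5)):
    """Refs that were sent but never printed within `window` of being sent.

    A confirmation that predates the message, or arrives far too late, does not
    count: both are what a replayed or forged print job would look like.
    """
    print_times = {f["ref"]: ts for ts, kind, f in printed if kind == "PRINTED"}
    missing = []
    for ts, kind, f in outbound:
        if kind != "SENT":
            continue
        pt = print_times.get(f["ref"])
        if pt is None or pt < ts or pt - ts > window:
            missing.append(f["ref"])
    return missing


def spooler_stops(printed):
    """Times at which the print service reported stopping."""
    return [ts for ts, kind, f in printed if kind == "SPOOLER" and f.get("reason")]


def reconcile(outbound_log, printer_log, window=timedelta(minutes=5)):
    """Produce alert strings; the last one, if present, is the high-priority pattern."""
    outbound = parse(outbound_log)
    printed = parse(printer_log)
    alerts = [f"no printed confirmation for {ref}"
              for ref in unconfirmed_messages(outbound, printed, window)]
    stops = spooler_stops(printed)
    sent_after_stop = [f["ref"] for ts, kind, f in outbound
                       if kind == "SENT" and any(ts > s for s in stops)]
    if sent_after_stop:
        alerts.append("print spooler stopped while payments continued: "
                      + ", ".join(sent_after_stop))
    return alerts


if __name__ == "__main__":
    for alert in reconcile(OUTBOUND_LOG, PRINTER_LOG):
        print(alert)
```

The check only has value if the two logs are collected by something the attacker does not control from the same host, for example forwarded to a separate log server as they are written; a reconciliation that reads both logs from the compromised machine can be fed whatever the attacker wants it to see.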
Conclusion
The ability of cybercriminals to attack multiple banks and compromise client-side systems that are integrated into the SWIFT network has serious ramifications. The fact that SWIFT itself felt it important to issue a statement shows just how concerned it is. There is also evidence from Shevchenko and Nish that the breaches share the same coder. This suggests that a single gang is at work rather than the tools having been sold on to the highest bidder.
For criminal investigators this is an important clue. It means that they can begin to look for links between people in both banks in order to find the insiders who enabled the attacks. It may also identify a piece of common software that was used by both banks, beyond the malware, and it will be important that investigators are given access to both sets of systems in order to follow this lead.
The fact that there are clearly identified links between part of the malware toolkit and the Sony attack means that there is already a lot of information available to help investigators. Interestingly the Sony attack was launched by a group calling itself the Guardians of Peace who are believed to have been sponsored by North Korea.
Does this mean that it is possible to ascribe this attack on banks to North Korea? Possibly. As yet, all we have is evidence that the malware used in all these attacks can be attributed to the same coder. It could equally be that the code, once created, was made available to multiple groups.
Whoever is responsible, the key issue here is that parts of the malware are well known and yet were not detected by the security systems in place at the two banks. Will they be the last to be hit? Highly unlikely, but there will now be an increased effort across the world to check banking systems to see how far this attack has spread.