Banks using the SWIFT financial messaging system continue to be successfully hacked. A Reuters news report revealed that SWIFT has sent a private letter to clients advising them that a string of cyber-attacks has surfaced since June this year. Some of those attacks have been successful, although SWIFT stopped short of saying how much was lost and by whom.
In its report Reuters published what it says is a quote from the letter. “Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.”
Who is being targeted and how?
The banks targeted all appear to have poor security around the systems that integrate with the SWIFT network. This is allowing hackers with a very good knowledge of how SWIFT works on the client side to penetrate those systems. Once in, they use the SWIFT messaging network to send messages to other banks to move money. SWIFT has been keen to point out consistently that the problem is not in the core network. Instead, it is the systems that connect to the network that are at fault.
The problem for SWIFT is that it has no real power over its members. It cannot force them to pass certain security standards or audit their procedures. All it can do is involve local regulators and that is exactly what it has threatened. According to Reuters: “SWIFT told banks Tuesday that it might report them to regulators and banking partners if they failed to meet a November 19 deadline for installing the latest version of its software, which includes new security features designed to thwart the type of attacks described in its letter.”
Will regulators do anything?
That is debatable. In June the FFIEC in the US told banks that they must: “actively manage the risks associated with interbank messaging and wholesale payment networks.” It also went on to remind all financial institutions that they should review their risk management practices and controls over IT and payment systems. They are told to pay particular attention to: “authentication, authorization, fraud detection, and response management systems and processes.”
At the same time the FFIEC said that the warning did not indicate any change in regulatory expectations. The update was simply an advisory reminding them about their obligations and security. European regulators took the same approach. Banks were told to check their processes and procedures but were not warned of any tightening of controls.
The problem here is that without support from the regulators there is little that SWIFT can do. There seems to be no process by which it can force banks to update their software. It has updated the client software that it provides to its members. Will this be enough to reduce or stop the attacks? That is a hard question to answer, even if everyone upgrades to the latest version and implements it properly.
Who discovered the recent attacks?
That is not clear. SWIFT has not disclosed how it discovered the recent attacks and has not responded to requests for further information. The attack on the Bangladesh Bank was originally investigated by the cybersecurity team at BAE Systems. In July they joined the SWIFT Customer Security Intelligence Team (CSIT), whose role is: “investigating incidents within customer environments.”
What is interesting is that SWIFT does not appear to be offering cybersecurity assessments to customer banks. It would seem that one of the first goals of the CSIT team would be to assess the risk in customer systems. Instead, it has to wait for information from affected banks before it can investigate. These latest attacks will lead to a new set of indicators of compromise. The question is whether smaller banks will take any notice and use them to check their systems.
All of this comes on the back of SWIFT stepping up its security advice. Since April it has added a whole new section to its website dealing specifically with cybersecurity. It has also added a new Customer Security Programme (CSP) which is intended to help customers share security information and implement new audit frameworks.
The banking industry relies on the SWIFT network to move money between banks in a timely fashion. A failure by smaller banks to implement proper security procedures could cause problems for them and their clients. Larger institutions may choose to introduce additional steps before responding to requests to move monies. These are likely to be manual processes, which would incur costs and take time.
eSentire’s CTO Mark McArdle says: “What is surprising is the omission from some so closely associated with the organization that SWIFT failed to address end user risk much sooner. End user risk isn’t something new; attackers commonly use smaller organizations as gateways to larger targets (like the HVAC supplier exploited in the 2014 Target attack). Larger businesses should regard end user risk as just as real and equally dangerous as a direct attack.”
To prevent this regulators could begin to get tough with banks. However, the fact that this has been going on for almost a year suggests that regulators themselves are unable or unwilling to act.