Hackers abused the SWIFT banking network to steal US $10 million from an unnamed Ukrainian bank, according to reports.
As reported by the Kyiv Post, the Kyiv branch of the Information Systems Audit and Control Association (ISACA) made the discovery after it was hired by the Ukrainian bank to investigate the heist.
ISACA says the hack occurred via the Society for Worldwide Interbank Financial Telecommunications (SWIFT), a secure messaging service provider which helps over 11,000 financial organizations all over the world process money transfers.
By making use of publicly available information and tools, the attackers were able to gain access to SWIFT’s banking messaging service, where they began ordering fraudulent money transfers.
The IT firm believes attackers targeted not only the Ukrainian bank but also several other financial institutions in Russia and Eastern Europe.
As ISACA said in a statement:
“At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars.”
This is not the first time hackers committed a bank heist by abusing SWIFT.
In February 2016, attackers used a piece of malware evtdiag.exe that has been linked to the 2014 Sony hack to make a slight alteration in SWIFT’s Access Alliance software at the Bangladesh Bank. Doing so allowed them to gain access to a database at the bank and make fraudulent money transfer orders. They made off with US $81 million.
Several months later, Tien Phong Bank (TPB) in Vietnam spotted a fraudulent transfer of 1.2 million euros (approximately US $1.36 million) to a Slovenian bank. An investigation into the incident revealed the attackers had used fraudulent messages from SWIFT to order the money transfer from TPB.
In each of these incidents, SWIFT has denied it was hacked. It has instead pointed to how attackers compromised local security measures, such as by stealing authorized employees’ SWIFT credentials, instead of hacking the system directly.
But that doesn’t mean attackers don’t know how SWIFT works. On the contrary, as Andrew Patel, senior manager of technological outreach at F-Secure, told SCMagazine:
“The actors behind these attacks invested a substantial amount of time and effort into learning the system and how to attack it. I wouldn’t be surprised if they acquired and set up their own SWIFT test environment in order to study the system and test their attacks. Given the effort it would take to learn this proprietary system, it’s possible they have multiple different attacks up their sleeves. They’re simply getting the most out of the investment they made.”
In response to these ongoing attacks, SWIFT has announced the creation of a new security program that will help companies improve threat information sharing and harden their security against similar attacks.
As this newest attack illustrates, it doesn’t matter if you’re an ordinary user or an employee of a large financial organization. Whatever you do, don’t click on suspicious links or email attachments, and don’t provide sensitive personal or corporate information to someone you don’t know. No good will every come from it.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.