Three banks – in Ecuador, Bangladesh and Vietnam – have had high profile intrusions reported in the last few months. Reports on the hacks describe highly sophisticated malware being introduced into the banks’ own networks. But the success of the hacks also rested on the flawed psychology of a trusted network (SWIFT) that is allowed to terminate in, and integrate with, less trustworthy environments.
Let’s take the latter point about psychology first. SWIFT (the Society for Worldwide Interbank Financial Telecommunication, based in Belgium) is rightly considered the gold standard for interbank communications. SWIFT is a co-operative owned by its member banks, with some 11,000 financial institutions around the world using its network.
When 11,000 of the world’s biggest financial institutions share a messaging platform that is used to initiate the electronic transfer of billions of dollars every year, human nature leads people to think: ‘if the message comes from SWIFT, it must be OK’. That collective belief is a great starting point for hackers, because it means their potential victims will be off their guard. If the hack can come via SWIFT, it will be cloaked.
And it could be that collective belief which first made SWIFT an attractive target for hackers.
Sun Tzu. Find a weakness, and then exploit it.
Sun Tzu, the Chinese military strategist who wrote The Art Of War, would have delighted in how the SWIFT attacks unfolded.
So, to go back to the previous point about human nature, we have a trusted network that terminates in 11,000 institutions. Importantly, people who think like Sun Tzu would have noticed that those institutions get to make up their own rules about security. There is no SWIFT-mandated standard for cyber security within its member banks, although SWIFT does offer tools and best-practice advice.
This lack of defined standards means the sublime hacker could have had a simple Sun Tzu-like three-point strategy to defeat SWIFT:
- Use a spy to find vulnerabilities in SWIFT.
- Find a SWIFT bank with a weak perimeter.
- Steal their money and remain anonymous.
And according to the various reports, those seem to be the lines along which the SWIFT attacks developed.
One. The vulnerability in the SWIFT infrastructure has been reported to exist in the organization’s Alliance Access service. Alliance Access, which is used by some 2,000 banks, enables banks to connect their own business software applications to the SWIFT messaging platform. This ability to hardwire custom apps to SWIFT suggests a potential weak point. Some reporters have speculated that finding this flaw could have involved somebody from within the banking community.
Two. To access the SWIFT vulnerability, the hackers would have had to look for the entry point of least resistance. Other reports (we don’t know if they are true or not) say that Bangladesh Bank was using second-hand network switches costing $10, and had no firewall. If true, this would make the bank a perfect candidate for an attempted intrusion.
Three. Having found the flaw and then found the access point, the hackers finally did what they do best and introduced software which not only enabled them to transfer huge sums of money from the bank via SWIFT, but also erased their tracks afterwards. So effective was the software that the printer which produced hard copies of transaction confirmations was prevented from doing so.
In short, the entire SWIFT debacle could be described as The Art Of Hacking.
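The third step above works because the attackers controlled the only records the bank looked at: the local SWIFT message store and the confirmation printer. The standard counter is to reconcile those records against a source the malware could not reach, such as a log taken at the network boundary. The script below is an added example (not part of the original post and not SecludIT’s or SWIFT’s code) of that three-way check. The `key=value` log format, the field names and all three log excerpts are constructed for illustration; a real deployment would parse whatever format the gateway, the SWIFT interface and the printer spooler actually emit.

```python
"""Three-way reconciliation of outbound payment messages.

Constructed example: compares what left the network (gateway log) against the
local SWIFT host's journal and the confirmation printer's log, flagging the
symptoms the Bangladesh Bank malware produced (deleted records, altered
amounts, suppressed hard-copy confirmations).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "ref issue detail")

# Hypothetical line format assumed for this example: a timestamp followed by
# whitespace-separated key=value fields (values contain no spaces).
_FIELD_RE = re.compile(r"(\w+)=([^\s]+)")

# --- Constructed sample logs (not real bank data) ------------------------
# 1. Outbound messages seen at the network boundary, outside the SWIFT host.
GATEWAY_LOG = """\
2016-02-04T20:36:05Z OUT ref=TX001 type=MT103 ccy=USD amt=20000000.00 bene=ACME_TRADING_LTD
2016-02-04T20:37:11Z OUT ref=TX002 type=MT103 ccy=USD amt=30000000.00 bene=NORTHWIND_IMPORTS
2016-02-04T20:38:42Z OUT ref=TX003 type=MT103 ccy=USD amt=25000000.00 bene=CONTOSO_HOLDINGS
2016-02-04T20:39:57Z OUT ref=TX004 type=MT103 ccy=USD amt=6000000.00 bene=FABRIKAM_GMBH
"""
# 2. The local journal on the SWIFT interface host. TX002 has been deleted,
#    TX003 has had its amount rewritten to look routine.
ALLIANCE_JOURNAL = """\
2016-02-04T20:36:05Z SENT ref=TX001 type=MT103 ccy=USD amt=20000000.00 status=ACK
2016-02-04T20:38:42Z SENT ref=TX003 type=MT103 ccy=USD amt=25000.00 status=ACK
2016-02-04T20:39:57Z SENT ref=TX004 type=MT103 ccy=USD amt=6000000.00 status=ACK
"""
# 3. What the confirmation printer actually produced; TX004 never printed.
PRINTER_LOG = """\
2016-02-04T20:36:09Z PRINTED ref=TX001 pages=1
2016-02-04T20:38:45Z PRINTED ref=TX003 pages=1
"""


def parse_records(text):
    """Parse key=value log lines into a dict keyed by message reference."""
    records = {}
    for line in text.strip().splitlines():
        fields = dict(_FIELD_RE.findall(line))
        if "ref" not in fields:
            continue  # not a message record; skip
        records[fields["ref"]] = fields
    return records


def reconcile(gateway_text, journal_text, printer_text):
    """Return findings for every message whose three records disagree."""
    sent = parse_records(gateway_text)
    journal = parse_records(journal_text)
    printed = parse_records(printer_text)
    findings = []
    for ref, msg in sorted(sent.items()):
        local = journal.get(ref)
        if local is None:
            findings.append(Finding(ref, "missing_from_journal",
                f"{msg['ccy']} {msg['amt']} left the network but has no local record"))
            continue
        if (local.get("ccy"), local.get("amt")) != (msg["ccy"], msg["amt"]):
            findings.append(Finding(ref, "amount_mismatch",
                f"gateway {msg['ccy']} {msg['amt']} vs journal "
                f"{local.get('ccy')} {local.get('amt')}"))
        if ref not in printed:
            findings.append(Finding(ref, "confirmation_not_printed",
                "in the journal but no hard-copy confirmation was produced"))
    # Journal entries with no matching outbound message are also suspicious
    # (fabricated local records).
    for ref in sorted(set(journal) - set(sent)):
        findings.append(Finding(ref, "journal_only",
            "local record with no matching outbound message"))
    return findings


if __name__ == "__main__":
    for f in reconcile(GATEWAY_LOG, ALLIANCE_JOURNAL, PRINTER_LOG):
        print(f"{f.ref}: {f.issue} ({f.detail})")
```

The value of the check comes entirely from where the gateway log is captured: it must be written by a device the attackers cannot reach from the compromised SWIFT host, otherwise all three sources can be edited in step. Run on the constructed data above, the script flags TX002 as deleted locally, TX003 as altered and TX004 as sent without a printed confirmation, while TX001 reconciles cleanly.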
Malware. 3kb of code that can destroy a bank.
The point of ingress can be a tiny piece of malware code which gives the hacker a back door into the bank network and, through it, to the systems where the bank’s SWIFT messages are generated and sent.
There are numerous ways that malware can be introduced into networks: a website that is browsed by a bank employee during their lunch hour, a file emailed as an attachment, even a compromised USB stick which the bank employee also uses on their home computer.
Sun Tzu would have found the concept of malware fascinating. Writing today he might have penned a line like: “find a crack in the wall of the fortress and prise it open.” Once the hacker has gained access to the network, they can help themselves to the bank’s funds.
Gottfried Leibbrandt, the CEO of SWIFT, summed up the scale of the opportunity by saying that a hack could be an ‘existential’ threat for banks, leaving them, quite literally, bankrupt.
“In the recent cases, thieves were able to move just some of those banks’ overseas assets. As a result, for the banks concerned, the events haven’t been existential. The point is that they could have been.”
Only a spelling mistake stopped a $1 billion hack.
The Bangladesh Bank hack involved some $81 million being stolen. According to Wikipedia, the 2014 per capita income of Bangladesh was $1,190 and GDP was $209 billion. So one assumes the theft of $81 million is something the country can ill afford … but it could have been more than ten times worse.
According to reports, the perpetrators had attempted to steal closer to $1 billion, but a spelling mistake in the beneficiary name on one of the payment instructions prompted a correspondent bank to query it, and the remaining transfers were halted. Theft on that scale would certainly have qualified as an ‘existential threat’ for the bank.
In fact, for a country to lose half a percent of GDP to hackers would have extraordinary repercussions. In terms of theft-to-GDP, Bangladesh losing $1 billion would be roughly like a US bank losing $85 billion in a single hack!
The amounts stolen, or targeted, in the other countries seem small by comparison. The bank in Ecuador is reported to have lost $9 million, and the unsuccessful attack on the Vietnamese bank attempted just over $1 million.
It is worth noting that Gottfried Leibbrandt places the responsibility for network security firmly with the banks:
“SWIFT, our network, software and our core messaging services have not been compromised. In Bangladesh and the other cases, the thieves compromised the IT environment and worked their way to the bank systems where the SWIFT instructions are generated and the confirmations received. And while we (and other providers) give tools and software to our customers, our customers run these in their own environment and need to keep them secure. We cannot secure our customers’ environments and cannot assume responsibility for that.”
SWIFT press release
In May 2016, the influential website Network World (link below) reported that “The SEC promises to step up regulation and SWIFT itself is expected to launch a new cyber security initiative this week that includes independent security audits of its customers.”
Also in May 2016, Network World (link below) reported that up to a dozen banks are investigating potential SWIFT breaches.
Banks who want to proactively test their resources and receive a detailed C-Suite report should look into the S-Diag risk assessment from SecludIT …
Find the malware that could destroy your business with SecludIT.
According to management consultants KPMG, 86% of CEOs say that cyber security is the biggest threat to their company. Research also shows that 71% of businesses were hacked in the last year … and 38% expect to be hacked in the year ahead. See our SlideShare presentation “The real cost of ignoring network security” for more details.
SecludIT is a leader in vulnerability detection for corporate networks. And the SWIFT hackers will be disappointed to note that SecludIT offers malware detection as part of the 50k+ threats it scans for. We have two solutions to offer banks and other organizations who want to close the door on hackers:
Elastic Detector. Easily configured, this application checks the entire network every day for potential malware and incorrectly configured servers. Elastic Detector has scanned over 100,000 virtual machines and found vulnerabilities in over 98% of cases. The cost is around $10 per server per month and includes detailed remediation tips for the company IT department.
S-Diag. A low cost ‘try before you buy’ diagnostic which carries out a deep scan of network resources to detect the presence of over 50,000 vulnerabilities. The finished-in-a-morning S-Diag scan includes a management summary for the C-Suite and a 1-to-1 phone appraisal from a SecludIT security expert.
SWIFT bank hack: reference sources.
SWIFT to unveil new security plan after hackers’ heists.
Hackers could cripple major world banks using our network, says Swift CEO.
How did hackers who stole $81 million from Bangladesh Bank go undetected?
Vietnamese bank reports another hacker attack on SWIFT money transfer system.
Third time unlucky for Swift as Ecuador bank hacked.
NetworkWorld: cybersecurity poses biggest risk to global financial system.
Up to a dozen banks are reportedly investigating potential SWIFT breaches.
SWIFT website: security statements.