February's hack against Bangladesh's central bank that netted $81m in diverted funds is one of the biggest cyber heists of all time. Now researchers think they've found the malware that did it.
A sample of the software nasty was obtained by researchers at defense contractors BAE Systems. The malware appears to have been custom built to use the global SWIFT (Society for Worldwide Interbank Financial Telecommunication) system and its Alliance Access backend.
SWIFT is an international inter-bank messaging system. The malware was designed to doctor transfers made via the network, bypass some safety routines set up by the bank, and thus cover the tracks of the thieves long enough for them to launder the funds.
The software nasty was inserted into the SWIFT terminal used by Bangladesh's central bank, reportedly after the crooks found and exploited a poorly configured network switch that hadn't been guarded by a firewall. (It turns out the bank had been relying on vulnerable $10 second-hand networking gear.)
Once installed, the malware tampered with messages between the Bangladeshi bank and an American bank, believed to be the Federal Reserve Bank of New York. This allowed the hackers to shift some funds from the Bangladeshi bank's reserve account in the US to accounts in the Philippines without being noticed.
The crooks also bypassed some physical safeguards in the system: their malware altered the printed confirmation of transactions to cover up their fraud.
"In order to hide the fraudulent transactions carried out by the attacker(s), the database/message manipulations are not sufficient. SWIFT network also generates confirmation messages, and these messages are sent by the software for printing," the researchers explain.
"If the fraudulent transaction confirmations are printed out, the banking officials can spot an anomaly and then respond appropriately to stop such transactions from happening. Hence, the malware also intercepts the confirmation SWIFT messages and then sends for printing the 'doctored' (manipulated) copies of such messages in order to cover up the fraudulent transactions."
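The cover-up described above works only because the bank's view of its transfers came from the same compromised terminal that printed the confirmations. The defensive counterpart is a reconciliation that compares an independently kept list of authorised payments and the terminal's confirmations against the counterparty's own statement of debits. The following is an added example (not code from BAE Systems, SWIFT or the bank); the record layout, field names and all transaction values are constructed for illustration and do not model real SWIFT message formats.

```python
"""Three-way reconciliation of outgoing transfers. Added example; not code
from BAE Systems, SWIFT or the bank. Field names and the record layout are
constructed for illustration and do not model SWIFT MT messages."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    ref: str          # transaction reference
    amount: Decimal   # amount in the account currency
    beneficiary: str  # beneficiary account identifier


def index_by_ref(entries):
    """Map reference -> entry; repeated references are returned separately."""
    by_ref, dupes = {}, []
    for e in entries:
        if e.ref in by_ref:
            dupes.append(e.ref)
        by_ref[e.ref] = e
    return by_ref, dupes


def reconcile(authorised, local_confirmations, counterparty_statement):
    """Return a list of (kind, ref, detail) findings.

    authorised:             what operators approved, kept somewhere the
                            messaging terminal cannot write to
    local_confirmations:    what the terminal reports or prints
    counterparty_statement: debits the account-holding bank reports

    The counterparty statement is checked directly against the authorised
    list, so a confirmation doctored on the local terminal cannot hide a
    debit the counterparty actually executed.
    """
    findings = []
    auth, dupes = index_by_ref(authorised)
    findings += [("duplicate_authorisation", r, "reference appears twice") for r in dupes]
    local, _ = index_by_ref(local_confirmations)
    stmt, _ = index_by_ref(counterparty_statement)

    # Debits the counterparty executed that were never authorised, or that
    # differ from what was authorised.
    for ref, s in stmt.items():
        a = auth.get(ref)
        if a is None:
            findings.append(("unauthorised_debit", ref,
                             f"{s.amount} to {s.beneficiary} not in authorised list"))
        elif (s.amount, s.beneficiary) != (a.amount, a.beneficiary):
            findings.append(("altered_transfer", ref,
                             f"authorised {a.amount} to {a.beneficiary}, "
                             f"executed {s.amount} to {s.beneficiary}"))

    # Local confirmations that disagree with the counterparty: the local
    # record, not the counterparty's, is the suspect one.
    for ref, l in local.items():
        s = stmt.get(ref)
        if s is None:
            findings.append(("confirmation_without_debit", ref,
                             "terminal confirmed a transfer the counterparty did not execute"))
        elif (l.amount, l.beneficiary) != (s.amount, s.beneficiary):
            findings.append(("doctored_confirmation", ref,
                             f"terminal shows {l.amount} to {l.beneficiary}, "
                             f"counterparty shows {s.amount} to {s.beneficiary}"))

    # Counterparty debits the terminal never confirmed at all.
    for ref in stmt:
        if ref not in local:
            findings.append(("suppressed_confirmation", ref,
                             "debit executed but no local confirmation"))

    # Authorised transfers not yet settled (operational, not necessarily fraud).
    for ref in auth:
        if ref not in stmt:
            findings.append(("unsettled", ref, "authorised but not on statement"))
    return findings


# Constructed sample data (not real transactions).
AUTHORISED = [
    Entry("TX-0001", Decimal("20000000.00"), "ACCT-A"),
    Entry("TX-0003", Decimal("1000000.00"), "ACCT-C"),
]
# What the terminal reported: TX-0002 is absent and TX-0003 shows the
# authorised amount, so the local view looks clean.
LOCAL_CONFIRMATIONS = [
    Entry("TX-0001", Decimal("20000000.00"), "ACCT-A"),
    Entry("TX-0003", Decimal("1000000.00"), "ACCT-C"),
]
# What the account-holding bank actually executed.
COUNTERPARTY_STATEMENT = [
    Entry("TX-0001", Decimal("20000000.00"), "ACCT-A"),
    Entry("TX-0002", Decimal("30000000.00"), "ACCT-X"),
    Entry("TX-0003", Decimal("9000000.00"), "ACCT-X"),
]


def sample_findings():
    return reconcile(AUTHORISED, LOCAL_CONFIRMATIONS, COUNTERPARTY_STATEMENT)


if __name__ == "__main__":
    for kind, ref, detail in sample_findings():
        print(f"{kind:24} {ref}  {detail}")
```

On the constructed data the terminal's own records reconcile perfectly with the authorised list, and it is only the counterparty statement that exposes the hidden TX-0002 debit and the altered TX-0003 amount. The design point is that the statement must arrive by a channel the compromised terminal does not mediate (a separate connection, or paper from the correspondent bank); otherwise the same malware that doctors printed confirmations could doctor the statement too.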
As it turns out, the attackers were trying to net $950m in stolen funds, but a typo on one of these requests was spotted by someone at Deutsche Bank, which was routing one of the transfer requests. The eagle-eyed official alerted the Bangladeshis and halted the payments after $81m had been diverted to overseas bank accounts.
In a statement, SWIFT said that the attack didn't exploit a vulnerability in its security systems and was entirely dependent on an attacker compromising a local terminal. Nevertheless, it is working to strengthen its customers' computer defenses.
"We have developed a facility to assist customers in enhancing their security and to spot inconsistencies in their local database records, however the key defence against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems – in particular those used to access SWIFT – against such potential security threats. Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems," it said. ®