On Monday (April 25), SWIFT announced that it is aware of “a number of recent cyber incidents where attackers had sent fraudulent messages over its system,” Reuters said. “SWIFT is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions’ back-offices, PCs or workstations connected to their local interface to the SWIFT network,” the group warned customers on Monday in a notice seen by Reuters.
This follows the publication, earlier in the day, of quite a few details about the breach by the BAE Threat Research Blog, which noted that the attackers attempted to steal $951 million, of which $81 million is still unaccounted for.
“This malware appears to be just part of a wider attack toolkit, and would have been used to cover the attackers’ tracks as they sent forged payment instructions to make the transfers. This would have hampered the detection and response to the attack, giving more time for the subsequent money laundering to take place,” the blog noted.
The report went into many of the particulars of the attack method. “The malware registers itself as a service and operates within an environment running SWIFT’s Alliance software suite, powered by an Oracle Database. The main purpose is to inspect SWIFT messages for strings defined in the configuration file. From these messages, the malware can extract fields such as transfer references and SWIFT addresses to interact with the system database. These details are then used to delete specific transactions, or update transaction amounts appearing in balance reporting messages based on the amount of Convertible Currency available in specific accounts. This functionality runs in a loop until 6am on 6th February 2016. This is significant given the transfers are believed to have occurred in the two days prior to this date. The tool was custom made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software as well as good malware coding skills.”
The full report is definitely worth a read.