Bangladesh Bank Hackers Accessed SWIFT System to Steal, Cover Tracks

Hackers behind the $81 million heist in February at Bangladesh Bank used stolen credentials to access the financial institution’s SWIFT payment system and a malware toolkit to cover their tracks.

Hackers behind the $81 million heist in February at Bangladesh Bank used stolen credentials to inject a malware toolkit into the financial institution’s implementation of the SWIFT payment system. The attackers used the access afforded by the credentials to send fraudulent money transfers to accounts in the Philippines and the malware was used to electronically cover the attackers’ tracks.

Researchers at BAE Systems today published a report with technical details on one component of the toolkit, a malware sample called evtdiag that was uploaded to a malware repository for analysis.

Evtdiag is a custom piece of malware built specifically for the Bangladesh Bank’s infrastructure and its installation of the SWIFT Alliance Access software. The software gives financial services professionals access to messaging exchange services between financial networks.

“This malware appears to be just part of a wider attack toolkit, and would have been used to cover the attackers’ tracks as they sent forged payment instructions to make the transfers,” said Sergei Shevchenko, a researcher with BAE. “This would have hampered the detection and response to the attack, giving more time for the subsequent money laundering to take place.”

SWIFT told Threatpost in a statement that it was aware of the malware and that it impacted only client-side installations, and that the SWIFT network and core messaging services were not breached.

“We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security,” SWIFT said in its statement.

SWIFT said it would update its software today and that it would also help customers spot anomalies in database records that could indicate an attack.

“However the key defense against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems – in particular those used to access SWIFT – against such potential security threats,” the statement said. “Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems.”

The February attack against Bangladesh Bank is among the largest on public record. A Reuters report published Friday said an investigator found that the bank was not running a firewall on its network and used $10 network switches to manage computers connected to the SWIFT payment network. The attackers made $951 million in fraudulent transactions from the bank’s Federal Reserve Bank of New York account, Reuters said; most of the payments were denied, and all but $81 million has been recovered.

The attackers exploited this lack of basic security to steal local credentials for the host machine, and then were able to inject the malware into SWIFT software locally. Dependent on a customer’s security configuration, other SWIFT installations could be at risk to similar injection attacks. BAE, meanwhile, said the toolkit is customizable and could be tailored to attack other institutions.

Today’s report on the malware said there were four components to the toolkit, and that evtdiag contained the logic for interacting with the SWIFT global network. BAE’s Shevchenko said the malware ran in a loop until two days after the fraudulent transfers happened.

“The malware registers itself as a service and operates within an environment running SWIFT’s Alliance software suite, powered by an Oracle Database.

“The main purpose is to inspect SWIFT messages for strings defined in the configuration file,” he wrote. “From these messages, the malware can extract fields such as transfer references and SWIFT addresses to interact with the system database. These details are then used to delete specific transactions, or update transaction amounts appearing in balance reporting messages based on the amount of Convertible Currency available in specific accounts.”

BAE said it remains unknown how the malware was loaded on to the Bangladesh Bank network or how the fraudulent transactions were sent.

What is known is that the attackers were not only able to carry out the theft, but also clean up after themselves not only by manipulating database entries, but also a safeguard that confirms transactions by printing them out for bank officials.

“To achieve that, the SWIFT messages the malware locates are read, parsed, and converted into PRT files that describe the text in Printer Command Language (PCL),” Shevchenko said. “These temporary PRT files are then submitted for printing by using another executable file called nroff.exe, a legitimate tool from the SWIFT software suite.”

BAE suggests that all financial organizations connected to SWIFT review their security immediately as the attackers’ knowledge of the payment system and malware coding is extensive.

“This attacker put significant effort into deleting evidence of their activities, subverting normal business processes to remain undetected and hampering the response from the victim,” Shevchenko said. “The wider lesson learned here may be that criminals are conducting more and more sophisticated attacks against victim organizations, particularly in the area of network intrusions (which has traditionally been the domain of the ‘APT’ actor). As the threat evolves, businesses and other network owners need to ensure they are prepared to keep up with the evolving challenge of securing critical systems.”

Suggested articles