Somewhere between $18 million to $20 million has gone missing during unauthorized interbank money transfers in Mexico’s central banking system.
Authorities are investigating the shadow transactions, but answers are thus far scarce. The affected banks and government officials are determining whether the cash drainage, reported Monday, is the work of organized criminals mounting a cyberattack – or whether it could be an insider threat or even just human error.
Mario Di Costanzo, head of Mexico’s government commission on finance, said in a press statement that “the identity and recipients of some transactions made through the SPEI have not been identified.” SPEI is the country’s SWIFT-like centralized electronic payment system.
Beyond the official line though, unnamed sources have told Reuters this week that the funds were siphoned to fraudulent accounts in a coordinated heist that involved creating hundreds of phantom wires at several institutions; on-the-ground accomplices then took out the funds in the form of cash withdrawals at “dozens” of branch offices.
Anthony James, CMO at CipherCloud, told Threatpost in an interview that signs point to a sophisticated actor at play.
“The attackers had to penetrate the network and gather authentications. It would seem they were resident in the network for some period of time and likely watched network transactions, approval authority and more,” he said.
“This is a high-end attack and requires expensive and sophisticated cyber-attacker resources,” he noted. “This sort of attack, since it takes so much time to plan and execute, was most likely funded by organized crime as a targeted and directed attack. This is a full-time business for organized crime – they have funded a relentless and continual assault on financial institutions worldwide. Money transfer is the holy grail for them with large dollar amounts – almost the perfect and completely unattributable crime.”
If the investigation sources are correct and the perpetrators had mules in employ to take care of physical withdrawals at local bank branches, an obvious set of suspects comes to mind, according to Kenneth Geers, chief research scientist at Comodo Cybersecurity.
“The attack in Mexico appears to be domestic in nature, unlike the SWIFT manipulation in Bangladesh, which we believe was carried out from North Korea,” he told Threatpost. “As money and power become digitized, Mexican crime syndicates have no choice but to invest greater resources in computer hacking.”
He added, “I think that dozens of withdrawals from branch offices means that these are physical withdrawals by people, which would be much harder for an Asian or Russian gang to achieve remotely…[and], the historic power of Mexican cartels is destined, like everything else, to evolve and shift to cybercrime.”
Vulnerabilities at the Root
Lorenza Martinez, head of operations at the central bank (Banco de Mexico, or Banxico, for short), told Bloomberg that at least five financial institutions were found in late April to have vulnerabilities stemming from third-party software that individual banks were using. Those vulnerabilities, discovered after a suspected cyberattack disrupted some transfers, would allow the compromise of those banks’ external connections to the country’s centralized electronic payment system, SPEI.
After that revelation, Banxico asked member banks to up their security game by transitioning to an in-house, encrypted system—a migration which has sent some transactions grinding to a halt for consumers, including debit card charges, e-payments and ATM withdrawals. Even though at least 20 financial institutions have migrated to the new platform, cyberattacks have been ongoing, including one on a bank just last week, Martinez said. It’s unclear whether these attacks are related to the theft of the funds.
The incident points out the weak links that persist in the global financial system.
“Cybersecurity strategies based upon protecting the perimeter through sophisticated firewalls and endpoint defense alone are insufficient,” James said in the interview. “Recent news shows us that despite such formidable defenses, cyber-attackers are succeeding at an ever-increasing rate. Part of the problem with most financial institution networks is that they consider a user, once inside the network, to be trusted. That is, you have continual and unfettered access to network resources, traffic, you can move through the network laterally, and so on.”
Banxico said that it’s helping its bank partners to beef up their security postures, and is conducting a regulatory audit on banks’ security compliance levels. It also will require frequent stress tests in the future to ensure preparedness in the face of an attack.
The central bank in a statement (PDF) on Monday said that it’s asking members to “implement additional control measures aimed at strengthening their systems of detection of irregular transfers, verify the integrity of their operations and avoid possible adverse effects on financial institutions, to the rest of the [SPEI] participants and the system as a whole.”
