Reports of additional attacks against banks that use SWIFT, the global financial transaction messaging network, came to light Wednesday. The attacks were reportedly persistent, sophisticated and in some cases successful, impacting an undisclosed number of financial institutions.
It’s the latest development since February, when cybercriminals used SWIFT to steal $81 million in a Bangladesh Bank heist. Reports of the latest bank attacks come from a private letter, obtained by the Reuters news agency, that SWIFT sent to its clients informing them of the attacks and urging them to shore up their cyber defenses.
The letter told clients that SWIFT customer “environments” have been compromised and that the possibility of a “threat is persistent, adaptive and sophisticated – and it is here to stay,” according to Reuters.
The letter said attackers were attempting to use customer environments to send fraudulent payment instructions for SWIFT-enabled transfers. The letter informed clients that the attempted thefts surfaced in June and that cybercriminals had stolen an undisclosed sum of money from a number of different unnamed victims.
SWIFT, which stands for Society for Worldwide Interbank Financial Telecommunication, is a private network used by financial organizations to send and receive transactions.
While details are scant on the most recent attacks, SWIFT said the common thread between the attacks was weak local security, which allowed attackers to compromise networks and send bogus messages requesting bank transfers.
Since the February theft, SWIFT has been stepping up efforts to prod banks to tighten security. Earlier this month SWIFT announced a security tools campaign that introduced an updated two-factor authentication system in its products to help customers protect access to SWIFT interfaces.
In the letter obtained by Reuters and sent to clients, SWIFT reiterated a call for banks to improve authentication systems. Additionally, SWIFT threatened banks with an ultimatum to update to the latest version of the SWIFT software by a Nov. 19 deadline or risk being reported to regulators and banking partners.
“What is surprising is the omission from some so closely associated with the organization that SWIFT failed to address end user risk much sooner,” said Mark McArdle, CTO of security firm eSentire, in a prepared statement. “End user risk isn’t something new; attackers commonly use smaller organizations as gateways to larger targets (like the HVAC supplier exploited in the 2014 Target attack).”
In the case of February’s Bangladesh Bank heist, attackers used stolen credentials to access the SWIFT network and injected malware into the bank’s implementation of the network to transfer money to accounts in the Philippines. It has been reported that the bank was not running a firewall and was using $10 commodity switches to manage computers connected to the SWIFT network.
In May, SWIFT warned of an attack against Vietnam’s Tien Phong Bank. SWIFT said the attack vector was malware targeting a PDF reader used by banks to check statement messages, in particular payment confirmations via PDF. Again in May, Banco del Austro SA in Ecuador said hackers exploited the SWIFT protocol to steal money. Later that month, SWIFT issued a statement to banks warning its users that fraud continues to be a major problem, and reassuring them that the security of the SWIFT network remains intact.