The hacking heist of $81 million from Bangladesh's central bank exposes weaknesses in the security platforms many banks still rely on, and makes the case for blockchain-based security.
Investigators at BAE Systems, a U.K.-based defense contractor, believe the attackers compromised the bank's software for the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging platform, which sits at the heart of the global financial system, Reuters reported.
SWIFT confirmed it was aware of malware attacks on its client software. Natasha Deteran, a SWIFT spokeswoman, said the cooperative will release an update Monday to thwart the malware in addition to a warning to financial institutions to scrutinize security procedures.
The unprecedented cyber heist indicates that Brussels, Belgium-based SWIFT, which is owned by 3,000 financial institutions and whose messaging network is central to the security of the global financial system, is more exposed than many realize.
Given the severity of the Bangladesh hack, financial firms would be remiss not to consider blockchain-based technology.
The actual rate of successful intrusions is likely higher than commonly recognized, because most organizations lack adequate systems for tracking the attacks that do succeed, according to a recent report on database security by Osterman Research, “Identifying Critical Gaps in Database Security.” Just 19 percent of organizations reported “excellent” visibility into their data and database assets, CCN.com reported.
Financial institutions are investigating the use of blockchain technology for the efficiencies in areas such as transfers, authentication and remittances. These institutions should also consider blockchain’s security capabilities.
Deploying blockchain-based security would strengthen the integrity of financial institutions' records while also laying the foundation for serving the millions of unbanked, another critical need the legacy financial infrastructure has failed to address.
Guardtime, a cybersecurity solutions collective, is an example of how blockchain security solutions are being applied to critical infrastructure, CCN.com reported. Guardtime is developing measures to protect and safeguard critical infrastructure in the U.K. such as nuclear power stations, the electricity grid and flood defense systems.
Guardtime's approach scales so that even the slightest change in a sensor reading or record is flagged as possible malicious activity, giving administrators the means to respond to such attacks in real time.
The entire process could be automated, with the system itself detecting and mitigating attacks without human input.
SWIFT, meanwhile, is issuing a software update to assist customers in improving security and to identify inconsistencies in local database records.
BAE researchers said they discovered malware the Bangladesh Bank attackers used against the bank's SWIFT client software, Alliance Access. BAE planned to publish its findings about the malware in a blog post Monday. The attackers used the malware to delay discovery of the heist.
The attackers attempted fraudulent transfers totaling $951 million in February from Bangladesh Bank's account at the Federal Reserve Bank. Most of the payments were blocked, but $81 million was routed to the Philippines and diverted to casinos. Most of those funds remain missing.
Investigators said the hackers penetrated Bangladesh Bank's computers and took control of credentials used to log into the SWIFT system. The SWIFT client software was likely compromised to erase records of the illicit transfers, according to BAE.
Deteran of SWIFT said 11,000 banks and institutions globally use the SWIFT messaging platform. Only some use the Alliance Access software.
SWIFT could release more updates as it discovers more about the attack and other threats, according to Deteran. The key defense against such attacks is for users to deploy “appropriate security measures” in their local environments, Deteran said.
Adrian Nish, head of BAE’s threat intelligence, said he has never seen such an elaborate hacker scheme.
“I can’t think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in,” he said.
“I guess it was the realization that the potential payoff made that effort worthwhile,” he added.
A Bangladesh Bank spokesperson declined to comment.
The investigators did not find the malware that BAE described, according to the Bangladesh Police’s Criminal Investigation Department. Forensics experts had not finished their probe at the time of this report.
The bank’s security measures were seriously deficient and lacked basic precautions such as firewalls, Bangladesh investigators said last week. The bank relied on second-hand, $10 switches in its local networks, the investigators said.
Mohammad Shah Alam, head of the Bangladesh police criminal investigation department’s Forensic Training Institute, said SWIFT and the bank are both to blame for the problems. He said it was their responsibility to point out the vulnerability, “but we haven’t found any evidence that they advised before the heist.”
BAE’s alert includes technical indicators that the company hopes banks can use to prevent similar attacks, including the IP address of a server in Egypt that the attackers used to monitor Bangladesh Bank staff's use of the SWIFT system.
The evtdiag.exe malware hid the hackers’ tracks by altering information in a SWIFT database at Bangladesh Bank that records transfer requests, BAE noted.
The evtdiag.exe was likely a part of a broader attack toolkit installed after the attacker gained administrative credentials, BAE said.
How the attackers ordered the money transfers remains unclear.
BAE found evtdiag.exe in a malware repository and had not analyzed the infected servers directly, Nish said. Such repositories receive millions of new samples a day from government agencies, researchers, businesses and members of the public, who upload files to learn whether they are malicious.
Nish is confident the hackers used the malware: it was compiled close to the heist date, it contained detailed information on the bank’s operations, and it was uploaded from Bangladesh.
The tools, techniques and procedures used in the attack could be reused by the hackers against other targets, according to BAE.
Nish said the malware was designed to make a small change to the Alliance Access software installed at Bangladesh Bank, allowing the hackers to modify the database that logged the bank's activity over the SWIFT network.
After establishing a foothold, the malware could remove records of outgoing transfer requests from the database and intercept incoming messages confirming the transfers the hackers had ordered, Nish noted.
It could also manipulate account balances to prevent the heist from being detected until after the funds were laundered.
The malware also manipulated the printer that produced hard copies of transfer requests, so the bank would not spot the attack from the printouts, Nish said.
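The behaviours described here (deleting outgoing transfer records from the local database, altering balances, and defeating the printout copy) and the Guardtime approach described earlier (flag any change to a record) reduce to one control: keep an independent, append-only record of what was actually sent, and reconcile the client host's database against it. The following is an added example, not code from the article, SWIFT, BAE or Guardtime. It assumes a hypothetical `ref` field on each transfer request, an anchor store that runs outside the SWIFT client host, and constructed sample records.

```python
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64


def fingerprint(record: Dict) -> str:
    """SHA-256 of the record's canonical JSON: any edit to amount, beneficiary, etc. changes it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def chain_head(records: List[Dict]) -> str:
    """Hash chain over the log in order: h_i = SHA256(h_{i-1} || fingerprint(r_i)).
    Removing or rewriting any record changes every later link, so a head stored
    outside the SWIFT client host is evidence against the whole log at once."""
    h = GENESIS
    for r in records:
        h = hashlib.sha256((h + fingerprint(r)).encode()).hexdigest()
    return h


def make_anchor(records: List[Dict]) -> Dict:
    """What the out-of-band store keeps as each message leaves the bank: per-record
    fingerprints keyed by the (hypothetical) message reference, plus the chain head."""
    return {"entries": {r["ref"]: fingerprint(r) for r in records},
            "head": chain_head(records)}


def reconcile(local_records: List[Dict], anchored: Dict) -> Dict:
    """Compare the client host's current log with the anchored copy."""
    local = {r["ref"]: fingerprint(r) for r in local_records}
    known = anchored["entries"]
    return {
        "deleted": sorted(set(known) - set(local)),      # erased from the local DB
        "modified": sorted(r for r in local if r in known and local[r] != known[r]),
        "unanchored": sorted(set(local) - set(known)),   # present locally, never anchored
        "head_ok": chain_head(local_records) == anchored["head"],
    }


def expected_balance(opening: int, anchored_records: List[Dict]) -> int:
    """Balance implied by the anchored log; a local DB reporting more has been manipulated."""
    return opening - sum(r["amount"] for r in anchored_records)


# Constructed sample: the anchor captured three requests as they were sent; the
# local log was then edited so the third request no longer appears.
ANCHORED_RECORDS = [
    {"ref": "T1", "amount": 150_000, "ccy": "USD", "beneficiary": "Beneficiary A"},
    {"ref": "T2", "amount": 60_000, "ccy": "USD", "beneficiary": "Beneficiary B"},
    {"ref": "T3", "amount": 200_000, "ccy": "USD", "beneficiary": "Beneficiary C"},
]
ANCHOR = make_anchor(ANCHORED_RECORDS)
TAMPERED_LOCAL_LOG = [r for r in ANCHORED_RECORDS if r["ref"] != "T3"]
OPENING_BALANCE = 1_000_000
LOCAL_REPORTED_BALANCE = 790_000  # what the manipulated client DB shows: opening - T1 - T2


def audit() -> Dict:
    """Run the reconciliation on the sample and report every discrepancy found."""
    findings = reconcile(TAMPERED_LOCAL_LOG, ANCHOR)
    findings["expected_balance"] = expected_balance(OPENING_BALANCE, ANCHORED_RECORDS)
    findings["balance_gap"] = LOCAL_REPORTED_BALANCE - findings["expected_balance"]
    return findings


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The anchor only helps if it is written by something the attacker's administrative credentials on the client host cannot reach: a separate system, or a chain head published to an external ledger, which is the property the blockchain framing above is after. Otherwise a toolkit like evtdiag.exe could simply delete the record from both copies. The printer in the passage served the same purpose as an out-of-band copy, which is why the attackers had to tamper with that channel as well.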
Last modified: July 13, 2020 3:16 AM UTC