A third bank was a victim of cyber heist that involved the SWIFT

Pierluigi Paganini May 21, 2016

The Ecuador Bank Banco Del Austro of Cuenca was hacked by threat actors that once again involved the SWIFT systems to stole $12 Million.

A third bank was the victim of a cyber heist, the Ecuador Bank was hacked by threat actors that targeted the SWIFT systems and stole $12 Million.

In  February hackers have stolen $81 Million from the Bangladesh central bank and a few days ago, the SWIFT (Society for Worldwide Interbank Financial Telecommunications) announced that a second commercial bank was a victim of a cyber heist, the crime appears to be part of a broad online attack on global banking.

At this point it is clear that we are facing a widespread cyber attack on global banking and financial industry, threat actors are targeting the principal component of their infrastructure, the SWIFT.

When the second cyber heist was confirmed, Natasha de Teran, the SWIFT spokeswoman, revealed the existence with multiple similarities with the Bangladesh bank heist and added that both were very likely part of a “wider and highly adaptive campaign targeting banks.”

“The unusual warning from Swift, a copy of which was reviewed by The New York Times, shows how serious the financial industry regards these attacks to be. Some banking experts say they may be impossible to solve or trace.” the NY Times reported. “Swift said the thieves somehow got their hands on legitimate network credentials, initiated the fraudulent transfers and installed malware on bank computers to disguise their movements.”

The hackers are exploiting the SWIFT, a global banking messaging system used by banks worldwide to transfer Billions of dollars each day.

SWIFT cyberheist

Today we are discussing a third attack suffered by the Ecuadorian Banco del Austro (BDA) bank, also in this case threat actors involved the SWIFT system and stole $12 million from the financial institution.

The attack occurred in January 2015, it was revealed via a lawsuit filed by the Ecuadorian Bank against Wells Fargo that sued US bank over hacker thefts.

“Wells Fargo Bank failed to follow its own fraud detection policies, honoring millions of dollars of fraudulent international transactions that should have triggered alerts, a lawsuit by an Ecuadorian bank alleges.” reported the Reuters.

“Filed by Banco Del Austro of Cuenca, Ecuador, the lawsuit said Wells Fargo failed to flag or block suspicious transactions, allowing hackers o withdraw more than $12 million over a 10-day period in January last year.”

“Wells Fargo has also fired back and blamed BDA’s information security policies and procedures for the heist and noted that it “properly processed the wire instructions received via authenticated SWIFT messages,” reads court documents visioned by the Reuters.

In all the attacks, the attackers used a sophisticated strain of malware to compromise bank networks and access to the SWIFT messaging network.

One inside the systems of the victim, the attackers sends fraudulent messages via SWIFT to transfers million of dollars from accounts at victim banks.

The researchers at BAE firm discovered the presence of malware, dubbed evtdiag.exe, in the systems at the Bangladesh Bank, the code was allegedly used to manipulate SWIFT client software known as Alliance Access.

The hackers took control of credentials that were used to log into the SWIFT system, by the BAE experts discovered that the SWIFT software at the Bangladesh Bank was compromised in order to manage the illicit transfers.

“The tool was custom made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software as well as good malware coding skills,” reads a blog post published by the BAE firm.

“This would have hampered the detection and response to the attack, giving more time for the subsequent money laundering to take place.”

swift bangladesh bank heist malware

The experts believe the tools used by the hackers could be used for similar attacks in the future.

“The malware registers itself as a service and operates within an environment running SWIFT’s Alliance software suite, powered by an Oracle Database.” continues the post.

In the attack on the Ecuadorian Bank experts discovered that in just ten days hackers used SWIFT credentials of a bank employee to hijack financial transactions for at least 12 transfers amounting to over $12 Million. The transfers were redirected to accounts in Hong Kong, Dubai, New York and Los Angeles.

There are a number of errors that advantaged the attacks, for example, the incident was not disclosed for months, we now know about the heist due to the legal action of the BDA against the Wells Fargo which was responsible for approving the fraudulent transfers. The lack of information sharing on the incident allowed the attackers to continue their action.

SWIFT was not informed by both BDA nor Wells Fargo as confirmed in an official statement.

“We were not aware,” SWIFT said in a statement. “We need to be informed by customers of such frauds if they relate to our products and services so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information, and are reminding customers of their obligations to share such information with us.”

According to the Reuters, the SWIFT told clients on Friday to share information on attacks on the system to help prevent further incidents.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.


[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Bangladesh bank, hacking)

you might also like

leave a comment