Threat Intelligence

New Wave of Cyber-attacks on Banks

Daniel Dimov, June 9, 2016

1. Introduction

In the past two years, the financial world has been stunned by three major cyber-attacks on banks, namely, (1) the attack on Ecuadorian Banco del Austro in January 2015, (2) the attack on Vietnam's Tien Phong Commercial Joint Stock Bank in May 2015, and (3) the attack on Bangladesh Central Bank in February 2016. The three breaches were committed by utilizing the digital infrastructure of the targeted banks and exploiting weaknesses in the systems that connect banks to the global SWIFT (Society for Worldwide Interbank Financial Telecommunication) network. Two of the incidents resulted in immense financial losses amounting to around USD 100 million and raised discussions about the reliability and security of the digital networks used by banks all over the world. Our article discusses each of the aforementioned attacks in more detail (Sections 2-4) and compares them (Section 5). At the end of the article, a conclusion is drawn (Section 6).

2. Attack against Ecuadorian Banco del Austro

The cyber-attack against Ecuadorian Banco del Austro (BDA) was conducted in January 2015. It caused financial losses of USD 12 million. During the heist, funds from the BDA were routed to more than 20 companies located in Hong Kong, Dubai, the U.S., and other jurisdictions. Most of the companies that received the stolen money were not effectively operating and had no clearly defined business activities. After identifying the breach, the BDA succeeded in recovering USD 2.8 million and hopes to recover more in the future.

The attack against the Ecuadorian bank was carried out by hackers over a period of 10 days. The ongoing investigation of the crime shows that the fraudulent transactions initiated by the hackers contained several anomalies that should have raised the suspicions of the bank's employees, such as transfers initiated after the bank's working hours, beneficiaries located in untypical geographic locations, and uncommon amounts of money being transferred.
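The three anomalies named above are the kind of signals an automated pre-release screen can check before a payment message leaves the bank. The following is an added example, not code from the article or from any bank or SWIFT product; the record layout, the working-hours window, the amount multiplier and the sample transfers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

@dataclass(frozen=True)
class Transfer:
    ref: str                  # bank-internal reference (constructed)
    initiated: datetime       # local time at the initiating desk
    beneficiary_country: str  # ISO 3166-1 alpha-2 code
    amount_usd: float

BUSINESS_HOURS = (8, 18)      # assumed operating window, Monday to Friday

def screen(tx, history, hours=BUSINESS_HOURS, factor=5.0):
    """Return the anomalies a transfer trips when compared with past traffic."""
    reasons = []
    hour = tx.initiated.hour
    # Signal 1: initiated outside the bank's working hours or on a weekend
    if tx.initiated.weekday() >= 5 or not (hours[0] <= hour < hours[1]):
        reasons.append("initiated outside working hours")
    # Signal 2: beneficiary in a country this bank has never paid before
    if tx.beneficiary_country not in {t.beneficiary_country for t in history}:
        reasons.append(f"no prior transfers to {tx.beneficiary_country}")
    # Signal 3: amount far above the typical (median) historical transfer
    typical = median(t.amount_usd for t in history)
    if tx.amount_usd > factor * typical:
        reasons.append(f"amount is {tx.amount_usd / typical:.0f}x the typical transfer")
    return reasons

def review_queue(batch, history, min_flags=2):
    """Hold for manual approval every transfer that trips min_flags or more rules."""
    held = []
    for tx in batch:
        reasons = screen(tx, history)
        if len(reasons) >= min_flags:
            held.append((tx.ref, reasons))
    return held

# Constructed baseline: ordinary correspondent-bank traffic on weekday mornings
HISTORY = [
    Transfer("H1", datetime(2015, 1, 5, 10, 15), "US", 150_000),
    Transfer("H2", datetime(2015, 1, 6, 11, 0), "DE", 90_000),
    Transfer("H3", datetime(2015, 1, 8, 14, 30), "US", 210_000),
    Transfer("H4", datetime(2015, 1, 9, 9, 45), "GB", 120_000),
]
# Constructed batch: one routine transfer and one matching the heist pattern
BATCH = [
    Transfer("T1", datetime(2015, 1, 12, 10, 5), "DE", 130_000),
    Transfer("T2", datetime(2015, 1, 17, 2, 40), "HK", 1_400_000),  # Saturday, 02:40
]

if __name__ == "__main__":
    for ref, reasons in review_queue(BATCH, HISTORY):
        print(ref, "->", "; ".join(reasons))
```

Requiring two independent signals before holding a payment keeps a single late-night but otherwise normal transfer from clogging the review queue, while a transfer that is late, to a new country and ten times the usual size is stopped for a second pair of eyes.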

SWIFT and the general public learned about the attack only recently, 15 months after it occurred. This suggests that banks hesitate to disclose information about cyber-attacks against them in order to prevent reputational damage. In response to the attack, SWIFT published the following statement: "We specifically remind all users to respect their obligations to inform Swift immediately of any suspected fraudulent use of their institution's Swift connectivity."

3. Attack against Vietnamese Tien Phong Bank

Vietnam's Tien Phong Bank (TP Bank) announced that it succeeded in interrupting a cyber-attack in December 2015. Although the hackers attempted to use fraudulent SWIFT messages to transfer more than 1 million euros from the TP Bank, the bank was quick to notice the attack and stop the fraudulent messages, thus preventing any financial losses. Unlike in the BDA case, the fraudulent messages in the TP Bank case were sent not through the bank's own network but through the infrastructure of an outside vendor hired by the Vietnamese bank to connect it to the SWIFT messaging system. After discovering the information security breach, the TP Bank immediately stopped working with the vendor.

The attack on the TP Bank clearly demonstrates the need for urgent action to halt cyber-attacks on financial institutions. The advanced technological skills of the TP Bank's staff may have been one of the reasons the impact of the attack was mitigated. The TP Bank is regarded as one of Vietnam's most technologically savvy banks. In 2016, it received a "Best Internet Banking" prize from The Asian Banker (www.theasianbanker.com).

4. Attack against Bangladesh Central Bank

In February 2016, a fraudulent transfer of USD 850 million from Bangladesh Central Bank was blocked after SWIFT detected a spelling error in the name of the recipient (the recipient was spelled "Shalika Fandation" instead of "Shalika Foundation"). However, Bangladesh Central Bank was not able to stop the transfer of USD 101 million. The stolen money was directed to the bank accounts of various casinos and Chinese gambling firms. After identifying the heist, Bangladesh Central Bank managed to recover USD 20 million and hopes to recover the remaining USD 81 million in the future.

The attack, which has been called "one of the largest bank heists in history," appears to have originated from outside Bangladesh. The forensic investigation found traces of multiple hackers located in North Korea, Pakistan, and other countries. To conduct the attack, the hackers created a piece of malware named evtdiag.exe, which prevented the system responsible for checking monetary transactions from functioning properly. This type of malware is difficult to detect: according to the cyber-security company FireEye, it takes around 146 days for an organization infected with evtdiag.exe to become aware that its systems are compromised.

One of the reasons why Bangladesh Central Bank was chosen for such a financial heist seems to be its weak information security. For example, the Bangladesh Forensic Training Institute found that the hacked bank used cheap second-hand switches to connect to the global SWIFT network. The switches were not only old but also not protected by a firewall. The lack of appropriate information security protection is the main reason for the success of cyber-attacks on financial institutions. In this regard, Kaspersky Lab expert Sergey Lozhkin stated: "When it comes to cyber-infrastructure, then even the largest banks are not always careful enough to merely update the software their employees use. Sometimes they just forget about it or don't think important and so the malware can use the system's vulnerability to penetrate it."

5. Comparative analysis of the three attacks

To compare the three attacks, we briefly outline the similarities and differences between them. All three attacks share the following similarities:

  • Hackers compromised the infrastructure used by the targeted banks with the aim of obtaining the credentials of operators authorized to initiate and approve monetary transactions in the SWIFT network;
  • Attackers managed to obtain valid credentials of SWIFT operators unlawfully;
  • The transactions were initiated by sending fraudulent SWIFT messages on behalf of the people whose credentials had been unlawfully obtained;
  • Hackers targeted large amounts of money;
  • The crimes were committed through multiple fraudulent transfers; and
  • The targets chosen by the hackers were financial institutions, rather than their individual customers.

However, there are differences between the three financial heists discussed above, such as:

  • The stolen amounts differ;
  • The Vietnamese attack was not successful;
  • The Vietnamese attack was conducted using the infrastructure of a third party, whereas the other two attacks were conducted using the infrastructure of the targeted banks.

Our analysis shows that all three banks were targeted using similar hacking techniques. Hence, the global banking community can easily prevent further attacks by adopting appropriate measures. The greatest challenge in preventing information security attacks is that new, unforeseen attack patterns are difficult to uncover.

The use of similar hacking techniques also suggests that the three attacks may have been conducted by the same attacker or group of attackers. In an article dated 26 May 2016, Symantec argued that the attacks on the TP Bank and Bangladesh Central Bank are linked to a hacking group in North Korea. More specifically, Symantec stated: "Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited, targeted attacks against financial institutions in the region means these tools can be attributed to the same group."

The possible attacker, a state-sponsored group called "Lazarus," has been conducting cyber-attacks since 2009. The following attacks are attributed to "Lazarus": (1) the DDoS attack on U.S. and South Korean websites (MYDOOM) in 2009, (2) the attacks on South Korean media, financial, and critical infrastructure in 2011, (3) the attack on a conservative South Korean media organization (ISOne) in 2012, (4) the attacks on South Korean broadcasters and banks in 2013, and (5) the attacks on Sony Pictures in 2014. The "specialty" of the group is Backdoor.Destover, a highly destructive Trojan, which was used in the well-known attacks against Sony Pictures Entertainment.

6. Conclusion

The three breaches examined in this article indicate that the global banking system is still vulnerable to cyber-attacks. If the global financial network does not take urgent measures to stop the new wave of cyber-attacks on banks, the wave may be transformed into a tsunami resulting in the loss of billions of dollars. The preventive measures may include, but are not limited to, (1) the introduction of global certification requirements for outside vendors that connect banks to the SWIFT messaging system, (2) the adoption of automated and manual measures aimed at identifying suspicious interbank transactions, (3) security audits aimed at identifying vulnerabilities in banking infrastructure, (4) improved information sharing among banks, and (5) procedures for the quick recovery of stolen funds.

Some organizations, such as the European Central Bank (ECB), have already responded to the attacks in Ecuador, Vietnam, and Bangladesh. Banks in the Eurozone will be obliged to notify the ECB about "significant" cyber-attacks. The notifications will be sent through a real-time alert system. The ECB will examine the notifications and provide the banks in the Eurozone with information on how to avoid information security breaches. The ECB may also share the collected data with other central banks, such as the US Federal Reserve and the Bank of England, in order to protect global banking networks in the future.



Co-Author

Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.

Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.