Cyber thieves hit another bank, through links to Swift network

The Swift logo is pictured in this photo illustration taken on April 26, 2016. PHOTO: REUTERS

NEW YORK • Thieves have again found their way into what was thought to be the most secure financial messaging system in the world and stolen money from a bank. The crime appears to be part of a broad online attack on global banking.

New details about a second attack involving Swift - the messaging system used by thousands of banks and companies to move money around the world - are emerging as investigators are still trying to solve the US$81 million (S$111 million) heist from the central bank of Bangladesh in February.

In that heist, the attackers compelled the Federal Reserve Bank of New York to move money to accounts in the Philippines.

The second attack involves a commercial bank, which Swift declined to identify.

But in a letter Swift sent to its users on Friday, the messaging network warned that the two attacks bore numerous similarities and were very likely part of a "wider and highly adaptive campaign targeting banks".

  • A system used by thousands of banks, firms

  • The Society for Worldwide Interbank Financial Telecommunication (Swift) is used by thousands of banks and companies to move money around the world.

    Founded in 1973, Swift provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardised and reliable environment.

    Swift does not facilitate funds transfer: rather, it sends payment orders, which must be settled by correspondent accounts that the institutions have with each other. This is made possible by the use of a common language for international financial messaging.

    Hundreds of billions of US dollars are moved internationally through the Swift system every day by around 11,000 clients in around 200 countries and territories worldwide.

    It bills itself as the "global provider of secure financial messaging services" and claims excellence, community and innovation as core values. All three are now under threat as a result of the recent hacking attacks.

This time, the hackers used malware to target a PDF reader used by the customer to check its statement messages, Swift said on Friday.

It did not say whether it suspected the same hackers or whether more money was taken.

Customers using PDF reader applications to check confirmation messages should take particular care, said Swift.

Hundreds of billions of dollars are moved internationally through the Swift system every day.

The unusual warning from Swift shows how seriously the financial industry regards these attacks.

Some banking experts say they may be impossible to solve or trace.

Swift said the thieves somehow got their hands on legitimate network credentials, initiated the fraudulent transfers and installed malware on bank computers to disguise their movements.

Swift said in its warning: "The attackers clearly exhibit a deep and sophisticated knowledge of specific operation controls within the targeted banks - knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both."

Swift also pointed to another worrying situation: that the gang of thieves may have been able to recruit bank employees to hand over credentials and other key details.

In both cases, the core messaging system of Swift was not breached. Rather, the criminals attacked the banks' connections to the Swift network.

Each bank is responsible for maintaining the security of its connection to Swift. Digital criminals have found ways to exploit loopholes in bank security to obtain login credentials and dispatch fraudulent Swift messages.

Banks, like many major corporations, are constantly under attack by criminals seeking to find the weak point in their defences.

An attack in 2014 on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, but no money was stolen.

Thieves frequently steal bank customers' ATM and credit card credentials.

But these attacks involving Swift stand out, because millions of dollars were stolen not from a large number of customers, but from the banks themselves.

It is as if the thieves used their hacking skills to reach inside a bank vault.

Emboldened and enriched, the thieves are likely to strike again, security experts predict.

Security and encryption expert Paul Kocher said: "An event like this changes the risk profile for the banking system, since the attackers will inevitably reinvest some of their profits in new large-scale attacks."


A version of this article appeared in the print edition of The Straits Times on May 14, 2016, with the headline 'Cyber thieves hit another bank, through links to Swift network'.