date 2016-04-25
(Adds that it is still not known how attackers created the
fraudulent messages)
By Jim Finkle
April 25 The attackers who stole $81 million
from the Bangladesh central
bank probably hacked into software from the SWIFT financial
platform that is at the heart of the global financial system,
said security researchers at British defense contractor BAE
Systems.
SWIFT, a cooperative owned by 3,000 financial institutions,
confirmed to Reuters that it was aware of malware targeting its
client software. Its spokeswoman Natasha Deteran said SWIFT on
Monday released a software update to thwart the malware, along
with a special warning for financial institutions to scrutinize
their security procedures.
The developments coming to light in the unprecedented
cyber-heist suggest that a lynchpin of the global financial
system could be more vulnerable than previously understood
because of weaknesses that enabled attackers to modify a SWIFT
software program installed on bank servers.
The new evidence suggests that hackers manipulated the
Alliance Access server software, which banks use to interface
with SWIFT's messaging platform, in a bid to cover up fraudulent
transfers that had been previously ordered.
The findings from BAE and SWIFT do not explain how the
fraudulent orders were created and pushed through the system.
That remains a key mystery in ongoing probes into the heist.
Deteran told Reuters on Sunday that SWIFT was issuing the
software update "to assist customers in enhancing their security
and to spot inconsistencies in their local database records."
She said "the malware has no impact on SWIFT's network or core
messaging services."
The software update and warning from Brussels-based SWIFT,
or the Society for Worldwide Interbank Financial
Telecommunication, come after researchers at BAE, which
has a large cyber-security business, told Reuters they believe
they discovered malware that the Bangladesh Bank attackers used
to manipulate SWIFT client software known as Alliance Access.
BAE published its findings on Monday in a blog post on
malware that it said thieves used to cover their tracks and
delay discovery of the heist.
The cyber criminals tried to make fraudulent transfers
totaling $951 million from the Bangladesh central bank's
account at the Federal Reserve Bank of New York in February.
Most of the payments were blocked, but $81 million was
routed to accounts in the Philippines and diverted to casinos
there. Most of those funds remain missing.
Investigators probing the heist had previously said the
still-unidentified hackers had broken into Bangladesh Bank
computers and taken control of credentials that were used to log
into the SWIFT system. But the BAE research shows that the SWIFT
software on the bank computers was probably compromised in order
to erase records of illicit transfers.
The SWIFT messaging platform is used by 11,000 banks and
other institutions around the world, though only some use the
Alliance Access software, Deteran said.
SWIFT may release additional updates as it learns more about
the attack in Bangladesh and other potential threats, Deteran
said.
It is also reiterating a warning to banks that they should
review internal security.
"Whilst we keep all our interface products under continual
review and recommend that other vendors do the same, the key
defense against such attack scenarios is that users implement
appropriate security measures in their local environments to
safeguard their systems," Deteran said.
Adrian Nish, BAE's head of threat intelligence, said he had
never seen such an elaborate scheme from criminal hackers.
"I can't think of a case where we have seen a criminal go to
the level of effort to customize it for the environment they
were operating in," he said. "I guess it was the realization
that the potential payoff made that effort worthwhile."
A Bangladesh Bank spokesman declined comment on BAE's
findings.
A senior official with the Bangladesh Police's Criminal
Investigation Department said that investigators had not found
the specific malware described by BAE, but that forensics
experts had not finished their probe.
Bangladesh police investigators said last week that the
bank's computer security measures were seriously deficient,
lacking even basic precautions like firewalls and relying on
used, $10 switches in its local networks.
Still, police investigators told Reuters in an interview
that both the bank and SWIFT should take the blame for the
problems.
"It was their responsibility to point it out but we haven't
found any evidence that they advised before the heist," said
Mohammad Shah Alam, head of the Forensic Training Institute of
the Bangladesh police's criminal investigation department,
referring to SWIFT.
THWARTING FUTURE ATTACKS
Monday's alert from BAE includes some technical indicators
that the firm said it hopes banks could use to thwart similar
attacks. Those indicators include the IP address of a server in
Egypt the attackers used to monitor use of the SWIFT system by
Bangladesh Bank staff.
The malware, named evtdiag.exe, was designed to hide the
hacker's tracks by changing information on a SWIFT database at
Bangladesh Bank that tracks information about transfer requests,
according to BAE.
BAE said that evtdiag.exe was likely part of a broader
attack toolkit that was installed after the attackers obtained
administrator credentials.
It is still not clear exactly how the hackers ordered the
money transfers.
Nish said that BAE found evtdiag.exe on a malware repository
and had not directly analyzed the infected servers. Such
repositories collect millions of new samples a day from
researchers, businesses, government agencies and members of the
public who upload files to see if they are recognized as
malicious and help thwart future attacks.
Nish said he was highly confident the malware was used in
the attack because it was compiled close to the date of the
heist, contained detailed information about the bank's
operations and was uploaded from Bangladesh.
While that malware was specifically written to attack
Bangladesh Bank, "the general tools, techniques and procedures
used in the attack may allow the gang to strike again,"
according to a draft of the warning that BAE shared with
Reuters.
The malware was designed to make a slight change to code of
the Alliance Access software installed at Bangladesh Bank,
giving attackers the ability to modify a database that logged
the bank's activity over the SWIFT network, Nish said.
Once it had established a foothold, the malware could delete
records of outgoing transfer requests altogether from the
database and also intercept incoming messages confirming
transfers ordered by the hackers, Nish said.
It was able to then manipulate account balances on logs to
prevent the heist from being discovered until after the funds
had been laundered.
It also manipulated a printer that produced hard copies of
transfer requests so that the bank would not identify the attack
through those printouts, he said.
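The account above describes three things the malware could tamper with on the bank's own host: the local transfer database, the incoming confirmation messages, and the printed transfer requests. SWIFT's stated advice was to "spot inconsistencies in their local database records." The script below is an added illustration of that defensive check and is not code from SWIFT, BAE or the article. It reconciles the local transfer log against a counterparty statement obtained out of band (for example from the correspondent bank over a separate channel) and against the list of printed requests, and recomputes the closing balance from the independent statement rather than trusting the local one. The record layout, field names, references and amounts are constructed assumptions; real Alliance Access records and SWIFT message formats differ.

```python
"""Reconcile a local SWIFT transfer log against independent sources.

Added example, not the article's or SWIFT's code. All data structures,
field names and sample records below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Transfer:
    ref: str          # transfer reference (constructed format)
    amount: int       # amount in whole USD; real records carry currency and decimals
    beneficiary: str  # beneficiary bank (constructed)


Finding = Tuple[str, str]  # (kind, reference or detail)


def reconcile(local: Dict[str, Transfer],
              statement: Dict[str, Transfer],
              printed_refs: Set[str],
              opening_balance: int,
              local_closing_balance: int) -> List[Finding]:
    """Compare the host-resident transfer log with out-of-band evidence.

    The local database, the received confirmations and the printouts all
    live on or pass through the bank's own systems, so any one of them can
    be altered by malware running there. The counterparty statement is
    assumed to be fetched over a channel the compromised host cannot touch.
    """
    findings: List[Finding] = []

    # 1. Every debit the counterparty confirms must exist locally, with the
    #    same amount and beneficiary, and must have been printed.
    for ref in sorted(statement):
        confirmed = statement[ref]
        if ref not in local:
            findings.append(("missing_local_record", ref))
        elif (local[ref].amount != confirmed.amount
              or local[ref].beneficiary != confirmed.beneficiary):
            findings.append(("record_mismatch", ref))
        if ref not in printed_refs:
            findings.append(("not_printed", ref))

    # 2. Local entries the counterparty never confirmed (pending or fabricated).
    for ref in sorted(local):
        if ref not in statement:
            findings.append(("unconfirmed_local_record", ref))

    # 3. Recompute the closing balance from the independent statement instead
    #    of trusting the balance the local database reports.
    expected = opening_balance - sum(t.amount for t in statement.values())
    if expected != local_closing_balance:
        findings.append(("balance_mismatch",
                         f"local={local_closing_balance} expected={expected}"))
    return findings


# Constructed sample data: three confirmed debits, of which the third has
# been removed from the local log and the printout, and the local closing
# balance has been edited so that it still agrees with the two remaining
# records.
STATEMENT: Dict[str, Transfer] = {
    "REF-A": Transfer("REF-A", 10_000_000, "Correspondent 1"),
    "REF-B": Transfer("REF-B", 20_000_000, "Correspondent 2"),
    "REF-C": Transfer("REF-C", 81_000_000, "Correspondent 3"),
}
OPENING_BALANCE = 200_000_000


def sample_findings(tampered: bool = True) -> List[Finding]:
    """Run the reconciliation over the constructed sample.

    tampered=True models the scenario in the article (deleted record,
    suppressed printout, edited balance); tampered=False is the clean case.
    """
    if tampered:
        local = {k: v for k, v in STATEMENT.items() if k != "REF-C"}
        printed = {"REF-A", "REF-B"}
        local_closing = OPENING_BALANCE - 30_000_000   # hides the 81M debit
    else:
        local = dict(STATEMENT)
        printed = set(STATEMENT)
        local_closing = OPENING_BALANCE - 111_000_000
    return reconcile(local, STATEMENT, printed, OPENING_BALANCE, local_closing)


if __name__ == "__main__":
    for kind, detail in sample_findings():
        print(f"{kind}: {detail}")
```

Each finding names the reference or the balance discrepancy, so an operator can follow up on a specific transfer. The check only works if the statement really is independent of the host running the messaging software; a statement downloaded onto the same compromised machine could be altered in the same way as the local records.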
