I had a short blog post on the Bangladesh-Bank SWIFT hacking shortly before I went on a two-month-long vacation. Since then, the story has become more and more frightening. It is no longer about Bangladesh Bank and its cheap routers: the hacking now appears to be global in scope and sophisticated in approach:
- BAE Systems have identified parts of the malware that was used in the Bangladesh-Bank hacking. This malware “contains sophisticated functionality” and “appears to be just part of a wider attack toolkit”.
  > The tools are highly configurable and given the correct access could feasibly be used for similar attacks in the future.
  > The wider lesson learned here may be that criminals are conducting more and more sophisticated attacks against victim organisations, particularly in the area of network intrusions (which has traditionally been the domain of the ‘APT’ actor).
- More than a year before the Bangladesh-Bank hacking, a total of $12 million was stolen from Banco del Austro (BDA) in Ecuador through SWIFT instructions to Wells Fargo in the US to transfer funds to a number of accounts around the world. The matter came to light only when BDA sued Wells Fargo to recover the money.
Neither bank reported the theft to SWIFT, which said it first learned about the cyber attack from a Reuters inquiry.
- In 2015, there had been an attempt to steal more than 1 million euros from Vietnam’s Tien Phong Bank through fraudulent SWIFT messages using infrastructure of an outside vendor hired to connect it to the SWIFT bank messaging system. TP Bank did not suffer losses because it detected the fraud quickly enough to stop the transfers.
SWIFT now admits that there were “a number of fraudulent payment cases where affected customers suffered a breach in their local payment infrastructure”. The whole set of press releases issued by SWIFT on this issue is worth reading.
The picture that emerges out of this is that on the one side there are well organized criminals who are building sophisticated tools to attack the banks. They may or may not be linked to each other, but they are certainly borrowing and building on each other’s tools. Their arsenal is gradually beginning to rival that of the APT (Advanced Persistent Threat) actors (who are traditionally focused on espionage or strategic benefits rather than financial gains). Very soon global finance could be attacked by criminals wielding Stuxnet-like APT tools re-purposed for stealing money.
On the other side is a banking industry that is unable to get its act together. Instead of hiring computer security professionals to shore up their defences, they are busy hiring lawyers to try to deflect the losses onto each other. It is evident that the banks are not sharing information with each other. Worse, my experience is that information is not even being shared within the banks. I have heard horror stories in India of security firms who have detected vulnerabilities in the IT systems of banks being told by the IT departments not to mention these to the top management. These IT people think that everything is fine so long as top management does not know about the problems. The top management in turn thinks that things are fine so long as the regulator does not know that there is a problem. I hear reports of banks quietly reimbursing a customer’s losses without either fixing the problem or reporting it to the regulators or other authorities. Most of the stories that I hear are from India, but the evidence suggests that the situation is not any different elsewhere in the world.
This state of denial and discord in the banking industry provides the hackers the perfect opportunity to learn the vulnerabilities of the banks, improve their hacking tools, and increase the scale and scope of their attacks. At some point, of course, the losses to the banking system would become too big to sweep under the carpet. That is when the confidence in the financial sector would begin to erode.
Another problem for the banks is that in their lawsuits against the paying banker, the victim bank is raising the issue of “red flags” and “suspicious transactions” to argue that the paying banker should have halted the payment. With large amounts of money at stake, this argument would be made by skilled lawyers and may even be successful in court. If that happens, it would set a dangerous precedent against the banks themselves. So far, banks have taken the stand that their customers are responsible for the transactions so long as valid authentication was provided. Bank customers typically do not have the resources and inside knowledge to challenge this stand. The inter-bank litigation is very different and has the potential to overturn the established distribution of liability.
I have not so far talked about nation state actors getting into the attack. Any nation state would love to hack the banks of an enemy country. Some rogue states that are excluded from global finance might even want to try to disrupt the global financial system. India is one of the countries at serious risk of an attack from a resourceful nation state, but as I look around, I see only complacency and no sense of concern, let alone paranoia.