Malware targeting banks' payment systems uncovered following Bangladesh Bank cyber-heist

Bangladesh Bank attackers used malware designed to exploit SWIFT payments software

"All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed."

That is the warning of the computer security arm of defence contractor BAE Systems, which was called in to investigate the $81m cyber-heist in February at Bangladesh Bank, the central bank of Bangladesh.

SWIFT is the global payments system infrastructure that banks around the world use to transfer funds from and to different bank accounts. It confirmed to Reuters today that it is aware of the malware that BAE believes had exploited its client-system software.

The malware was used to make a series of payments from Bangladesh Bank's account with the Federal Reserve Bank in New York to accounts set up by the fraudsters at banks in Sri Lanka and the Philippines, and to erase records of the transfers after they had been made.

"Investigators probing the heist had previously said that the still-unidentified hackers had broken into Bangladesh Bank computers and taken control of credentials that were used to log into the SWIFT system. But the BAE research shows that the SWIFT software on the bank computers was probably compromised in order to erase records of illicit transfers," reported Reuters.

The series of payments was only stopped when the fraudsters made a simple spelling mistake for one of the beneficiary accounts, and one of the correspondent banks in the chain responsible for transferring the money queried the transfer. About $101m was transferred out of a total of $951m in transfers set up by the fraudsters before the payments were stopped - and only $20m recovered.

Although the attack happened in February, news only emerged at the beginning of April, but since then more and more information has come out - most of it painting Bangladesh Bank in a bad light.

The task of both tracing the money and the source of the attacks has been made more difficult by the bank's inadequate security. There was no firewall separating the payments system from the rest of the network, physical security was also lackadaisical, and the bank had deployed $10 switches bought second-hand to route payments communications.

The malware uncovered by BAE has been labelled "evtdiag.exe" and was found on a malware repository - not on the bank's servers. However, BAE Systems' Adrian Nish, head of threat intelligence at the company, believes it was used to modify the database that logs the bank's SWIFT payments so that they would not appear in the printout that the bank's staff would analyse every day.

The obfuscation would give the thieves extra time to launder their gains and to disappear, as well as helping them to erase traces of the attack.

"The technical details of the attack have yet to be made public, however we've recently identified tools uploaded to online malware repositories that we believe are linked to the heist. The custom malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure," wrote BAE's Sergei Shevchenko in a blog post describing how the malware may have been used in the attack.

He continued: "This malware appears to be just part of a wider attack toolkit, and would have been used to cover the attackers' tracks as they sent forged payment instructions to make the transfers. This would have hampered the detection and response to the attack, giving more time for the subsequent money laundering to take place."
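The defensive lesson from a tool that hides or alters entries in the local payments log is that the daily printout cannot be trusted on its own: the check has to reconcile the local record against a source outside the possibly compromised host, such as the correspondent bank's statement. The following is an added illustration, not code from BAE Systems or SWIFT, using constructed sample records and hypothetical reference and account identifiers:

```python
# Added example (not BAE's or SWIFT's code): reconcile a bank's local record of
# outgoing payment messages against an independent statement from the
# correspondent bank. A payment the correspondent has debited but which is
# absent or altered in the local log is exactly what log-tampering malware
# of the kind described above would leave behind.
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str          # transaction reference known to both sides
    amount: int       # amount in minor units (cents) to avoid float rounding
    beneficiary: str  # beneficiary account identifier


# Constructed sample data: hypothetical references and accounts, not real IoCs.
LOCAL_LOG = [
    Payment("TRN0001", 1_000_000, "ACC-LEGIT-1"),
    Payment("TRN0002", 2_500_000, "ACC-LEGIT-2"),
    Payment("TRN0004", 5_000_000, "ACC-LEGIT-4"),    # amount differs remotely
]
CORRESPONDENT_STATEMENT = [
    Payment("TRN0001", 1_000_000, "ACC-LEGIT-1"),
    Payment("TRN0002", 2_500_000, "ACC-LEGIT-2"),
    Payment("TRN0003", 20_000_000, "ACC-SUSPECT-3"),  # debited, erased locally
    Payment("TRN0004", 50_000_000, "ACC-LEGIT-4"),
]


def reconcile(local, remote):
    """Match records by reference and return discrepancies by category."""
    local_by_ref = {p.ref: p for p in local}
    remote_by_ref = {p.ref: p for p in remote}
    # Debited at the correspondent but missing from the local log: tampering
    # or a lost record; either way it must be investigated, not re-keyed.
    erased_locally = sorted(set(remote_by_ref) - set(local_by_ref))
    # Logged locally but not yet seen by the correspondent: pending or failed.
    unconfirmed = sorted(set(local_by_ref) - set(remote_by_ref))
    # Same reference on both sides but amount or beneficiary differ.
    altered = sorted(
        ref for ref in set(local_by_ref) & set(remote_by_ref)
        if local_by_ref[ref] != remote_by_ref[ref]
    )
    return {"erased_locally": erased_locally,
            "unconfirmed": unconfirmed,
            "altered": altered}


if __name__ == "__main__":
    for category, refs in reconcile(LOCAL_LOG, CORRESPONDENT_STATEMENT).items():
        print(f"{category}: {refs}")
```

The statement used for the comparison must be fetched and stored on a system the SWIFT host cannot write to; a reconciliation fed from the same tampered database detects nothing.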

SWIFT is a cooperative organisation owned by 3,000 financial institutions, including all the major banks, and used by some 11,000 banks and other financial institutions.