More banks targeted by cyber criminals in SWIFT payments system attacks

Trojanised PDF reader used to manipulate payments confirmation messages, warns SWIFT

SWIFT, the financial messaging network used by banks across the world to manage payments, has warned banks to expect more attacks targeting its technology.

The warning comes after the organisation revealed that a second attack had been launched against an unnamed bank - which the security arm of BAE Systems has suggested is a commercial bank in Vietnam - in a follow-up to February's attack against Bangladesh Bank.

The Bangladesh Bank attack was only publicised in April, and the bank has been criticised for using obsolete equipment on its network and inadequate IT security. SWIFT has rejected claims by the bank that its own technicians were responsible for errors that left it wide open to attack.

But SWIFT has now warned that the Bangladesh Bank attack was not a one-off. It claims that more banks have been targeted, with the attackers using bespoke malware that indicates that they have an insider's knowledge of both SWIFT's technology and the banks they are attacking.

In both cases so far disclosed, the attackers had not only been able to access parts of the banks' networks hooked to the SWIFT network - which should have been ring-fenced with hardened security - but had also been able to obtain user credentials and manipulate the PDF reports confirming messages, in order to cover up the fraudulent payments that had been made.

The attackers have been dubbed Group Zero by investigators - and may still have access to the network of Bangladesh Bank, they warn. "Group Zero may be seeking to monitor the ongoing cyber investigations or cause other damage, but is unlikely to be able to order fraudulent fund transfers," according to newswire Reuters, which first broke the story.

"It appears to have been created by someone with an intimate knowledge of how the SWIFT software works as well as its business processes, which is cause for concern," said Matthias Maier, a security evangelist at network monitoring company Splunk.

He continued: "Basic system monitoring at the bank would have stopped this at the server endpoint by tracking system changes in real time, triggering alerts to analysts.

"Other banks participating in the SWIFT network now need to compare the indicators of compromise shared by BAE Systems with the data generated by their own environment to understand whether or not they have also been affected and how to respond effectively."
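As an added illustration of the kind of check Maier describes (tracking changes to the software on a SWIFT-connected host and comparing file hashes against shared indicators of compromise), and not code from the article, SWIFT or BAE Systems: a hash-baseline integrity check in Python. The directory layout, file names such as pdfreader.exe, and the IoC hash are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict, ioc_hashes: set) -> dict:
    """Report files changed since the baseline and any whose hash matches an IoC."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "ioc_hits": sorted(k for k, h in current.items() if h in ioc_hashes),
    }


def demo() -> dict:
    """Constructed scenario: the PDF reader binary in a watched directory is
    swapped and an extra library appears. All file contents are stand-ins."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "conf").mkdir()
        (root / "bin" / "pdfreader.exe").write_bytes(b"genuine reader (stand-in)")
        (root / "conf" / "settings.ini").write_text("verify_reports=true\n")
        baseline = build_baseline(root)  # taken while the system is known-good

        tampered = b"trojanised reader (stand-in)"
        (root / "bin" / "pdfreader.exe").write_bytes(tampered)
        (root / "bin" / "helper.dll").write_bytes(b"dropped component (stand-in)")

        # Constructed IoC list: in practice, the hashes shared by the investigators.
        iocs = {hashlib.sha256(tampered).hexdigest()}
        return compare(baseline, build_baseline(root), iocs)
```

In a real deployment the baseline would be stored off-host and the comparison run on a schedule or from a file-change event, with any non-empty "modified", "added" or "ioc_hits" list raised as an alert.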

The $81m Bangladesh Bank heist in February had been perpetrated after the attackers gained access to its inadequately protected network and sent a series of payment request messages from the Bangladeshi central bank to the New York Federal Reserve. The series of payments totalled $951m, and were only curtailed after a basic spelling error in the name of one of the beneficiaries caused one of the payments to be called into question.