Four Lessons to Learn From the SWIFT Hacks

In April this year news started to trickle through about an alleged security compromise in which the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment communications network was exploited to steal US $81 million from the Bangladesh central bank account at the New York Federal Reserve Bank. Apparently, but for a spelling mistake that alerted an analyst, the impact could have been a whole lot worse – almost a billion dollars worse.

SWIFT was also reportedly breached again in June this year as hackers made off with $10 million from a Ukrainian bank, while incidents in Vietnam and Ecuador have also come to light in recent times.

The cooperative, owned by 3000 financial institutions, acknowledged "a number of recent cyber incidents" but stopped short of saying a compromise of their own systems is responsible. What does seem to be fact however – certainly in the case of the Bangladesh bank – is that the criminals ultimately compromised a SWIFT 'server' located in a dedicated room at the bank and infected it with very specifically customized malware.

Whilst we don't know exactly how these attacks were perpetrated or what their full extent was, it seems apparent that they are just the small tip of a very big iceberg, and that a pervasive practice of shoddy architecture, technology and processes by multiple parties has made these compromises pretty much inevitable.

These high-profile incidents often get more attention in the media than they deserve, and while the SWIFT incidents may be another example of this, there are some valuable lessons that corporations in other sectors (even small businesses) can take from what happened in Bangladesh in particular.

1. The Attacker Knows Your Business
According to some commentators, the custom malware used in the attacks "appears to have been created by someone with an intimate knowledge of how the SWIFT software works as well as its business processes".

This raises a key point that’s easily overlooked in all the noise: our tendency to focus on the technical aspects of cybercrime often masks the fact that money is and always has been the main motive and focus for cyber-criminals. Since the dawn of commerce, criminals have made it their business to know your business just as well as you do in the hope of figuring out how to derive benefit for themselves. SWIFT and the Bangladeshi bank learned this the hard way as criminal hackers infiltrated their most sacred technology and used it to subvert their most important business process.

2. The Bad Guys Really Are Getting In
We constantly speculate and hypothesize about what the bad guys could do, but there’s a kind of cognitive dissonance that somehow allows us to believe it won’t actually happen to us. It’s critical for all businesses, including smaller ones who feel they are too insignificant to matter, to realize that these threats are real, the consequences are serious, and that every business is a potential target.

3. Crime is Evolving, Cyber is Not
The process of monetizing cyber breaches is evolving rapidly. There is a complex and robust criminal ecosystem worldwide that sees cybercrime as a business and is intensely interested in monetizing each and every hack and scam.

Spam, carding and other business models have for many years raked in millions of dollars for the various criminal role players, but as those get closed down that complex and sophisticated crime ecosystem looks for a new business plan. A number of spin-offs are emerging, including ransomware, which are proving to be more sophisticated, more audacious and ultimately more profitable for the criminals than anything we've seen before.

The Bangladesh Bank hack is a good example of this. The sheer gumption of attempting to heist almost $1 billion from the very heart of the global financial system and all the drama associated with this story can easily cause us to see past the more mundane reality here – that the technical modus operandi for this attack was nothing new, but the criminal business plan was.

4. Your People are Your Greatest Threat…and Your Best Form of Defense
It seems apparent that the Bangladesh bank hackers had eyes on the ‘inside’; either within the bank, or within SWIFT. The level of insight they had into the SWIFT platform simply isn’t feasible any other way.

It’s always a difficult conversation to have, but a business’ greatest exposure will always be its own people. There are many reasons to trust your own people and it’s mostly appropriate to do so, but as so many security stories suggest, those inside your organization are still your biggest threat.

However, insiders could also have prevented this attack, and in fact they largely did.

The Bangladesh attack, like so many others, most likely started with a simple phishing email. The power of this approach, apart from its obvious simplicity and effectiveness, is that by compromising the end-user, the attacker assumes all the rights and privileges that user has in your organization.

In this very real sense your employees are your first line of defense: equip them properly with the training, equipment and support they need to recognize potential attacks and report them to the security team, and this popular attack avenue is significantly reduced.

Among all this bad news, there is one aspect of the incident involving the Central Bank of Bangladesh that does give us cause for optimism. The fraudulent transactions were detected by an attentive operator who noticed something amiss and acted appropriately, allowing all but 80 million of the $1 billion stolen to be recovered.

It is often the case in complex computer crimes that a human is also the last line of defense, so by implementing and maintaining simple checks and balances your staff can also be deployed to help spot and stop anomalous behavior and mitigate the impact of a potentially devastating breach.
