Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks, commented below on the SWIFT and Russian central bank attacks.
Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:
Verizon’s 2017 DBIR report shows financial institutions get breached almost twice as much as the next most breached vertical, healthcare. Most cyber attacks today are financially motivated; cybercriminals “rob banks because that’s where the money is.”
The two methods to steal money from banks commonly used by cyber gangs are ATM jackpotting and SWIFT wire transfers.
Banks know this and spend heavily on countermeasures and security response. Collectively J.P. Morgan, Bank of America, Citibank and Wells Fargo spent $1.5 billion in 2016 to battle cyber crime.
Our banks and financial institutions are all interconnected today, which creates major risks, and international groups of criminals in various countries are monetizing these risks.
For example, in 2016 hackers stole $81 million from the Bangladesh Central Bank via SWIFT using Odinaff malware on a long weekend. The initial attack vector in such attacks is usually spear-phishing. An employee of a bank gets an email with an MS Office document that has a macro that downloads Odinaff malware. Attackers then try lateral spread using tools already on the computer – Windows components like PowerShell, WMI or PsExec. By using Microsoft tools, they are effectively circumventing endpoint security solutions. In another similar case in 2017, hackers attempted to steal $170 million from Union Bank of India via SWIFT.
SWIFT is a vast messaging network used by banks to send and receive money transfer instructions. In November, SWIFT issued a 16-page warning report to banks on the growing sophistication of digital attackers. They listed new creative techniques used by attackers:
– gaining Administrator rights for operating systems
– manipulating software in memory
– tampering with legitimate functionality to bypass two-factor authentication
– deploying highly covert malware
To combat these threats, SWIFT launched a cyber threat intelligence sharing service, the SWIFT ISAC portal, where malware file hashes, YARA rules and attack Indicators of Compromise can be downloaded by SWIFT customers. They also stress the importance for each bank to practice “defense in depth” through the combination of multiple layered cyber defense components, barriers and countermeasures.
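The attack chain described above (a macro-enabled document launching a script host, followed by lateral movement with PowerShell, WMI or PsExec) and the hash-based indicators that a sharing service like the SWIFT ISAC portal distributes both lend themselves to simple detection logic. The following is an added example written for this page, not code from Juniper, SWIFT or the commentary's author. It runs a handful of behavioural rules plus an IoC hash check over constructed process-creation telemetry; the `key=value` event format, the host names, the command lines and the IoC hash are all made up for the example and do not correspond to any real EDR schema or real indicator.

```python
import hashlib
import re

# Constructed IoC: the SHA-256 of a made-up byte string, standing in for a
# file hash that a sharing service would distribute. Not a real indicator.
IOC_SHA256 = {hashlib.sha256(b"constructed-dropper-sample").hexdigest()}

# Constructed hash for the benign events (also not a real file).
BENIGN_SHA256 = hashlib.sha256(b"constructed-benign-binary").hexdigest()

# Constructed process-creation telemetry in a hypothetical key=value format
# (not a real EDR or Windows event schema). One event per line.
SAMPLE_EVENTS = f"""\
host=WS-ACCT-07 user=jdoe parent=OUTLOOK.EXE image=WINWORD.EXE cmd="WINWORD.EXE /n invoice.docm" sha256={BENIGN_SHA256}
host=WS-ACCT-07 user=jdoe parent=WINWORD.EXE image=powershell.exe cmd="powershell.exe -nop -w hidden -enc QUFBQQ==" sha256={BENIGN_SHA256}
host=WS-ACCT-07 user=jdoe parent=powershell.exe image=svchost_update.exe cmd="svchost_update.exe" sha256={next(iter(IOC_SHA256))}
host=SRV-SWIFT-01 user=SYSTEM parent=services.exe image=PSEXESVC.exe cmd="PSEXESVC.exe" sha256={BENIGN_SHA256}
host=SRV-SWIFT-01 user=SYSTEM parent=WmiPrvSE.exe image=cmd.exe cmd="cmd.exe /c whoami" sha256={BENIGN_SHA256}
host=WS-HR-03 user=asmith parent=explorer.exe image=powershell.exe cmd="powershell.exe Get-ChildItem" sha256={BENIGN_SHA256}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REMOTE_EXEC_PARENTS = {"wmiprvse.exe"}

# key=value pairs; a value may be double-quoted so it can contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line into a dict."""
    return {key: (quoted if quoted else plain) for key, quoted, plain in _KV.findall(line)}


def detect(event, ioc_hashes=IOC_SHA256):
    """Return the names of the detection rules that fire for one event."""
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmd = event.get("cmd", "").lower()
    findings = []
    # An Office application spawning a script host: the macro stage of the
    # spear-phishing chain.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office_spawns_script_host")
    # Hidden-window, encoded PowerShell is rarely how administrators work.
    if image == "powershell.exe" and "-enc" in cmd and (
        "-w hidden" in cmd or "-windowstyle hidden" in cmd
    ):
        findings.append("encoded_hidden_powershell")
    # PsExec runs its service binary, PSEXESVC.exe, on the remote host.
    if image == "psexesvc.exe":
        findings.append("psexec_service")
    # Remote WMI execution launches the child under the WMI provider host.
    if parent in REMOTE_EXEC_PARENTS and image in SCRIPT_HOSTS:
        findings.append("wmi_remote_exec")
    # File-hash indicator from the shared IoC set.
    if event.get("sha256", "").lower() in ioc_hashes:
        findings.append("ioc_hash_match")
    return findings


def scan(text, ioc_hashes=IOC_SHA256):
    """Apply every rule to each event; return (host, image, findings) for hits only."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        findings = detect(event, ioc_hashes)
        if findings:
            hits.append((event["host"], event["image"], findings))
    return hits


if __name__ == "__main__":
    for host, image, findings in scan(SAMPLE_EVENTS):
        print(f"{host:14} {image:20} {', '.join(findings)}")
```

Run stand-alone, the script reports four of the six constructed events: the Word-launched encoded PowerShell, the dropped binary whose hash is in the IoC set, the PsExec service binary on the SWIFT-connected server, and the WMI-spawned shell. The interactive PowerShell under explorer.exe and the Word process itself produce no findings, which is the point of pairing parent-child rules with hash indicators: the living-off-the-land tools the text mentions are legitimate on their own, so the signal comes from who launched them and with what arguments, while the hash check catches the one artifact that is malicious regardless of context.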
Hackers have successfully targeted the Russian central bank before, breaking into accounts by faking clients’ credentials and stealing more than $30 million in 2016.
The stability of our financial institutions is threatened by these types of attacks and they should serve as a call to action for international law enforcement cooperation on defending our global financial systems.