Bangladesh Bank attackers used custom malware that hijacked SWIFT software
The code, which BAE believes was probably part of a broader attack toolkit installed on the affected servers after the thieves gained administrative access, was created to make changes to SWIFT client software called Alliance Access that would hide the hackers’ fraudulent transfers until after the funds had been laundered, BAE said. While its resolve has not changed, the latest malware attack does call into question the need for respective financial institutions to fortify their security protocols and procedures.
BAE released an advisory with technical indicators, including the IP address of the server in Egypt used by the attackers to monitor Bangladesh’s SWIFT system, as well as details about the “evtdiag.exe” malware which helped the hackers hide their tracks by altering information in the SWIFT database.
According to investigators, one factor that contributed to the success of the attack against Bangladesh’s central bank was the lack of proper segmentation between the bank’s SWIFT systems and the rest of its network.
It’s thought that the malware was part of a multi-layered attack and was used on the SWIFT system once Bangladesh Bank admin credentials had been stolen.
SWIFT has released a software update to assist customers with security. In 2014, it processed 25.6 billion financial messages.
The malware, which manipulated SWIFT’s Alliance Access software, was discovered by researchers from BAE Systems.
Brussels-based SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a cooperative society owned by thousands of financial institutions that runs the world’s largest secure financial messaging network.
According to the BAE Threat Research blog, the malware contains “sophisticated functionality” and is part of a “wider attack toolkit”; the tools are “highly configurable and given the correct access could feasibly be used for similar attacks in the future”. “The malware registers itself as a service and operates within an environment running SWIFT’s Alliance software suite, powered by an Oracle Database”, they wrote.
The new evidence suggests that hackers manipulated the Alliance Access server software, which banks use to interface with SWIFT’s messaging platform, in a bid to cover up fraudulent transfers that had been previously ordered. Deteran said that financial institutions would be asked to take special security measures.
A Bangladesh Bank spokesman declined comment on BAE’s findings.
“The key defense against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems against such potential security threats”, SWIFT said in a statement.
The attackers attempted to transfer $951 million out of Bangladesh Bank’s account at the Federal Reserve Bank of NY in February, but most of the transfers were blocked before completion. Exploiting a vulnerability that allowed them to change two bytes of data, they got control over the SWIFT application and its underlying database.
The malware evtdiag.exe also spoofed physical records sent to printers to prevent officials from noticing the hackers’ activity.