BlackBerry Blog

Cylance vs. the SWIFT Attacks

It turns out that cybertheft isn’t just for isolated hacking groups any more. Security researchers have tied together a series of attacks on banks in Bangladesh, the Philippines and Vietnam after identifying segments of code used in the 2014 Sony Pictures breach and several 2013 attacks on South Korean companies. All three of these banking attacks are now widely believed by computer security experts to have originated from North Korea.

If the allegations are correct, this marks the first time a nation state (rogue or otherwise) has been involved in a cyberattack for purely financial gain.

To make the situation even more worrying, the attackers also gained access to SWIFT, formerly thought to be the most secure banking system in the world.

In the world of international banking and finance, this is huge (read: scary) news.

What is SWIFT?

The Society for Worldwide Interbank Financial Telecommunication – SWIFT – is a super-secure network that allows financial institutions to send each other coded messages about financial transactions. Founded in Brussels in 1973, SWIFT grew from a tiny hub of 240 banks in Europe and North America to a sprawling network used by financial institutions of all sizes in more than 209 countries and territories.

SWIFT is now the backbone of most international transactions, and has set the industry standard for syntax in financial messages.

According to reporting by The New York Times, "Virtually every major commercial bank, as well as brokerage houses, fund managers and stock exchanges, uses its services. SWIFT routes more than 11 million transactions each day and is used by 11,000 banks and companies to move money from one country to another — one reason that it is a tempting target for criminals."

Allowing one financial system to handle such a high percentage of worldwide banking transactions brings about an obvious problem: security.

Recent SWIFT Attacks

SWIFT’s reputation as “the Rolls-Royce of payment networks” came crashing down in February 2016 after a brazen hacking attack netted cyberthieves $81 million from Bangladesh’s central bank. The attack was traced back to hacker activity penetrating SWIFT’s Alliance Access software, which connects external banks to SWIFT’s central messaging system.

An attack on a commercial bank in Vietnam followed shortly after, with apparent links between the two attacks. Both attacks involved the use of malware, which repurposed real SWIFT messages using stolen bank employee credentials.

After accessing SWIFT using the stolen credentials, the hackers delved deep inside the system and recovered a number of cancelled and rejected payment requests. They then doctored the amount of money requested, changed the timestamp and the payee information, then resubmitted them to SWIFT. After the funds had been stolen, the attackers deployed malware that accessed SWIFT’s databases, erased all record of the transfers, and deleted the manual confirmation messages and paper printouts that had the potential to reveal the theft to bank employees.

Wells Fargo Hit by SWIFT Attacks

U.S. banking giant Wells Fargo also fell victim to a SWIFT-based attack in January 2015, although officials are quick to point out that Wells Fargo itself wasn’t breached. Details emerged recently via a lawsuit in which Banco del Austro (BDA), based in Ecuador, is suing Wells Fargo after the American bank transferred $12 million of BDA’s money to undisclosed external beneficiaries in response to faked SWIFT fund transfer requests placed by cybercriminals.

This lawsuit is considered unusual because one bank is taking its correspondent bank to court and thus making the details of the breach public, risking reputational damage to both banks. The case hinges on the fact that the falsified SWIFT transfer requests were placed outside of BDA working hours and were of an unusually large size. BDA asserts that Wells Fargo should have flagged the transactions as suspicious activity.
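The two detection opportunities the attack narrative leaves a bank with are the ones described above: transfer requests released outside working hours or at an unusual size (the BDA argument), and messages that left the SWIFT interface but have no matching record in the bank's own confirmation log (the erasure step). The following is an added illustration, not Cylance's, SWIFT's or either bank's code; the record layout, business hours, size multiplier and all sample data are assumptions constructed for the example.

```python
"""Hold-for-review rules over outbound transfer messages.
Added example with constructed data; business hours, the
size multiplier and the record layout are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time
from statistics import median

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed local hours
SIZE_MULTIPLIER = 10  # assumed: flag amounts above 10x the median of prior transfers

@dataclass(frozen=True)
class Transfer:
    ref: str            # message reference as seen by the messaging interface
    sent_at: datetime   # when the interface released the message
    amount: float       # assumed single currency
    beneficiary: str

def off_hours(t: Transfer) -> bool:
    """True when the message left on a weekend or outside the working window."""
    return t.sent_at.weekday() >= 5 or not (BUSINESS_START <= t.sent_at.time() < BUSINESS_END)

def oversized(t: Transfer, history: list[float]) -> bool:
    """True when the amount is far beyond the bank's typical transfer size."""
    return bool(history) and t.amount > SIZE_MULTIPLIER * median(history)

def review(outbound: list[Transfer], confirmations: set[str], history: list[float]) -> dict:
    """Return {ref: [reasons]} for messages a human should hold.
    `confirmations` holds the refs present in the bank's own ledger/confirmation
    log, kept independently of the interface; a sent message missing there is the
    record-erasure pattern described in the attack."""
    findings = {}
    for t in outbound:
        reasons = []
        if off_hours(t):
            reasons.append("off-hours")
        if oversized(t, history):
            reasons.append("unusual size")
        if t.ref not in confirmations:
            reasons.append("no confirmation record")
        if reasons:
            findings[t.ref] = reasons
    return findings

# Constructed sample: one routine daytime payment, one off-hours outlier whose
# confirmation record is absent from the bank's own log.
SAMPLE_OUTBOUND = [
    Transfer("REF001", datetime(2024, 3, 6, 10, 30), 45_000.0, "Supplier A"),
    Transfer("REF002", datetime(2024, 3, 7, 2, 15), 1_900_000.0, "Unknown Beneficiary"),
]
SAMPLE_CONFIRMATIONS = {"REF001"}
SAMPLE_HISTORY = [30_000.0, 52_000.0, 41_000.0, 48_000.0, 60_000.0]
```

Running `review(SAMPLE_OUTBOUND, SAMPLE_CONFIRMATIONS, SAMPLE_HISTORY)` holds only REF002, for all three reasons; the rules are deliberately simple so that the independent confirmation log, not the interface's own database, is the source of truth.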

In the court filing, Wells Fargo countered that liability should fall squarely on BDA because the cyberthieves gained access to the SWIFT login credentials of a BDA employee, meaning the SWIFT messages were fully authenticated and therefore BDA’s security policies were at fault. Wells Fargo claims that, given SWIFT’s excellent security reputation, it had no reason to suspect foul play was afoot.

The trial continues, but SWIFT is not a party to this lawsuit as neither the network nor its employees were at fault for the breach.

Potential For SWIFT Abuse Said to Be “Enormous”

Although trusted by millions as the ultimate in banking security, SWIFT has previously allowed the C.I.A. and the F.B.I. to privately examine an estimated “tens of thousands” of financial transactions, in a controversial post-9/11 data-sifting operation known as the Terrorist Finance Tracking Program (TFTP). Financial transactions by individuals believed to have ties with Al-Qaeda were monitored, although this monitoring was limited primarily to methods of moving money into and out of the United States, such as wire transfers.

When revealed, this government operation drew intense public and internal criticism concerning legal and privacy issues.

“The capability here is awesome or, depending on where you're sitting, troubling,” said one former senior counterterrorism official, speaking on condition of anonymity. While tight controls are apparently in place, the official also cautioned that “the potential for abuse is enormous.”

SWIFT has since publicly announced that the attacks were just one puzzle piece of a coordinated campaign against banks utilizing SWIFT, but did not explicitly blame North Korea for the attack. It also clarified that connection points to its network had been breached, rather than the actual system itself.

It also shared the attack vector: malware that targets a PDF reader application used by banks to check statement messages.

“The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both,” read SWIFT’s official statement to users following the attack. The network went on to drive home an important message to its users: “Please remember that as a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environment.”

SWIFT Advises Banks to Review Security Policies

SWIFT has issued numerous warnings in the past urging banks to step up their security measures. SWIFT has also urged banks to report all cyberattacks, which often go unreported over fears of reputation damage and time-consuming risk management investigations.

In today’s massively interconnected and globalized world, the SWIFT attacks spotlight the risks taken by the banking industry by relying on a single financial system made up of a hodge-podge of banks with wildly differing levels of online protection and cybersecurity. As the CEO of MasterCard recently put it: smaller banks are the weak link in the chain. After all, why bother trying to break into a big bank and circumvent their security, when you can simply break into a smaller, less well protected bank and send fake money requests to the big bank?

In the case of the Bangladesh attack, the bank's complete lack of firewalls and its use of cheap, second-hand $10 switches to connect its own computer network to SWIFT were implicated as key to the multi-million-dollar breach, in a cost-cutting move security experts have called "disturbing."

One cannot help but wonder that if the supposed most-secure banking system in the world can be compromised by hackers via its weakest links, how secure are the other vital systems we rely on to lead our daily lives?

Live Demonstration: CylancePROTECT vs. the SWIFT Attacks Malware

These are the sorts of novel threats that CylancePROTECT excels at preventing. Cylance’s mathematical, artificial-intelligence-based approach to endpoint protection means that CylancePROTECT does not require first contact with a sample in order to protect against new malware. In the current threat landscape, detecting a threat generally means you’ve already been compromised.

Researchers at Cylance tested CylancePROTECT against the malware files associated with the SWIFT banking attacks. We started by copying over a ZIP file and extracting the malicious samples to our desktop for analysis. In the video, you’ll see that we kept the CylancePROTECT event window open throughout the process, so we could watch our progress in real time as the files were reviewed.


Figure 1: Malicious files associated with the SWIFT attacks are loaded onto a machine protected by CylancePROTECT

You will see that the endpoint is protected because the files are reviewed, pre-execution, by CylancePROTECT and moved to the quarantine folder. Lastly, we reviewed the Events and Threats tab to verify that the files have been detected.

We discovered, as expected, that the endpoint had indeed been protected from the threat.


Figure 2: Malicious files detected and quarantined pre-execution by CylancePROTECT

Our Research team has created this short video showing CylancePROTECT taking on the malware associated with the SWIFT banking attacks:


VIDEO: CylancePROTECT vs. the malware associated with the SWIFT banking attacks

Convinced that the next generation of endpoint security is right for your organization? Contact a Cylance expert to get started!


Believe the Math!

The Cylance Research and Intelligence Team

About The Cylance Research and Intelligence Team

Exploring the boundaries of the information security field

The Cylance Research and Intelligence team explores the boundaries of the information security field, identifying emerging threats and remaining at the forefront of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.