Researchers have determined that those who stole approximately $81 million from the Bangladesh Bank most likely did so by hacking into SWIFT’s client software.
SWIFT, or the Society for Worldwide Interbank Financial Telecommunications, provides banks and other organizations with secure messaging services. According to its 2015 traffic figures, more than 11,000 organizations in more than 200 countries are connected to its platform.
SWIFT spokeswoman Natasha Deteran confirmed to Reuters that the financial cooperative is aware of malware targeting its client software and intends to release a software update on Monday that will attempt to block future incursions by the malicious software.
The malware, known as “evtdiag.exe,” was found by security researchers at British defense contractor BAE Systems on a malware repository.
BAE is fairly confident attackers used evtdiag.exe to steal $81 million from the Bangladesh Bank, for it was compiled close to the date of the bank heist, contained information about the bank’s operations, and was uploaded from Bangladesh.
The malware has yet to be definitively linked to the Bangladesh Bank’s infected servers.
Adrian Nish, BAE’s head of threat intelligence, believes evtdiag.exe was designed to make a slight change to SWIFT’s Alliance Access software installed at the Bangladesh Bank, allowing the attackers to modify a database. That initial foothold then potentially enabled the hackers to monitor incoming transfer records and to remove traces of the money orders they had placed.
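The two behaviours Nish describes, a small patch to the interface software and the removal of records from the local database, each leave a trace a defender can look for. The script below is an added illustration written for this article, not code from BAE, SWIFT or the investigation: it checks an installed client directory against a known-good hash manifest, and it reconciles an independently kept copy of outgoing payment records against the live store so that deleted or altered entries stand out. Every path, file content, message id and amount in it is constructed sample data; the directory layout and record fields are assumptions, not SWIFT's actual structures.

```python
"""Defensive checks motivated by the evtdiag.exe description:
(1) integrity-verify client-software binaries against a baseline manifest, and
(2) reconcile an out-of-band archive of sent payment records with the live database.
All paths, contents, ids and amounts below are constructed sample data."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a baseline taken from a trusted install: path -> SHA-256 of contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_against_manifest(manifest: Dict[str, str],
                            current: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (path, problem) pairs for files that were modified, removed or added.
    A 'slight change' to one binary shows up as 'modified'; a dropped tool as 'unexpected'."""
    findings = []
    for path, expected in manifest.items():
        if path not in current:
            findings.append((path, "missing"))
        elif sha256_hex(current[path]) != expected:
            findings.append((path, "modified"))
    for path in current:
        if path not in manifest:
            findings.append((path, "unexpected"))
    return sorted(findings)


def reconcile_records(independent_copy: Dict[str, dict],
                      live_db: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare an archive of sent payment records, kept on a host the interface
    software cannot write to, with the live store. Records deleted from the live
    store or whose fields no longer match are reported by id."""
    deleted = sorted(rid for rid in independent_copy if rid not in live_db)
    altered = sorted(rid for rid in independent_copy
                     if rid in live_db and live_db[rid] != independent_copy[rid])
    return {"deleted": deleted, "altered": altered}


# Constructed sample data (hypothetical paths, not a real product layout).
BASELINE_FILES = {
    "alliance/bin/validator.dll": b"validator v1 (constructed)",
    "alliance/bin/messaging.exe": b"messaging v1 (constructed)",
}
CURRENT_FILES = {
    "alliance/bin/validator.dll": b"validator v1 (constructed) PATCHED",  # one byte-level change
    "alliance/bin/messaging.exe": b"messaging v1 (constructed)",
    "alliance/bin/evtdiag.exe": b"dropped binary (constructed)",          # file not in baseline
}

ARCHIVED_RECORDS = {
    "MSG-0001": {"amount": 20000000, "beneficiary": "ACME-CONSTRUCTED"},
    "MSG-0002": {"amount": 30000000, "beneficiary": "BETA-CONSTRUCTED"},
    "MSG-0003": {"amount": 31000000, "beneficiary": "GAMMA-CONSTRUCTED"},
}
LIVE_RECORDS = {
    "MSG-0001": {"amount": 20000000, "beneficiary": "ACME-CONSTRUCTED"},
    # MSG-0002 has been removed from the live store
    "MSG-0003": {"amount": 1000, "beneficiary": "GAMMA-CONSTRUCTED"},  # amount altered
}


def run_checks() -> dict:
    """Run both checks over the constructed data and return the combined findings."""
    return {
        "files": verify_against_manifest(build_manifest(BASELINE_FILES), CURRENT_FILES),
        "records": reconcile_records(ARCHIVED_RECORDS, LIVE_RECORDS),
    }


if __name__ == "__main__":
    for section, result in run_checks().items():
        print(section, result)
```

Both checks only help if the baseline manifest and the record archive live somewhere the interface host cannot write; otherwise malware with the access described here could adjust them along with the database.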
“I can’t think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in,” Nish said. “I guess it was the realization that the potential payoff made that effort worthwhile.”
Along with issuing a security update, SWIFT intends to publish an alert warning banks how they can protect themselves against evtdiag.exe and other forms of malware.
That security bulletin will likely emphasize the need for basic security controls and defensive measures.
“Whilst we keep all our interface products under continual review and recommend that other vendors do the same, the key defense against such attack scenarios is that users implement appropriate security measures in their local environments to safeguard their systems,” Deteran said, as quoted by Reuters.
Those include the use of a firewall and reputable hardware, which was found to be lacking at the Bangladesh Bank prior to the heist.
Forensic experts’ investigation into the incident is currently ongoing.