In the post SWIFT, Hackers, Casinos and a Billion Dollar Bank Job I gave an overview of what happened and some of the lessons learned from the Bangladesh Bank heist in February 2016. Interestingly, BAE Systems has since released technical details of how they think the hackers managed to cover their tracks. Their article, Two bytes to $951m, is a must read for anyone using SWIFT payments. It is quite technical; as I was reading it I made the following simple notes, which may be useful when you think about payment processing and bank statement reconciliation at your company.
It is important to note that the BAE article does NOT state how the fraudulent payments were entered and approved in the Bangladesh Bank SWIFT Alliance Access system; it explains how the hackers managed to hide those payments so they remained undetected. Also keep in mind the knowledge and the sophisticated methodology the hackers used to make fraudulent payments and then hide the details: could this happen at your company?
1. Install Malware that is able to interact with SWIFT Alliance Access
The important thing to know here is that SWIFT Alliance Access is SWIFT’s messaging software that allows banks and corporates to connect to SWIFT and exchange messages with one another.
The hackers managed to install customised malware at Bangladesh Bank, and it was running on the same network as the SWIFT Alliance Access software.
2. Understand the SWIFT operating environment
The malware provided the hackers with information about the environment, so they came to know important technical details of the Bangladesh Bank setup: which processes were running, the transaction IDs in use and so on. This information was relayed back to a fixed IP address, sometimes referred to as a Command and Control (C2) IP address.
3. Update mandatory SWIFT Payment business checks so they are bypassed
By now the hackers had installed the malware and knew the SWIFT environment, so they went about modifying the SWIFT Alliance Access software so that certain checks were bypassed. The software contained a check that tested for an error; if an error was found, additional validation logic was executed. The malware patched out that error check (the two bytes of the article's title), so the validation that might have revealed a problem was never invoked.
In other words, if any balances were out of sync they wouldn't have been picked up, because the malware suppressed the check that would have flagged the anomaly: everything looked okay!
4. Scan SWIFT FIN Messages and delete fraudulent transactions from the local database
By scanning certain directories on the SWIFT Alliance Access server, and using a lookup file (also installed by the hackers) listing strings to search for, such as "20: Transaction" and "Sender :", the malware identified the messages of interest. Using SQL it then retrieved the Message ID and deleted the transaction from the local database. This removed the details and history of the fraudulent payment from the bank's own records so that it remained undetected.
5. Notify a Command and Control location when somebody logs into or out of SWIFT Alliance Access
All of the Bangladesh Bank SWIFT operating information was relayed back to the Command and Control IP address. This information enabled the hackers to understand how the SWIFT Alliance Access environment was being used: the timing of transactions, when someone logged in or out, which users were active, and so on.
6. Update the Bank Statement Balances to hide Fraudulent Payments
Clearly the hackers knew what an MT940 looks like. By scanning certain directories and using the lookup file, the malware searched for and found key bank statement values such as "62F" (closing balance), "60F" (opening balance) and "19A" (transaction amount). Combining this with the login information from step 5, the hackers could see who was logged on at a given time and use that user's credentials to view and, via SQL, update balances and amounts to the desired values, again hiding the details of any fraudulent payments that had been made.
7. Update Printer Reports to Hide Fraudulent Payment
Having taken care of the balances within SWIFT Alliance Access, the other place a person could potentially spot an unknown transaction is the printed SWIFT payment confirmation messages. Here the malware identified the confirmation messages for the fraudulent payments and manipulated the data sent to the printer, overwriting the information with zeros.
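Steps 4, 6 and 7 have a common theme: every record the bank itself held (the message database, the MT940 balances, the printed confirmations) was altered so that it agreed with every other local record. A reconciliation that only checks the local statement against itself therefore passes. The following Python script is an added example, not code from the original post or from BAE's report: it parses MT940 statements (handling only the :60F:, :61: and :62F: tags), verifies that opening balance plus transactions equals closing balance, and then compares the locally held statement with a copy obtained out of band (for example from the correspondent bank's portal). The two sample statements are constructed for the example; the "local" one has an outgoing :61: entry removed and :62F: rewritten so that the arithmetic still balances, which is the effect described above.

```python
"""Independent MT940 reconciliation check (added example; sample data constructed)."""
import re
from decimal import Decimal

# Tagged field line such as ":61:..."; untagged lines continue the previous field.
TAG_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")
# :60F:/:62F: body: D/C mark, YYMMDD, currency, amount with comma decimal separator.
BAL_RE = re.compile(r"^(?P<dc>[CD])(?P<date>\d{6})(?P<ccy>[A-Z]{3})(?P<amt>\d{1,15},\d{0,2})$")
# :61: body: value date, optional entry date, D/C (or RC/RD), optional funds code,
# amount, 4-char transaction type, then the customer/bank references.
TXN_RE = re.compile(
    r"^(?P<vdate>\d{6})(?P<edate>\d{4})?(?P<dc>R?[CD])(?P<funds>[A-Z])?"
    r"(?P<amt>\d{1,15},\d{0,2})(?P<type>[A-Z][A-Z0-9]{3})(?P<ref>.*)$"
)


def _amount(text):
    return Decimal(text.replace(",", "."))


def _signed(dc, amount):
    # Debits and reversed credits reduce the balance; credits and reversed debits raise it.
    return -amount if dc in ("D", "RC") else amount


def parse_mt940(text):
    """Return opening/closing balances (signed Decimals) and (date, amount, ref) tuples."""
    fields = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = TAG_RE.match(line)
        if m:
            fields.append([m.group(1), m.group(2)])
        elif fields:
            fields[-1][1] += "\n" + line
    stmt = {"opening": None, "closing": None, "currency": None, "transactions": []}
    for tag, body in fields:
        first = body.split("\n")[0]
        if tag in ("60F", "62F"):
            b = BAL_RE.match(first)
            if not b:
                raise ValueError(f"malformed balance :{tag}:{first}")
            stmt["currency"] = b["ccy"]
            stmt["opening" if tag == "60F" else "closing"] = _signed(b["dc"], _amount(b["amt"]))
        elif tag == "61":
            t = TXN_RE.match(first)
            if not t:
                raise ValueError(f"malformed :61:{first}")
            stmt["transactions"].append((t["vdate"], _signed(t["dc"], _amount(t["amt"])), t["ref"].strip()))
    if stmt["opening"] is None or stmt["closing"] is None:
        raise ValueError("statement lacks :60F: or :62F:")
    return stmt


def arithmetic_ok(stmt):
    """Opening balance plus the sum of :61: entries must equal the closing balance."""
    return stmt["opening"] + sum(a for _, a, _ in stmt["transactions"]) == stmt["closing"]


def cross_check(local, independent):
    """Compare the locally held statement with one obtained out of band; empty list means agreement."""
    findings = []
    if local["closing"] != independent["closing"]:
        findings.append(f"closing balance differs: local {local['closing']} vs independent {independent['closing']}")
    local_txns, indep_txns = set(local["transactions"]), set(independent["transactions"])
    for t in sorted(indep_txns - local_txns):
        findings.append(f"transaction missing locally: {t}")
    for t in sorted(local_txns - indep_txns):
        findings.append(f"transaction not on independent statement: {t}")
    return findings


# Constructed sample: the correspondent's copy records a large outgoing transfer.
INDEPENDENT = """:20:STMT160205
:25:ABCDUS33/123456789
:28C:36/1
:60F:C160204USD1000000,00
:61:1602050205C250000,00NTRFNONREF//INCOMING1
:86:Customer payment received
:61:1602050205D81000000,00NTRFFT16036ABCD//OUTGOING9
:86:Transfer to unknown beneficiary
:62F:D160205USD79750000,00
"""
# Constructed sample: the local copy with the outgoing :61: deleted and :62F: rewritten to match.
LOCAL = """:20:STMT160205
:25:ABCDUS33/123456789
:28C:36/1
:60F:C160204USD1000000,00
:61:1602050205C250000,00NTRFNONREF//INCOMING1
:86:Customer payment received
:62F:C160205USD1250000,00
"""


def run_check(local_text=LOCAL, independent_text=INDEPENDENT):
    local, indep = parse_mt940(local_text), parse_mt940(independent_text)
    return {
        "local_arithmetic_ok": arithmetic_ok(local),
        "independent_arithmetic_ok": arithmetic_ok(indep),
        "findings": cross_check(local, indep),
    }


if __name__ == "__main__":
    for key, value in run_check().items():
        print(key, value)
```

Both statements pass the arithmetic check, which is exactly the point: a tampered local copy is internally consistent. Only the comparison against the independently obtained statement reports the missing USD 81,000,000 debit and the differing closing balance, so the out-of-band copy has to come from a channel the Alliance Access host cannot write to.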
8. How to deal with the SWIFT Security Gap
Install the SWIFT security update before 12th May!!!
- Reuters - Exclusive: SWIFT warns customers of multiple cyber fraud cases
- Reuters - Bangladesh Bank hackers compromised SWIFT software, warning issued
- Bobs Guide - Warning: Cyber-attackers used SWIFT for fraud
- TripWire - SWIFT Software Hacked in Bangladesh Bank Heist, Find Researchers
- ARS Technica - Billion dollar bank hack: SWIFT software hacked, no firewalls, £6 switches
- Hacker News - More than 11,000 Global Banks on HIGH ALERT!
- BBC - Bangladesh hack ‘targeted bank system software’
- Bloomberg - Swift Hack Is a Story of Globalization and Poverty
- RT - SWIFT admits international bank transfer system was hacked
- Guardian - Swift: fraudulent messages sent over international bank transfer system