New Age Bank Robbers Steal Millions in Cyber Heists

By Dave Palmer, Director of Technology, Darktrace

Despite the financial sector taking the lead in strengthening their cyber defence, recent studies have found that financial institutions are 300 times more vulnerable to a cyber-attack than any other verticals. And the reality is, financial services companies will permanently remain an attractive target for cybercriminals: if the attackers succeed, the rewards are immediate.

Not only is the frequency increasing, the nature of attacks is changing – they are becoming more sophisticated and harder to detect. Nowadays, we very rarely hear of bank heists in the traditional sense, of masked men holding staff at gunpoint and fleeing with wads of cash.Instead, 2016 has seen a new wave of bank robberies come to prominence: ‘cyberheists’. In February this year, cybercriminals successfully siphoned US$81million from an account held by the Central Bank of Bangladesh. The instructions to steal the money were issued via the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, who facilitate financial transactions for more than 10,000 financial institutions in 212 countries.

The attackers gained access to the bank’s credentials for payment transfers by infiltrating the system in January 2016. They installed malware in Bangladesh Bank’s system which helped them gather information on the bank’s operational procedures for international payments and fund transfers, suggesting it was an inside job. Within one month, the hackers had successfully uncovered the passwords needed to authorise their transactions by logging keystrokes.

Ironically, human error saved the day. Had it not been for a spelling mistake in one of the transfer requests, the damage could have been in the region of US$1 billion. This spelling mistake triggered the alarm, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank. The transaction was stopped,an additional $20 million destined for the Philippines recovered, and 30 other transfer requests, totalling approximately $951 million, were blocked.

It was then discovered that a similar hacking attack on a small Vietnamese bank late last year may have been a practice run for the assault on Bangladesh’s account at the Federal Reserve Bank of New York.Vietnam’s Tien Phong Commercial Joint Stock Bank, known as TPBank, informed the country’s regulators that it had prevented an attempted cyberheist, that had used fraudulent SWIFT messages to try to transfer more than 1 million Euros of funds. BAE Systems also took malware samples from both the Bangladesh and Vietnam bank attacks which appeared to match, supporting the idea that these two attacks are linked.

These breaches highlight the vulnerabilities of bank connections to the SWIFT messaging system, as well as showing how hackers are becoming syndicated and more sophisticated. A particularly significant feature of the Bangladesh cyber heist, is the supply chain vulnerability – a theme we are seeing develop across the wider cyber security landscape. Even if the organisation itself enforces strong security, their third parties may be less resilient and an infection in one of these networks could easily spread. Companies, therefore, are only as strong as their weakest link – from the CEO to office maintenance contractors- every network insider poses a threat. This shows us that perimeter controls like firewalls and anti-virus are not enough – the danger is already inside. Financial institutions, who are particularly at risk to cybercrime due to the sensitivity of their data and size of their networks, need good visibility within their borders if they want to catch attacks in time.

An immune system approach is the answer:machine learning technology which is able to establish a sense of ‘self’ by monitoring the behaviour of all users, devices and the network as a whole to establish a ‘pattern of life’. This in turn enables it to automatically detect abnormal behaviours, which may be indicative of a cyber-attack,in real time, strengthening an organisation’s ability to respond efficiently and mitigate potential risk posed by external and internal threats.

The stats are hair-raising:it takes targeted companies an average of 208 days to realise their systems have been compromised and 67% of investment bank executives believe an attack is highly likely yet only 9% proactively run inward-directed attacks and intentional failures to test their systems on a regular basis. With current security measures, by the time most banks have realised their systems have been compromised, the damage will have been done. As the nature of attacks on financial institutions becomes more sophisticated, so must their approach to cybersecurity.

By Dave Palmer, Director of Technology, Darktrace

Despite the financial sector taking the lead in strengthening their cyber defence, recent studies have found that financial institutions are 300 times more vulnerable to a cyber-attack than any other verticals. And the reality is, financial services companies will permanently remain an attractive target for cybercriminals: if the attackers succeed, the rewards are immediate.

Not only is the frequency increasing, the nature of attacks is changing – they are becoming more sophisticated and harder to detect. Nowadays, we very rarely hear of bank heists in the traditional sense, of masked men holding staff at gunpoint and fleeing with wads of cash.Instead, 2016 has seen a new wave of bank robberies come to prominence: ‘cyberheists’. In February this year, cybercriminals successfully siphoned US$81million from an account held by the Central Bank of Bangladesh. The instructions to steal the money were issued via the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, who facilitate financial transactions for more than 10,000 financial institutions in 212 countries.

The attackers gained access to the bank’s credentials for payment transfers by infiltrating the system in January 2016. They installed malware in Bangladesh Bank’s system which helped them gather information on the bank’s operational procedures for international payments and fund transfers, suggesting it was an inside job. Within one month, the hackers had successfully uncovered the passwords needed to authorise their transactions by logging keystrokes.

Ironically, human error saved the day. Had it not been for a spelling mistake in one of the transfer requests, the damage could have been in the region of US$1 billion. This spelling mistake triggered the alarm, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank. The transaction was stopped,an additional $20 million destined for the Philippines recovered, and 30 other transfer requests, totalling approximately $951 million, were blocked.

It was then discovered that a similar hacking attack on a small Vietnamese bank late last year may have been a practice run for the assault on Bangladesh’s account at the Federal Reserve Bank of New York.Vietnam’s Tien Phong Commercial Joint Stock Bank, known as TPBank, informed the country’s regulators that it had prevented an attempted cyberheist, that had used fraudulent SWIFT messages to try to transfer more than 1 million Euros of funds. BAE Systems also took malware samples from both the Bangladesh and Vietnam bank attacks which appeared to match, supporting the idea that these two attacks are linked.

These breaches highlight the vulnerabilities of bank connections to the SWIFT messaging system, as well as showing how hackers are becoming syndicated and more sophisticated. A particularly significant feature of the Bangladesh cyber heist, is the supply chain vulnerability – a theme we are seeing develop across the wider cyber security landscape. Even if the organisation itself enforces strong security, their third parties may be less resilient and an infection in one of these networks could easily spread. Companies, therefore, are only as strong as their weakest link – from the CEO to office maintenance contractors- every network insider poses a threat. This shows us that perimeter controls like firewalls and anti-virus are not enough – the danger is already inside. Financial institutions, who are particularly at risk to cybercrime due to the sensitivity of their data and size of their networks, need good visibility within their borders if they want to catch attacks in time.

An immune system approach is the answer:machine learning technology which is able to establish a sense of ‘self’ by monitoring the behaviour of all users, devices and the network as a whole to establish a ‘pattern of life’. This in turn enables it to automatically detect abnormal behaviours, which may be indicative of a cyber-attack,in real time, strengthening an organisation’s ability to respond efficiently and mitigate potential risk posed by external and internal threats.

The stats are hair-raising:it takes targeted companies an average of 208 days to realise their systems have been compromised and 67% of investment bank executives believe an attack is highly likely yet only 9% proactively run inward-directed attacks and intentional failures to test their systems on a regular basis. With current security measures, by the time most banks have realised their systems have been compromised, the damage will have been done. As the nature of attacks on financial institutions becomes more sophisticated, so must their approach to cybersecurity.