New Wrinkles in SWIFT Hack: Revealed Adversaries, and an Attempt to Heal

The last time we reported on the SWIFT hack, it appeared to be a nine-day wonder. Tech industry pundits were chuckling about Bangladesh Bank’s lack of security, and the fact that the data breach was stopped in its tracks by something as minor as a typo. As the subsequent weeks and months have borne out, however, it appears that the rot goes much deeper than a single bank in a single country. As similar hacks affect more banks in other countries, and a powerful adversary is revealed, how will SWIFT adjust itself to become more secure?

Victims in SWIFT Breach Are Multiplying

The number of banks affected by the SWIFT hack is now greater than one. It is almost certainly three—and it may be as many as twelve. In December 2015, a Vietnamese bank began to detect anomalous funds requests over SWIFT, determined they were fraudulent, and shut them down. An Ecuadorian bank was not so lucky—attackers who compromised SWIFT using the same methods were able to make off with $9 million. Now, the research firm hired by SWIFT says that an additional nine banks, mostly in Southeast Asia, may have been affected. Here’s the kicker—none of those original three banks informed SWIFT of their respective attacks.

Oh, and here’s the second kicker—those attacks may have been carried out by the same North Korean hacking group that breached Sony Pictures.

No One Expects the North Korean Inquisition!

As is so often the case with these analyses, there is no concrete evidence for this attack being one thing or the other. What we do know is that code snippets found in the malware that was used to attack SWIFT has the same signature as the malicious software that was used in the Sony Pictures breach. Specifically, this was the code that the malware used to clean up after itself, the file-wiping code intended to keep the malware’s operational characteristics away from the eyes of security researchers.

Unfortunately, this link can do little except inflame suspicions. Yes, this codebase is shared with Lazarus, the group which is most notably suspected of breaching Sony Pictures on behalf of North Korea. Unlike the victims of security breaches, however, malware groups often and enthusiastically share data with one another. There are many ways that two APT groups could have acquired the same kind of code.

SWIFT Operators Attempt to Put Fixes in Place

As for SWIFT, the operators of the network are scrambling in an attempt to prevent further attacks of this nature. Although the owners of the system are careful to note that the attackers didn’t breach their systems directly, they are still working on ways to detect the kind of anomalous transactions that would indicate SWIFT being misused.

Broadly speaking, this is an excellent first step. As SentinelOne has proved, behavioral detection works in a way that signature-based antivirus can’t match. The fact that either one or two groups used malware with the same component in common—and still evaded signature-based antivirus years later—is only the latest indictment of traditional endpoint and server protection. Once a robust behavior-detection system is in place, all that’s left to do is make sure that banks actually report these breaches when they occur.

Want to learn more about how SentinelOne can give your enterprise the tools it needs to stop malware in its tracks? Contact us to sign up for a demo today!