On April 30, The New York Times reported that the Federal Reserve Bank of New York had transferred $81 million out of Bangladesh Bank’s account to a bank in the Philippines. Not so bad, right? A large sum of money to most of us, but business as usual for the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. The transfer was authenticated and authorised; by all accounts it was a valid transaction. However, that’s where the story gets interesting and takes a sinister turn. Hackers had set up camp inside Bangladesh’s Central Bank, gathering information that included valid credentials for the SWIFT network. The messages requesting the transfers were therefore genuine as far as SWIFT and the Fed could tell, which allowed the attackers to carry out the brazen theft of $81 million. That raises questions of security for the banks and for SWIFT as the self-proclaimed experts in secure and reliable financial messaging. The fallout of this attack should be enough to force SWIFT to change its third-party connection requirements, especially if it is to remain trusted by the international banking sector. But the question remains: who’s to blame?
Where should improvements be made? Who should be accountable? Should the Bangladesh Central Bank take the rap for being this exposed to hacking for such a prolonged period of time? Alternatively, should we expect more from SWIFT? Who should be responsible for the security of a customer’s connection to the network, and should we expect SWIFT to care about the security controls its customers have, or about the extent to which SWIFT itself is exposed through those customers? I’d suggest that it’s SWIFT that has to change its third-party connection requirements, especially if it is to maintain high levels of transaction integrity. However, this is a simple answer to a complex problem, attacked by an even more complex threat. For now, let’s take a short lesson in threat analysis and look at who might have been behind this $81 million heist.
Advanced Persistent Threat, or APT, is the term information security specialists use to describe a well-resourced, organised group with malicious and often criminal intentions. Advanced, because they are sophisticated: they have organisational structures with logistics, procurement, operational, financial and possibly legal teams all working in a coordinated fashion, and they develop or buy tooling tailored to a target. Persistent, because they play a long game; they will spend months if not years connected to your networks, quietly running reconnaissance and maintaining access, looking for information they can use to achieve their goals. Threat, because eventually they will use that advanced persistence to cause harm: steal money, company secrets, financial statements, manufacturing details or pretty much anything they like.
In my eyes, this attack has some of the indicators of an APT. The New York Times explains that “The hackers seemed to time the attack perfectly: When officials from the Fed [New York Federal Reserve bank] tried to reach out to Bangladesh, it was a weekend and there was no one working. By the time central bankers in Bangladesh discovered the fraud, it was the weekend in New York and the Fed offices were closed.” They report that the crime was concealed through malware that disabled a printer in the Bangladesh Central Bank, the one used to print the bank’s record of SWIFT transfers, in order to prevent officials from seeing the entries relating to the fraudulent transfers. Knowing which printer mattered, and when nobody would be watching at either end, sounds very much like an inside job. However, it would be no ordinary inside job; the insider could well be a plant. Remember, there’s $81 million at stake. If you think these groups don’t play on this scale and to this degree, think again.
Mandiant released a report in 2013 on a specific APT they called, unsurprisingly, APT1. Let me give you some alarming details about what Mandiant discovered in research on APT1 dating back to 2006. These extracts are from the intel report, which you can read for yourself at http://intelreport.mandiant.com/
• Since 2006, Mandiant has observed APT1 compromise 141 companies spanning 20 major industries.
• Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organisations’ leadership.
• For 91 of the 141 companies, APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months.
• Among other large-scale thefts of intellectual property, we have observed APT1 stealing 6.5 terabytes of compressed data from a single organisation over a ten-month time period.
While this is all quite alarming, we nevertheless have to ask ourselves: what does it have to do with the Bangladesh Central Bank and SWIFT? As I said, I believe the attack on the Bangladesh Central Bank was the work of an as yet unidentified APT group, and I believe that the bank needs to do more. Furthermore, SWIFT has limited control over the security of the banks and financial institutions that use its network, and over what security controls they put in place. That said, SWIFT arguably has the most to lose, so you’d think it would try to impose some kind of baseline security control set as a condition of joining the network.
Disturbingly, the New York Times reported that SWIFT itself had admitted the thieves had carried out similar heists at other banks on its network by sneaking into the heart of the global banking system. For SWIFT to maintain the integrity of its service, it really needs to start enforcing minimum security requirements for all customers connecting to the network. Banks are no strangers to audits, so why should SWIFT be any different? It could demand a minimum standard of security controls, similar to PCI-DSS, then audit customers connected to its network to ensure compliance.
SWIFT is the one ring that binds them all. It is in the perfect position to actually effect change in this saga, offering the integrity of service that its user base surely demands. Come on SWIFT, serve and protect.