SWIFT, established in 1973, facilitates secure messaging for interbank financial transactions, serving approximately 11,000 financial institutions globally. Cyber attacks on SWIFT primarily exploit vulnerabilities in the systems of member banks, allowing attackers to issue fraudulent transfer requests. These attacks often involve malware, social engineering, and insider threats, with the primary motivation being financial gain through unauthorized fund transfers.
The 2016 Bangladesh attack, where hackers stole $81 million using malware to manipulate SWIFT client software (Alliance Access), set a benchmark for understanding these threats. However, subsequent attacks reveal a pattern of similar tactics, with variations in execution and outcomes.
Detailed Examination of Notable Cyber Attacks on SWIFT
Central Bank of Ecuador Attack (January 2015)
Incident Details:
- Target: Banco del Austro (BDA), Ecuador.
- Loss: $12 million stolen.
- Impact: One of the earliest known SWIFT-related attacks, highlighting credential theft as a primary attack vector.
In January 2015, Banco del Austro (BDA) in Ecuador suffered a cyber heist where hackers stole approximately $12.2 million. The attack involved gaining remote access to BDA’s systems outside normal hours and using stolen SWIFT credentials to send fraudulent instructions to Wells Fargo, transferring funds to accounts in Hong Kong, Dubai, and Los Angeles.
The attack used malware to access SWIFT codes, similar to the Bangladesh case, and exploited operational controls, possibly aided by insider knowledge. The hackers likely compromised the bank’s systems to obtain SWIFT logon credentials, enabling them to send unauthorized transfer requests. The attack was not initially reported to SWIFT; it came to light later through a lawsuit filed by BDA against Wells Fargo.
Methodology:
- Credential Theft:
  - Attackers obtained legitimate SWIFT credentials through phishing or social engineering.
  - They likely targeted employees with privileged access to the SWIFT system.
- Fraudulent Transactions:
  - Using the stolen credentials, the attackers logged into the SWIFT Alliance Access software.
  - They manually created fraudulent SWIFT messages to transfer funds to overseas accounts.
- Lack of Detection:
  - The bank did not have adequate logging or monitoring mechanisms in place to detect unauthorized transactions.
  - The absence of multi-factor authentication (MFA) made it easier for attackers to use stolen credentials.
Technical Insights:
- Exploited Weaknesses:
  - Reliance on single-factor authentication for accessing SWIFT systems.
  - Insufficient monitoring of SWIFT transactions.
- Tools Used:
  - Standard SWIFT Alliance Access software (no malware involved; attackers relied on legitimate credentials).
Impact: The financial loss was significant, and BDA later blamed Wells Fargo for not flagging the unusual timing and large amounts, highlighting coordination issues in fraud detection.
Source: Ecuadorean Bank Loses $12 million via SWIFT
Tien Phong Commercial Joint Stock Bank (TPBank), Vietnam Attack (Q4 2015)
- Target: Tien Phong Bank, Vietnam.
- Loss: No funds stolen; attack detected before execution.
- Impact: Demonstrated that the Bangladesh Bank heist was part of a broader campaign targeting SWIFT users.
Incident Details: In the fourth quarter of 2015, TPBank in Vietnam detected and thwarted an attempted cyber heist aiming to transfer over $1.1 million (more than 1 million euros) via fraudulent SWIFT messages. The attack was stopped before any funds were lost, with no impact on the SWIFT system or on bank-customer transactions. The bank identified the suspicious requests as fraudulent SWIFT messages and halted the transfers by immediately contacting the parties involved.
The attack involved malware targeting a third-party service used by TPBank to connect to SWIFT, indicating a supply chain vulnerability. The malware was likely designed to manipulate SWIFT messages, but the bank’s rapid detection prevented any financial loss. The bank has since stopped using the outside vendor on SWIFT’s advice, suggesting the attack exploited the vendor’s infrastructure.
Methodology:
- Initial Compromise:
  - Attackers infiltrated the bank’s network using phishing emails containing malicious attachments.
  - Once inside, they moved laterally to access the SWIFT Alliance Access server.
- Malware Deployment:
  - Similar to the Bangladesh Bank attack, the attackers deployed custom malware to manipulate SWIFT transactions.
  - The malware was designed to:
    - Create fraudulent SWIFT messages.
    - Modify transaction logs to hide evidence of unauthorized activity.
    - Disable alerting mechanisms to avoid detection.
- Detection:
  - The bank’s IT team noticed unusual activity on the SWIFT server and raised the alarm before any funds were transferred.
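The log-tampering capability described in the methodology above (modifying transaction logs to hide unauthorized messages) is only effective when the log can be rewritten in place without anyone noticing. The following is an added example, not code from the original page or from any bank or SWIFT product, of a hash-chained, keyed transaction journal: each entry's HMAC covers the previous entry's hash, so editing or deleting an entry breaks the chain at a verifiable point. The key name, record fields and sample transactions are constructed for the demonstration.

```python
# Added example (not from the original page): a hash-chained, keyed journal of
# outbound payment records so that in-place edits or deletions, like the log
# tampering described above, are detectable on verification.
import hashlib
import hmac
import json

# Constructed key. In a real deployment it would live with a separate
# log-integrity service, not on the SWIFT interface host, so malware on
# that host cannot simply re-sign the entries it rewrites.
JOURNAL_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # hash value the first entry chains to


def entry_digest(prev_hash: str, record: dict) -> str:
    """HMAC-SHA256 over the previous hash and the canonical JSON of this record."""
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(JOURNAL_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(journal: list, record: dict) -> dict:
    """Append a record, chaining it to the hash of the previous entry."""
    prev = journal[-1]["hash"] if journal else GENESIS
    entry = {"record": dict(record), "prev": prev}
    entry["hash"] = entry_digest(prev, entry["record"])
    journal.append(entry)
    return entry


def verify_journal(journal: list):
    """Walk the chain; return (ok, index of the first inconsistent entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(journal):
        if entry["prev"] != prev:
            return False, i  # chain link points at the wrong predecessor
        if not hmac.compare_digest(entry["hash"], entry_digest(prev, entry["record"])):
            return False, i  # record content no longer matches its digest
        prev = entry["hash"]
    return True, None


def build_sample_journal() -> list:
    """Constructed sample outbound payment records (not real transactions)."""
    journal = []
    for rec in [
        {"ref": "TX0001", "amount": 25000.00, "ccy": "USD", "bene_country": "US"},
        {"ref": "TX0002", "amount": 900000.00, "ccy": "USD", "bene_country": "HK"},
        {"ref": "TX0003", "amount": 12000.00, "ccy": "USD", "bene_country": "GB"},
    ]:
        append_entry(journal, rec)
    return journal


def tamper_demo() -> tuple:
    """Rewrite one entry's amount, as log-hiding malware would, and re-verify."""
    journal = build_sample_journal()
    ok_before, _ = verify_journal(journal)
    journal[1]["record"]["amount"] = 9.00  # shrink the large transfer after the fact
    ok_after, bad_index = verify_journal(journal)
    return ok_before, ok_after, bad_index


def deletion_demo() -> tuple:
    """Delete an entry outright; the chain breaks at the entry that followed it."""
    journal = build_sample_journal()
    del journal[1]
    ok, bad_index = verify_journal(journal)
    return ok, bad_index


if __name__ == "__main__":
    print(tamper_demo())    # (True, False, 1)
    print(deletion_demo())  # (False, 1)
```

One caveat the chain alone does not cover: truncating the tail of the journal (deleting the most recent entries) leaves a shorter but internally consistent chain. Detecting that requires the latest hash to be recorded off-host, for example by forwarding each new entry's hash to a separate system or to the reconciliation process that matches instructions against confirmations.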
Technical Insights:
- Exploited Weaknesses:
  - Poor email security practices allowed phishing emails to bypass defenses.
  - Lack of endpoint protection enabled the malware to execute undetected.
- Tools Used:
  - Malware similar to that used in the Bangladesh Bank attack, indicating a shared modus operandi.
Impact: No financial loss occurred, but the incident underscored the importance of rapid detection and the risks posed by third-party vendors.
Source: Vietnam’s Tien Phong Bank says it was second bank hit by SWIFT cyberattack
Unnamed Commercial Bank Attack (2016)
- Incident Details: In May 2016, SWIFT warned of a second malware attack similar to the Bangladesh heist, targeting an unnamed commercial bank. The specifics, including the bank’s identity and how much money, if any, was stolen, were not disclosed, but SWIFT’s warning suggests the attack was part of a broader campaign.
- Method: The attack used techniques and tools resembling those in the Bangladesh and Vietnam cases, suggesting a coordinated campaign by sophisticated actors, possibly aided by malicious insiders. Malware was likely used to compromise the bank’s systems, enabling the injection of fraudulent SWIFT messages to transfer funds to attacker-controlled accounts.
- Impact: The lack of detailed information limits understanding, but it indicates ongoing threats and the potential for unreported incidents.
- Source: SWIFT says second bank hit by malware attack
Additional Insights and Trends
- Frequency and Scope: An Eastnets survey from July 2022 found that over four-fifths of banks surveyed had experienced SWIFT-related cyber attacks since 2016, with the problem worsening annually. This suggests a high incidence of attempted fraud, though many may go unreported due to reputational concerns.
- Tactics, Techniques, and Procedures (TTPs): Reports indicate attackers often compromise user workstations in preliminary stages, target banks in high-risk regions (e.g., Africa, Central Asia, East and South East Asia, Latin America), and use the SWIFT interface GUI for fraudulent payments, avoiding back-office systems.
- Evolving Threats: SWIFT’s Customer Security Programme (CSP), launched in 2016, aims to enhance security through mandatory and advisory controls, but attackers continue to adapt, with increased sophistication in malware and social engineering tactics.
Comparative Analysis
The table below summarizes the key attributes of the discussed attacks for comparison:
| Bank/Location | Year | Amount Stolen/Attempted | Method | Outcome |
|---|---|---|---|---|
| Central Bank of Ecuador | 2015 | $12.2 million | Malware, stolen SWIFT credentials | Funds stolen, lawsuit filed |
| TPBank, Vietnam | 2015 | $1.1 million (attempted) | Malware via third-party vendor | Attack thwarted, no loss |
| Unnamed Commercial Bank | 2016 | Unknown | Malware, similar to Bangladesh | Details undisclosed |
Potential Other Types of Attacks
While the primary attacks focus on financial theft, there have been threats of other types, such as Distributed Denial-of-Service (DDoS) attacks. In 2023, groups like Killnet, Anonymous Sudan, and REvil threatened destructive attacks on SWIFT, potentially sanctioned by state actors, but no actual DDoS incidents on SWIFT were reported, suggesting these remain potential rather than popular threats.
Eavesdropping attacks, involving intercepting data in transit, were considered, but no specific reports on SWIFT were found, likely due to the network’s encrypted messaging. Social engineering, including spear-phishing, may be a preliminary step in gaining access, but it’s not reported as a standalone popular attack type on SWIFT.
Implications and Recommendations
These attacks underscore the need for robust cybersecurity measures, including:
- Regular system reviews and updates as recommended by SWIFT.
- Training staff to recognize cyber risks and mitigate social engineering attempts.
- Implementing advanced fraud detection tools, such as behavioral analytics and attack simulations.
- Enhancing third-party vendor security to prevent supply chain attacks.
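Two passages above describe what was missing on the detection side: the Ecuador case lacked monitoring able to flag instructions sent outside normal hours for unusually large amounts, and the recommendations call for behavioral analytics. The following is an added example, not code from the original page or from any vendor product, of rule-based screening over outbound payment instructions. The records, the baseline of "normal" activity, the business-hours window and the thresholds are all constructed assumptions; the fields are a simplified stand-in for the data a payment instruction carries.

```python
# Added example (not from the original page): screening outbound payment
# instructions against a baseline of the bank's own past activity, flagging
# off-hours release, unusually large amounts, first-time beneficiary countries
# and bursts of instructions from a single operator.
from datetime import datetime
from statistics import mean, pstdev

BUSINESS_HOURS = (8, 18)   # assumed local release window: 08:00 to 17:59 on weekdays
VELOCITY_WINDOW_S = 600    # assumed: 3+ instructions by one operator in 10 minutes is unusual
VELOCITY_COUNT = 3
Z_THRESHOLD = 3.0          # amount more than 3 baseline standard deviations above the mean

# Constructed baseline of past, legitimate outbound instructions (weekday, daytime).
BASELINE = [
    {"ref": "B001", "ts": "2015-01-05T10:12:00", "amount": 40000.0, "bene_country": "US", "operator": "ops1"},
    {"ref": "B002", "ts": "2015-01-06T11:40:00", "amount": 25000.0, "bene_country": "GB", "operator": "ops2"},
    {"ref": "B003", "ts": "2015-01-07T09:05:00", "amount": 55000.0, "bene_country": "DE", "operator": "ops1"},
    {"ref": "B004", "ts": "2015-01-07T14:22:00", "amount": 30000.0, "bene_country": "US", "operator": "ops2"},
    {"ref": "B005", "ts": "2015-01-08T16:01:00", "amount": 45000.0, "bene_country": "GB", "operator": "ops1"},
    {"ref": "B006", "ts": "2015-01-09T13:47:00", "amount": 35000.0, "bene_country": "US", "operator": "ops1"},
]

# Constructed batch to screen: two routine instructions plus a weekend night burst.
NEW_INSTRUCTIONS = [
    {"ref": "N001", "ts": "2015-01-12T11:00:00", "amount": 50000.0, "bene_country": "US", "operator": "ops1"},
    {"ref": "N002", "ts": "2015-01-17T02:15:00", "amount": 1200000.0, "bene_country": "HK", "operator": "ops2"},
    {"ref": "N003", "ts": "2015-01-17T02:20:00", "amount": 800000.0, "bene_country": "AE", "operator": "ops2"},
    {"ref": "N004", "ts": "2015-01-17T02:24:00", "amount": 950000.0, "bene_country": "US", "operator": "ops2"},
    {"ref": "N005", "ts": "2015-01-13T15:30:00", "amount": 30000.0, "bene_country": "GB", "operator": "ops1"},
]


def off_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def amount_threshold(baseline: list) -> float:
    """Amount above which an instruction counts as unusually large for this bank."""
    amounts = [r["amount"] for r in baseline]
    return mean(amounts) + Z_THRESHOLD * pstdev(amounts)


def screen(instructions: list, baseline: list) -> dict:
    """Return {ref: [flags]} for every instruction in the batch."""
    threshold = amount_threshold(baseline)
    known_countries = {r["bene_country"] for r in baseline}
    parsed = [(r, datetime.fromisoformat(r["ts"])) for r in instructions]
    results = {}
    for rec, ts in parsed:
        flags = []
        if off_hours(ts):
            flags.append("off_hours")
        if rec["amount"] > threshold:
            flags.append("large_amount")
        if rec["bene_country"] not in known_countries:
            flags.append("new_beneficiary_country")
        # Burst check: instructions by the same operator within the window, self included.
        burst = sum(
            1 for other, ots in parsed
            if other["operator"] == rec["operator"]
            and abs((ots - ts).total_seconds()) <= VELOCITY_WINDOW_S
        )
        if burst >= VELOCITY_COUNT:
            flags.append("velocity")
        results[rec["ref"]] = flags
    return results


def escalate(results: dict, min_flags: int = 2) -> list:
    """References that trip at least min_flags rules and should be held for review."""
    return sorted(ref for ref, flags in results.items() if len(flags) >= min_flags)


if __name__ == "__main__":
    screened = screen(NEW_INSTRUCTIONS, BASELINE)
    for ref, flags in screened.items():
        print(ref, flags or "clean")
    print("hold for review:", escalate(screened))
```

The point of requiring two or more flags before holding an instruction is to keep a single late-running batch or a genuinely new counterparty from stopping legitimate traffic, while a combination such as weekend night, far above baseline amount and first-time destination, which is the shape of the Ecuador transfers, is held before release. In practice the baseline would be rebuilt regularly from the bank's own confirmed history, and the screening would run on a system separate from the SWIFT interface host so that a compromise of that host cannot silence it.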
The unreported nature of many attacks, as noted in the Ecuador case, suggests a broader threat landscape, necessitating increased information sharing and community-wide collaboration, as facilitated by SWIFT’s Information Sharing and Analysis Centre (ISAC).
Conclusion
The other popular cyber attacks on SWIFT, beyond the Bangladesh incident, include the 2015 Ecuador bank heist and the attempted 2015 Vietnam bank attack, both involving malware to send fraudulent transfer requests. These incidents, along with the unnamed 2016 attack, highlight the persistent and evolving threat to the SWIFT network, emphasizing the importance of continuous security enhancements and vigilance.