2016 will be remembered as a record year for bank cyber heists – a record likely to be broken in 2017.
Over 11,000 financial institutions, from 212 countries, use SWIFT, the global provider of secure financial messaging services, every day to transmit billions of dollars globally. 2016 showed a notable increase in sophisticated cyber heists targeting some of these financial institutions, with more than a dozen banks worldwide reporting a breach of their connection to the wire transfer network.
The largest reported cyber theft of 2016 took place in February when hackers stole $81M from the Bangladesh Bank, laundering it through several Philippines casinos. Our attack brief outlines how the attackers gained entry to the bank’s network and moved laterally, using malware to send fraudulent wire transfer requests to the Federal Reserve Bank of New York. An alert employee noticing a typo ended up being the only thing that got between the cyber criminals and their goal of stealing nearly a billion dollars. The attack revealed how a weak link in the global financial network could open financial institutions to advanced and very targeted cyber attacks.
As we mentioned in an earlier blog, cyber thieves also gained access to the legitimate wire transfer credentials of an employee of Banco del Austro in Ecuador, to successfully transfer $12M and, in June, cyber criminals stole $10M from a Ukrainian bank, copying the method used against the Bangladesh Bank.
Last week, Russia reported their central bank has been under attack throughout 2016 and lost approximately 2 billion rubles (about $31M USD) from hackers targeting commercial banks. It is still unknown who was behind these attacks and how the funds were stolen but early forensics point to similarities of the Bangladesh attack and the other 2016 aforementioned cyber heists.
The success of such brazen attacks has been eye opening for financial institutions and for the organization behind the wire transfer system that had been considered impenetrable.
Gartner analyst Avivah Litan recently told Bank Info Security that SWIFT “didn’t seem to have some of the very basic fraud-detection controls that could have stopped the heists – looking for abnormal payees, looking for remote account takeover, looking for abnormal access. These are all fraud-detection measures that the U.S. regulators have mandated that U.S. banks put in.”
Lessons to Learn from Cybersecurity Breaches
Recently Reuters discussed the challenges with illusive networks CEO Shlomo Touboul. Banks are dramatically under-reporting attacks because they’re worried about regulatory action or damage to their brand, shaking customers’ confidence, and reducing stock values. Some countries, like the UK, do not require reporting to authorities or customers on cyber attacks. But the sophisticated attacks of 2016 ended up shining a major spotlight on the industry’s weaknesses.
In order to tip the scales back in favor of defenders, illusive networks introduced Wire Transfer Guard™, the first cyber deception technology built specifically to detect, divert and mitigate advanced attacks on wire transfer networks. Using sophisticated deception techniques , Wire Transfer Guard deploys a purpose-built family of deceptions to lure attackers to multiple decoy wire transfer systems, provides real-time source-based forensics, and detects attacker’s lateral movements aimed at the global wire service network in real-time. Because the attackers cannot distinguish the decoy or deception data from the real wire transfer network data, they are unable to gain the valuable information they’re targeting.
Wire Transfer Guard combined with illusive networks’ Attacker View™, which reveals all attack paths to the network, enables defenders to understand where their network is exposed and make calculated decisions on how to optimize their deception policy and improve their IT security posture significantly.
No arrests have been made in the February 2016 Bangladesh cyber heist, despite a tremendous team investigation between the FBI, Interpol, Bangladesh police and Philippine authorities. To date, only $15M has been recovered.
These advanced cyber crimes of 2016 make it abundantly clear that a proactive approach to cybersecurity is necessary. In our new report, we examine and explain why the financial industry must move from a focus on prevention security to one that is continuously monitoring the network to detect attackers early, and delivers detailed forensic data that can be used to mitigate attacks before sensitive data is compromised.
All SWIFT trademarks are owned by S.W.I.F.T. SCRL, Avenue Adèle 1, 1310 La Hulpe, Belgium
Subscribe to the Proofpoint Blog