The recent cyber heist at Bangladesh’s central bank suggests the SWIFT payment platform at the heart of the global financial system is more vulnerable to hackers than previously understood, according to a report by U.K. security researchers.
BAE Systems said Monday that once the attackers, using malware, got inside the Bangladesh Bank’s computer network, the hackers modified the Alliance Access server software, which banks use to interface with SWIFT’s messaging platform, so they could make fraudulent cash transfers and hide the evidence.
SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is used by 11,000 banks and other institutions. The still-unidentified hackers tried to make fraudulent transfers totaling $951 million from the Bangladesh bank’s account at the Federal Reserve Bank of New York, of which $81 million is still unaccounted for.
The malware used in the attack targeted “a specific victim infrastructure, but the general tools, techniques and procedures used in the attack may allow the gang to strike again,” BAE said in a blog post. “All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed.”
Investigators probing the heist had previously said the hackers had broken into Bangladesh Bank computers and taken control of credentials that were used to log into the SWIFT system. “The BAE research shows that the SWIFT software on the bank computers was probably compromised in order to erase records of illicit transfers,” Reuters said.
SWIFT told Reuters it was aware of malware targeting its client software and had released a software update to “assist customers in enhancing their security and to spot inconsistencies in their local database records.” It also has warned financial institutions to scrutinize their security procedures.
According to Bangladesh police, the bank’s computer security measures were seriously deficient, lacking even basic precautions like firewalls and relying on used, $10 switches in its local networks.
BAE said the custom malware contained “sophisticated functionality for interacting with local Swift Alliance Access software running in the victim infrastructure.”