Skip to main content
close search
site logo

Bangladesh Bank Hack Exploited SWIFT Software

Published April 26, 2016
By Matthew Heller

The recent cyber heist at Bangladesh’s central bank suggests the SWIFT payment platform at the heart of the global financial system is more vulnerable to hackers than previously understood, according to a report by U.K. security researchers.

BAE Systems said Monday that once the attackers, using malware, got inside the Bangladesh Bank’s computer network, the hackers modified the Alliance Access server software, which banks use to interface with SWIFT’s messaging platform, so they could make fraudulent cash transfers and hide the evidence.

SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is used by 11,000 banks and other institutions. The still-unidentified hackers tried to make fraudulent transfers totaling $951 million from the Bangladesh bank’s account at the Federal Reserve Bank of New York, of which $81 million is still unaccounted for.

The malware used in the attack targeted “a specific victim infrastructure, but the general tools, techniques and procedures used in the attack may allow the gang to strike again,” BAE said in a blog post. “All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed.”

Investigators probing the heist had previously said the hackers had broken into Bangladesh Bank computers and taken control of credentials that were used to log into the SWIFT system. “The BAE research shows that the SWIFT software on the bank computers was probably compromised in order to erase records of illicit transfers,” Reuters said.

SWIFT told Reuters it was aware of malware targeting its client software and had released a software update to “assist customers in enhancing their security and to spot inconsistencies in their local database records.” It also has warned financial institutions to scrutinize their security procedures.

According to Bangladesh police, the bank’s computer security measures were seriously deficient, lacking even basic precautions like firewalls and relying on used, $10 switches in its local networks.

BAE said the custom malware contained “sophisticated functionality for interacting with local Swift Alliance Access software running in the victim infrastructure.”

Editors' pick

  • Calendar
    Image attribution tooltip
    Misha Shutkevych via Getty Images
    Image attribution tooltip
    Tracker

    CFO Annual Conferences and Events Tracker

    CFO’s annual conference and events calendar tracker ensures finance executives know about the most essential in-person events.

    By CFO Editorial Team • Updated Dec. 4, 2023

Company Announcements

View all | Post a press release
Wealth Inequality the Result of Pure Randomness, Tufts University Study Suggests
From Society for Industrial and Applied Mathematics
November 21, 2023

Want to share a company announcement with your peers?

Get started

Read next
  • Calendar
    Image attribution tooltip
    Misha Shutkevych via Getty Images
    Image attribution tooltip
    Tracker

    CFO Annual Conferences and Events Tracker

    CFO’s annual conference and events calendar tracker ensures finance executives know about the most essential in-person events.

    By CFO Editorial Team • Updated Dec. 4, 2023
image/svg+xml
Industry Dive is an Informa business
© 2023 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell