It takes changing sixteen characters to steal $951M! No kidding!

It happened in February, and the investigators had some bad news today. They found that five careless clerks' ignorance helped the hackers have their way. “They were negligent, careless and indirect accomplices,” Reuters reported, adding that “attackers had exploited vulnerabilities in the bank’s information security defenses”.

The attackers used the SWIFT wire-transfer network, and the initial amount was as much as $951M! The CBB finally recovered all of it except $81M, which evaporated through casinos in the Philippines. The investigators included the FBI, Interpol, and the Bangladeshi and Philippine police forces. The hackers? They aren’t identified, nor found – yet.

The Bangladeshi politicians first pointed a finger at the New York Fed for not blocking the transaction. The answer explained that the transaction seemed legitimate, the attackers used valid identifiers, and the target bank – tadamm! – didn’t have proper information security controls, which should have stopped the hackers in the first place. The attackers used malware and operated remotely.

But what was this malware, and how could it steal $951M? BAE Systems Applied Intelligence security researcher Sergei Shevchenko explains this:

The tool was “custom made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software as well as good malware coding skills,” says Sergei.

The SWIFT organization went even further. They threatened to openly name poorly performing financial institutions that lack the minimum information security policies and procedures, and to blacklist them from using the SWIFT system.

No wonder SWIFT is angry. The hacktool modified two bytes (sixteen characters of code!) in SWIFT’s very own software, patching an authentication procedure and changing its result from failed to success. Two bytes! Sergei sums it up: “By modifying the local instance of SWIFT Alliance Access software, the malware grants itself the ability to execute database transactions within the victim network.”
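As an added illustration (not code from this post or from BAE's analysis), here is the defensive counterpart of such a two-byte patch: a file-integrity baseline over a constructed stand-in image, showing that even a two-byte change to an installed vendor binary fails the hash check and can be pinpointed by offset. The image, offsets and replacement bytes are all constructed; nothing here is SWIFT's software.

```python
import hashlib

# Constructed sample image standing in for an installed vendor binary (not SWIFT's code).
KNOWN_GOOD = bytes(range(256)) * 4          # 1024 bytes of "known-good" content


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(image: bytes) -> dict:
    """What a defender records at install time: size plus a cryptographic hash."""
    return {"size": len(image), "sha256": sha256_hex(image)}


def check_integrity(baseline: dict, image: bytes) -> bool:
    """True only if the on-disk image still matches the recorded baseline."""
    return len(image) == baseline["size"] and sha256_hex(image) == baseline["sha256"]


def diff_offsets(known_good: bytes, image: bytes) -> list:
    """Offsets where the current image differs from a retained known-good copy.
    A size change is reported as every offset beyond the shorter image."""
    shared = min(len(known_good), len(image))
    changed = [i for i in range(shared) if known_good[i] != image[i]]
    changed.extend(range(shared, max(len(known_good), len(image))))
    return changed


def with_bytes_replaced(image: bytes, offset: int, replacement: bytes) -> bytes:
    """Constructed test input: the same image with a few bytes overwritten."""
    return image[:offset] + replacement + image[offset + len(replacement):]


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    # Constructed two-byte change at an arbitrary offset; the original bytes there are 0x00 0x01.
    tampered = with_bytes_replaced(KNOWN_GOOD, 512, b"\xff\xfe")
    print("untouched image passes:", check_integrity(baseline, KNOWN_GOOD))
    print("tampered image passes:", check_integrity(baseline, tampered))
    print("changed offsets:", diff_offsets(KNOWN_GOOD, tampered))
```

In practice the baseline hashes would be stored off-host (or signed) and compared on a schedule or at service start, so a silent patch to the local installation is noticed before it can be used.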

The events once again highlight the need for SOCs (Security Operations Centers), with policies, equipment and several layers of security, which could provide an elementary safety net for financial institutions. Frankly, it’s quite scary that SWIFT has to threaten any institution, instead of the banks themselves developing up-to-date security. Without SOCs and awareness, hacking a bank is not simply an easy thing. It’s a deed openly asked for!

Laziness and negligence on the bank’s side also contributed, and that can be addressed by training and more selective employment policies. Somehow, the human factor is commonly underestimated. I’m actively wondering: why?