How SWIFT’ly the attacks come!

Payment and transfer clearing systems are the real targets.
The breaches that make the news are the sensational ones. Heartland Payment Systems, Equifax, and JP Morgan all had front-page headlines. These attacks against their customers’ data brought the government and the general public to their feet, clamoring for better protection. And to the credit of the financial industry, they have responded: the size and frequency of breaches have dropped. Take for example the BMO and Simplii breaches in Canada. The attackers didn’t get millions of accounts, but rather tens of thousands. And unlike other breaches, the hackers demanded cryptocurrency and held the stolen data “hostage” while they waited for the ransom to be paid. This is a cyber variation of taking a bank manager or another employee hostage to get money from the bank. Unlike the real-world hostage situation, however, this type of cyberattack offers no “all clear” signal that tells the bank it is safe again.

The question is, why did the hackers want payment from the bank rather than from other cybercriminals? The reason is simple: the bank is where the real-world money resides. There has been an increase in attacks against financial institutions, not for personally identifiable information (PII) but for the cash the banks hold.

So what is happening? The bad guys have realized there is more money for them in stealing the bank’s money than in selling customer information. It makes sense. The level of effort to breach a bank for either data theft or money theft is roughly the same. If they breach the bank and steal the data, they still need to hold it, clear it, and get paid. When they steal money, they already have their payment, and the financial system itself provides a ready way to move the money and get access to physical cash.

Two early successful attacks of this type involved Bangladesh Central Bank and Sonali Bank. These showed that large amounts of money could be stolen and moved to other banks or individuals for withdrawal. Had it not been for human error on the hackers’ part, hundreds of millions could have been stolen. More recently, the attacks against Banco de Chile show that the attacks are now squarely focused on money theft. The attacks are not against the banks’ physical premises but against the underlying settlement systems the banks use. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a global settlement system that dates back to 1977. Before then, international bank transfers were done using telex.

It is not surprising that a system designed in the 1970s would be susceptible to modern cyber attacks. The attack against Banco de Chile used a variant of existing malware. The malware itself was a diversion: it wiped the boot records of the machines involved in the attack. Bricking those computers slowed the incident response and bought time for the fraudulent transfers to make their way through the system. It is not yet clear what malware was used to access the SWIFT system, but that system was the real target here, not the destruction of the bank’s infrastructure.

So why wouldn’t existing cybersecurity technologies catch this attack? After all, it was a variation on well-known malware. The problem is that most cybersecurity products today are backward facing: they look for what has already taken place, in anticipation of it happening again. “Watching” for known attacks is no longer enough. A small change to an attacker’s Tactics, Techniques, or Procedures (TTPs) is often enough to get past existing technology. What doesn’t change is the behavior the attack produces. Leveraging a tool like security analytics could have provided the warning that something was amiss and allowed the bank to look more deeply at the early indications of a potential compromise. Since this attack took place on the endpoint, I also recommend reading a recent blog by my colleague, Ron Chittaro, on detecting fileless malware with endpoint UEBA, as well as my own post on detecting zero-day attacks with security analytics.
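To make the “behavior doesn’t change” point concrete, here is an added example (not code from the original post, from SWIFT, or from any analytics product) of the kind of behavioral baselining a security-analytics tool performs on payment activity. It builds a per-operator profile from historical transfer records and scores new transfers against that profile instead of matching a malware signature, so a renamed or recompiled tool makes no difference to the detection. The record layout, operator and beneficiary names, amounts, and thresholds are all constructed assumptions for illustration; they are not real SWIFT message fields or real thresholds.

```python
"""Behavioral baselining of payment-message activity (constructed example).

A per-operator profile is built from historical transfers; each new transfer
is scored for an amount outlier, a never-seen beneficiary, off-hours activity,
and a burst of transfers in a short window.  None of this depends on knowing
which malware drove the activity.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: (ISO timestamp, operator id, beneficiary bank code, amount).
HISTORY = [
    ("2018-05-01T09:15:00", "op1", "BANKUS33", 12_000),
    ("2018-05-02T10:05:00", "op1", "BANKUS33", 15_500),
    ("2018-05-03T11:20:00", "op1", "BANKGB22", 9_800),
    ("2018-05-04T14:40:00", "op1", "BANKUS33", 13_200),
    ("2018-05-07T09:50:00", "op1", "BANKGB22", 11_000),
    ("2018-05-08T16:10:00", "op1", "BANKUS33", 14_100),
    ("2018-05-09T10:30:00", "op1", "BANKGB22", 12_700),
    ("2018-05-10T13:05:00", "op1", "BANKUS33", 10_900),
]

# Constructed new activity: two routine transfers, then a burst that looks like
# fraud (small hours, unknown beneficiaries, amounts far above the baseline).
NEW = [
    ("2018-05-11T10:00:00", "op1", "BANKUS33", 12_900),
    ("2018-05-11T15:30:00", "op1", "BANKGB22", 11_400),
    ("2018-05-12T02:14:00", "op1", "NEWBKPH22", 480_000),
    ("2018-05-12T02:16:00", "op1", "NEWBKPH22", 510_000),
    ("2018-05-12T02:19:00", "op1", "NEWBKLK11", 495_000),
]

Z_THRESHOLD = 3.0        # assumed: amounts more than 3 sigma above mean are outliers
BURST_WINDOW_SEC = 600   # assumed: 10-minute velocity window
BURST_COUNT = 3          # assumed: 3 or more transfers in the window is a burst


@dataclass
class Profile:
    """What 'normal' looks like for one operator, learned from history."""
    amounts: list = field(default_factory=list)
    beneficiaries: set = field(default_factory=set)
    hours: list = field(default_factory=list)


def build_profiles(history):
    """Aggregate historical transfers into one Profile per operator."""
    profiles = defaultdict(Profile)
    for ts, operator, beneficiary, amount in history:
        p = profiles[operator]
        p.amounts.append(amount)
        p.beneficiaries.add(beneficiary)
        p.hours.append(datetime.fromisoformat(ts).hour)
    return profiles


def score_transfers(history, new):
    """Return one dict per new transfer with the list of reasons it deviates."""
    profiles = build_profiles(history)
    recent = defaultdict(list)  # operator -> timestamps inside the burst window
    results = []
    for ts, operator, beneficiary, amount in new:
        when = datetime.fromisoformat(ts)
        reasons = []
        profile = profiles.get(operator)
        if profile is None:
            reasons.append("unknown_operator")
        else:
            mu, sigma = mean(profile.amounts), pstdev(profile.amounts)
            if sigma == 0:
                z = 0.0 if amount == mu else float("inf")
            else:
                z = (amount - mu) / sigma
            if z > Z_THRESHOLD:
                reasons.append("amount_outlier")
            if beneficiary not in profile.beneficiaries:
                reasons.append("new_beneficiary")
            # Allow one hour of slack on either side of the observed working hours.
            if not (min(profile.hours) - 1 <= when.hour <= max(profile.hours) + 1):
                reasons.append("off_hours")
        window = recent[operator]
        window.append(when)
        window[:] = [t for t in window if (when - t).total_seconds() <= BURST_WINDOW_SEC]
        if len(window) >= BURST_COUNT:
            reasons.append("burst")
        results.append({"record": (ts, operator, beneficiary, amount), "reasons": reasons})
    return results


def alerts(results):
    """Keep only the transfers that triggered at least one reason."""
    return [r for r in results if r["reasons"]]


if __name__ == "__main__":
    for hit in alerts(score_transfers(HISTORY, NEW)):
        print(hit["record"], "->", ", ".join(hit["reasons"]))
```

The two routine transfers produce no reasons; each transfer in the night-time burst is flagged on amount, beneficiary, and hour, and the third one also trips the velocity check. In practice the profile would be learned over a much longer window and the thresholds tuned per institution, but the principle is the one the post makes: the attacker can swap tooling freely, yet the money still has to move in a way the bank has never seen before.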