A recent cyberattack on India’s City Union Bank abused the SWIFT global payments platform to transfer $2 million into accounts in Dubai, Turkey and China. While details of the cyberattack were not made public as the incident is still under investigation, officials claim hackers disabled the bank’s SWIFT-connected printer on Feb. 6, preventing City Union Bank from receiving any acknowledgement messages for the three fraudulent transactions.
“Nobody suspected that it was an attack and thought it was a systemic network failure,” said City Union Bank’s CEO N. Kamakodi. He cited similarities with the $81 million Bangladesh heist in 2016 in which threat actors also disabled Bangladesh Bank’s SWIFT-connected printer in an attempt to hide fraudulent transactions.
The Indian bank managed to block a $500,000 transfer and is trying to recover the remaining $1.5 million.
Threat actors have also successfully abused the SWIFT international payments messaging system of Russian banks, illicitly transferring 339.5 million roubles ($6 million) last year. Details about how threat actors managed to initiate the fraudulent transfers were also scarce, with officials only stating that hackers remotely controlled a computer at the Russian bank prior to transferring the money.
Brussels-based SWIFT said its platform was never actually breached in any of these instances and they’re closely collaborating with affected banks in investigating. While SWIFT enforces mandatory security standards for all customers’ SWIFT-related environments, “customers remain responsible for protecting their own environments,” said SWIFT CEO Gottfried Leibbrandt.
Are Security Standards Enough?
The financial industry is one of the most heavily regulated, and yet cybercriminals still find security blind spots. Besides strong perimeter defenses, strict access control policies, endpoint detection and response tools, and large security operation centers, some bank-operated software systems remain susceptible to memory manipulation techniques employed by advanced malware.
Security technologies that focus on identifying and preventing these memory manipulation techniques could augment currently deployed endpoint security solutions, strengthening the bank’s overall security posture while potentially preventing millions of dollars of advanced malware-powered fraudulent transactions.
By analyzing the previous Bangladesh heist in which actors maliciously patched – within memory – a .dll file belonging to the WIFT’s Alliance software, advanced security technologies such as memory-based introspection could have prevented the heist.
While security standards and best practices are important, securing infrastructures is more than just certifications and ticking compliance checklists. Implementing and deploying layered security defenses that span beyond the operating system, by integrating with bare metal hardware, give banks and any organizations that use virtual workloads unprecedented visibility into advanced threats aimed at compromising their infrastructure.