Another theft through SWIFT. Now in Russia


    UPD2. According to the Central Bank, 339.5 million rubles were stolen in 2017. It is easy to guess that this refers to Globex. The FinCERT review says: "Information was sent to the Bank of Russia about one successful attack on the workstation of a SWIFT system operator. The volume of unauthorized operations resulting from this attack amounted to 339.5 million rubles."

    UPD. The victim bank is Globex. The stolen amount is estimated at tens of millions of rubles.

    One of the Russian banks has fallen victim to a cyber attack aimed at stealing money through the international interbank payment system SWIFT. It is known that the attack was carried out on December 15; however, the name of the bank and the amount of damage have not yet been announced. The attack, allegedly organized by the Cobalt group, began with the distribution of malware a few weeks before the incident. Moreover, according to Artem Sychev, deputy head of the Central Security and Information Protection Directorate of the Central Bank, the hackers gained broad access to the infrastructure and could have used other withdrawal channels. However, they were interested in withdrawing funds to a foreign bank, so their goal was access to SWIFT.

    According to SWIFT, there is no evidence of unauthorized access to the SWIFT network itself. This means that, most likely, the attackers gained control over the account of the bank's SWIFT operator. History already knows several similar cases with banks from different countries, including the sensational case of the Central Bank of Bangladesh, where hackers managed to steal the credentials needed to authorize transactions. They then stole $81 million, out of a total of $951 million they tried to withdraw. A similar attack was launched at the end of 2015 against the Vietnamese Tien Phong Bank, but that bank blocked operations worth $1 million in time. At the beginning of 2015, $9 million was stolen from the Ecuadorian Banco del Austro. In the summer of 2016, $10 million was stolen from a Ukrainian bank. Each time, the attackers managed to gain access to the SWIFT system by bypassing the protective barriers implemented in the banks.

    I am somewhat familiar with how SWIFT and some banks operate, since I have already set up two-factor authentication for access to SWIFT interfaces at several banks. So I will describe what I see myself. After the largest theft, the one at the Central Bank of Bangladesh, SWIFT set a fairly steady course toward increasing the security of access to its networks and messaging services. Almost immediately, two-factor authentication became one of the requirements for further certification to use SWIFT. This measure is meant to stop attackers who have managed to intercept the operator's password. At first, however, it was enough for banks to declare that they undertook to implement two-factor authentication, and some participants whose current certification was not due to expire soon decided to postpone any action.
    Meanwhile, SWIFT in 2017 developed a Customer Security Program and documented organizational and technical recommendations for information security. Security measures include protecting physical access, separation of powers, regular updates, restricting access, and of course, protecting accounts. Now financial institutions must first conduct self-certification, and later, I hope, an external audit to ensure compliance with the new requirements.

    For about a year now, SWIFT has had its own implementation of two-factor authentication using one-time codes. It is based on the open OATH TOTP standard, that is, each one-time code is valid only within its time window. The secret seed is displayed on the operator's monitor during enrollment as a QR code, by analogy with Google Authenticator. Incidentally, any mobile application that supports the TOTP standard can be used as the generator, including Google Authenticator itself. In my opinion, SWIFT is offering a basic, entry-level solution, and there are pitfalls in its implementation. To begin with, the QR code itself, which contains the main secret, is transmitted to the operator's PC and displayed on the screen, which means it can be intercepted or observed. The bigger problem is that SWIFT servers are usually (and this is also SWIFT's recommendation) isolated from the local network and simply have no access to NTP servers, the sources of accurate time that TOTP needs to work correctly. As a result, the tokens can fall out of sync at the most unpredictable moment. In addition, some information security departments prefer hardware one-time password generators over smartphones, and that requirement is incompatible with what SWIFT offers. The solution proposed by SWIFT has other shortcomings, because of which some financial institutions choose a third-party solution, but, I repeat, this is still better than nothing. In any case, everything described above shows SWIFT attempting to counter existing threats rather than burying its head in the sand.

    I note that now two-factor authentication is required not only for the operator’s account, but also for other services in the secure SWIFT network, for example, RDP or SSH access to the servers.

    It is not known whether the infrastructure of the bank hit by the latest attack was compliant with SWIFT's recommendations, but I assume it was not. Judging by the information available in the media, the Central Bank also issued recommendations to this bank on improving its level of security, but the details are unlikely to become known to the general public.
