The hackers who broke into a global bank-messaging system and stole $81 million from the central bank of Bangladesh in February is likely to be linked with the crew who perpetrated the epic hit on Sony Pictures in 2014. BAE Systems analysts Sergei Shevchenko and Adrian Nish said in a report today the malicious code used across the attacks was so similar the most likely conclusion was all were the work of one group.
The messaging system, SWIFT, is used by 11,000 financial institutions across the world to request and approve money transfers. In the Bangladesh heist, investigators said hackers may have coaxed someone working with the bank to give up credentials, and that thieves exploited the SWIFT system to request money from the Federal Reserve Bank of New York that was then routed to a bank in the Philippines, then transferred to local casinos and stolen, according to the researchers.
The BAE analysts found one malware that did much the same, msoutc.exe. They discovered the malware exhibited “the same unique characteristics”, including process names and encryption keys, as those used by the Sony hackers.
“Whilst there are possibilities that exist which may lead to alternative hypotheses, these are unlikely and as such, we believe that the same coder is central to these attacks. Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone. However, this adds a significant lead to the investigation,” BAE concluded.
In the most recent hack, SWIFT said the attackers had targeted a PDF reader application used by the customer that detailed payment confirmations, altering documents to hide their transactions.
Putting everything together SWIFT explained the security breach like this :
In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.