What does it take to steal $81M?
Oliver Simonnet
Swiss Cyber Storm - 2018
MWR InfoSecurity

What are we going to talk about?
+ SWIFT from an attacker's perspective
+ Attacker TTPs
+ Why it's so easy!
+ Oh, I mean, why it's so hard!
+ In that case, why should you even care?
+ What's being done about it?

SWIFT Infrastructure 101
[Diagram labels: SWIFT; Bank A, Bank B, Bank C; Create, Authorise, Admin; Messaging Interface; Communication Interface; App User Interface; Middleware; Business Logic Systems; General IT Users]

SWIFT Related Attacks (2013 – 2017)
+ 2013: Sonali Bank, Bangladesh. $250,000 stolen
+ January 2015: Banco del Austro, Ecuador. $12 Million stolen
+ October 2015: Philippines. Further attacks reported
+ December 2015: Tien Phong Bank, Vietnam. Attempted theft of $1.13 Million
+ February 2016: The Bank of Bangladesh, Bangladesh. $81 Million successfully stolen
+ 2016: Unnamed Ukrainian Bank, Ukraine. $10 Million stolen
+ October 2017: The Far Eastern International, Taiwan. $60 Million stolen
+ October 2017: NIC Asia Bank, Nepal. $4.4 Million stolen
[Labels on the timeline: PDF Reader Malware; Keylogger; Email Access; Alliance Access Malware; SWIFT Operator Credentials; Remote Access]

2018
+ February 2018 - $2M: City Union Bank, India
+ March 2018 - Prevented!: Malaysia's central bank, Malaysia
+ June 2018 - $10M: Banco de Chile, Chile
+ February 2018 - $6M: Unknown Russian bank, Russia
+ August 2018 - $13.5M: Cosmos Bank, India
+ August 2018 - SWIFT Warning: Multiple catalogued attempts to hack into bank systems to issue fraudulent SWIFT messages
+ October 2018 - FireEye Reports: NK used SWIFT network to try and steal $1.1B from at least 16 institutions since 2014

Attacker TTPs
1.1. External threats breach the network perimeter and gain access to internal systems
1.2. Internal threats use existing access
2. Escalates their current user privileges
3. Performs reconnaissance activities to identify targets
3.1. Moves laterally across internal systems
4. Attacker executes their main objective (end goal)
5. Anti-Forensics
Timeline: Days… weeks… months… years!?
[Diagram label: Network Perimeter]

Attacker TTPs
[Diagram labels: Email Access; Credential Compromise; Phishing; Lateral Movement; Unknown; Remote Access; Possible Insider Threat; Malware]

What I Thought
[Diagram labels: SWIFT; Bank A, Bank B, Bank C; Create, Authorise, Admin; Messaging Interface; Communication Interface; App User Interface; Middleware; Business Logic Systems; General IT Users]

What I Discovered
[Diagram labels: SWIFT; INTERNET; Upstream System (Custom Bank App); Communication Interface (CI); Messaging Interface (MI); Some Middleware (MID); Custom Payment App (cPAY); Sanctions/AML (AML); Client Application (cAPP); Enrichment (ENR); Payment Operators; IT User; Input; Security Officer; Verify; Admins]

What I Now Think
[Diagram labels: SWIFT; Bank A, Bank B, Bank C; Create, Authorise, Admin; Messaging Interface; Communication Interface; App User Interface; Middleware; Business Logic Systems; General IT Users]
So…
OK, if it’s so easy then why…
Well…

BCB Heist – Funds Journey
+ Bangladesh Bank (Bangladesh)
+ Federal Reserve Bank of New York (USA)
+ $951M (35 messages)
+ 30 Messages ($870M) Blocked - Juniper
+ Pan Asia Bank (Sri Lanka)
+ RCBC Bank (Philippines)
+ PhilRem remittance service
+ Solaire Resort (Casino): $29M
+ Wei Kang Xu (Casino): $31M
+ Eastern Hawaii Leisure (Casino): $21M
+ $81M
Eeeerrrmmm….
Well in that case, why should we even care?

[Diagram repeated: BCB Heist – Funds Journey]
Industry Response
31st March 2017
+ SWIFT Customer Security Programme (CSP)
+ Set of 27 mandatory/advisory controls
+ Self-attestation via online portal by 1st January 2018
+ Compliant by 1st January 2019

SWIFT CSP
+ Secure Your Environment
+ Know and Limit Access
+ Detect and Respond

What does this achieve?
[Diagram labels: SWIFT; Bank A, Bank B, Bank C; Create, Authorise, Admin; Messaging Interface; Communication Interface; App User Interface; General IT Users; Business Logic Systems; Middleware]

What I Think
[Diagram labels: SWIFT; Bank A, Bank B, Bank C; Create, Authorise, Admin; Messaging Interface; Communication Interface; App User Interface; General IT Users; Business Logic Systems; Middleware]

In Conclusion
As we further segregate, isolate and protect SWIFT systems and users, attackers will evolve.
Are upstream systems secure?

In Conclusion
Defending payment infrastructure like SWIFT means understanding the attackers and building defences around that understanding.

Thank you
MWR SWIFT Resources
+ Threat Analysis: SWIFT Systems and the CSP
https://www.mwrinfosecurity.com/assets/swift-whitepaper/mwr-swift-payment-systems-v2.pdf
+ Defending SWIFT payment systems from attack
https://www.mwrinfosecurity.com/our-thinking/defending-swift-payment-systems-from-attack/
Questions?