BayPay Forum

SWIFT Warns Banks: Coordinated Malware Attacks Underway

Category: Security News

Anti-Malware, Cybersecurity, Forensics

Researchers Tie Bangladesh Bank Hack to Sony Breach

Mathew J. Schwartz (euroinfosec) • May 13, 2016

The theft of $81 million from Bangladesh Bank was "part of a wider and highly adaptive campaign targeting banks," SWIFT is warning its 11,000 customers, saying that at least one Vietnamese bank was also breached by the same attackers.


The May 13 customer alert from Brussels-based SWIFT, a cooperative founded in 1973 and owned by 3,000 financial institutions, is based on an ongoing teardown of the malware that infected Bangladesh Bank, which is being conducted by British defense and security firm BAE Systems.

Attackers attempted to move $951 million out of Bangladesh Bank's account at the New York Federal Reserve via SWIFT messages, and ultimately did transfer $100 million, only some of which has been recovered (see Bangladesh Bank Attackers Hacked SWIFT Software). On May 10, representatives from SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, met with Bangladesh Bank and New York Fed officials to discuss the attack and related investigations, and issued a joint statement pledging greater cooperation.

But the Bangladesh attack wasn't unique. "What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign," two BAE Systems digital forensic investigators warn in a research report published May 13. Based on the malware used in the bank attacks, the researchers also believe that the hacking group is the same one that targeted Sony Pictures Entertainment in 2014 and unleashed a devastating wiper malware attack, although no such attacks have been reported against SWIFT-using banks.

SWIFT says that hackers also targeted a second, unnamed Vietnamese bank using "a PDF reader used by the customer to check its statement messages." SWIFT did not name the bank or the PDF reader software in question, or detail whether attackers successfully stole any money.

In both bank attacks, "the attackers have exploited vulnerabilities in banks funds' transfer initiation environments, prior to messages being sent over SWIFT," the cooperative's customer alert says. "The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims' ability to recognize the fraud."

How Banks Were Hacked

SWIFT's customer alert says that in both attacks, hackers followed these four steps:

  1. Attackers compromise the bank's environment.
  2. Attackers obtain valid operator credentials that have the authority to create, approve and submit SWIFT messages from customers' back-offices or from their local interfaces to the SWIFT network.
  3. Attackers submit fraudulent messages by impersonating the operators from whom they stole the credentials.
  4. Attackers hide evidence by removing some of the traces of the fraudulent messages.

SWIFT says the main purpose of the Trojanized PDF reader was to effect step number four.
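The fourth step is where the Trojanized PDF reader and the wiped logs come in, and the defense SWIFT alludes to with "secondary controls" is a record of initiated transfers that an attacker on the messaging host cannot quietly edit, reconciled against what comes back on the statement. The Python below is an added example, not SWIFT's, BAE Systems' or any bank's code: it keeps a hash-chained, append-only transfer log (meant to live on a host separate from the messaging environment) and reconciles it against a parsed statement. Deleting or editing an entry breaks the chain; a confirmed transfer that the log never initiated is the fraudulent message of step three. The record layout, the reference numbers, the amounts and the statement contents are all constructed for the example.

```python
# Added example (not SWIFT's or BAE Systems' code): a hash-chained transfer log
# plus a reconciliation pass against the statement/confirmation the bank receives.
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous entry's hash and the canonical JSON of this record."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class TransferLog:
    """Append-only log; every entry commits to everything written before it."""
    entries: list = field(default_factory=list)

    def append(self, ref: str, debtor: str, creditor: str, amount: float, currency: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"ref": ref, "debtor": debtor, "creditor": creditor,
                  "amount": amount, "currency": currency}
        entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]


def verify_chain(entries: list) -> tuple[bool, int]:
    """Return (ok, index of first bad entry or -1). Catches deleted, reordered or edited entries."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or e["hash"] != _digest(prev, e["record"]):
            return False, i
        prev = e["hash"]
    return True, -1


def reconcile(entries: list, confirmations: dict) -> dict:
    """
    Compare logged transfers with the statement lines, keyed by reference.
    confirmations: {ref: (amount, currency)} as parsed from the statement.
    'unlogged' is the important bucket: a confirmed transfer the back-office never initiated.
    """
    missing, mismatched = [], []
    for e in entries:
        r = e["record"]
        if r["ref"] not in confirmations:
            missing.append(r["ref"])
        elif confirmations[r["ref"]] != (r["amount"], r["currency"]):
            mismatched.append(r["ref"])
    unlogged = sorted(set(confirmations) - {e["record"]["ref"] for e in entries})
    return {"missing": missing, "mismatched": mismatched, "unlogged": unlogged}


def demo() -> dict:
    """Constructed scenario: three legitimate transfers, one injected transfer on the
    statement, then an attacker deleting a log entry to cover traces."""
    log = TransferLog()
    log.append("TRX001", "BANK-A", "SUPPLIER-1", 250000.0, "USD")
    log.append("TRX002", "BANK-A", "SUPPLIER-2", 90000.0, "USD")
    log.append("TRX003", "BANK-A", "SUPPLIER-3", 12000.0, "EUR")

    # Constructed statement as received back; TRX999 was never initiated here.
    statement = {"TRX001": (250000.0, "USD"), "TRX002": (90000.0, "USD"),
                 "TRX003": (12000.0, "EUR"), "TRX999": (4500000.0, "USD")}
    result = reconcile(log.entries, statement)

    # Trace removal: the middle entry is deleted from the on-disk log.
    scrubbed = log.entries[:1] + log.entries[2:]
    chain_ok, bad_at = verify_chain(scrubbed)
    return {"chain_ok_before": verify_chain(log.entries)[0],
            "chain_ok_after": chain_ok, "bad_at": bad_at, "reconciliation": result}


if __name__ == "__main__":
    print(demo())
```

The chain only helps if the log writer's key material and storage are outside the environment the attacker controls; a hash chain on the same host protects against quiet edits, not against an attacker who can rewrite the whole file from genesis.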

To date, however, SWIFT says it's not clear if any insiders aided the attackers; the FBI reportedly suspects that at least one employee acted as an accomplice. "The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks - knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both," SWIFT says.

"In the meantime we would like to reassure you that the SWIFT network, SWIFT messaging systems and software have not been compromised."

Bank Malware: Technical Teardown

Investigators have linked the two bank attacks together based in part on the "msoutc.exe" malware used by attackers in both cases. "Our research into malware used on SWIFT based systems running in banks has turned up multiple bespoke tools used by a set of attackers," BAE Systems security researchers Sergei Shevchenko and Adrian Nish say in a May 13 blog post, which builds on Shevchenko's previous research into the attempted theft of $951 million from Bangladesh Bank's New York Federal Reserve account.

"What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign," they say. "This led to the identification of a commercial bank in Vietnam that also appears to have been targeted in a similar fashion using tailored malware, but based off a common code-base."

The malware used in the attacks deletes its configuration and log files using wipe-out techniques designed to prevent the files from being forensically recovered, and also includes a file-delete function; the BAE researchers say both techniques are quite unusual.

But these same wipe-out techniques are identical to those found in a previous case involving msoutc.exe malware, which was analyzed in a U.S. Computer Emergency Readiness Team (US-CERT) alert (TA14-353A), issued in December 2014, which details "targeted destructive malware" that was used "to conduct cyber exploitation activities recently targeting a major entertainment company," in what is widely believed to be a reference to the Sony Pictures Entertainment breach (see Report Claims Russians Hacked Sony).

The U.S. government controversially blamed "North Korea actors" for the Sony breach (see FBI Defends Sony Hack Attribution).

How Bank Malware Ties to Sony Hackers

BAE Systems researchers say the msoutc.exe malware also matches a known malware variant - dubbed "Sierra Charlie" - that was detailed in February as part of the Operation Blockbuster report by anti-fraud and analytics firm Novetta, which coordinated an investigation by multiple researchers and organizations into "malicious tools and infrastructure" used by a hacking group it calls the Lazarus Group.

Sierra Charlie is "a spreader type of malware, presumably used to gain a foothold on multiple devices within a target environment before launching further actions," the BAE Systems researchers say.

The Lazarus Group, meanwhile, "has been active since at least 2009, and potentially as early as 2007, and was responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment," according to the Novetta report. "The malware analyzed in this operation and attributed to the Lazarus Group has been used to target government, media, military, aerospace, financial and critical infrastructure entities in a limited geographic area, primarily South Korea and the United States," the report adds.

Attribution: Unclear

But the discovery that the same, unique technical approaches - and even typos in toolsets - featured in both the SWIFT-using bank hacks as well as Sony isn't ironclad attribution, the BAE Systems researchers warn.

"The overlaps between these samples provide strong links for the same coder being behind the recent bank heist cases and a wider known campaign stretching back almost a decade," they say. On the other hand, the clues could be a "false flag" designed to confuse researchers, or the tools could have been bought and sold by a third party.

But the BAE Systems researchers don't think those alternative theories hold water. "We believe that the same coder is central to these attacks," they say. "Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone. However, this adds a significant lead to the investigation."

SWIFT Continues Awareness Campaign

In the meantime, SWIFT says it will continue its security awareness campaign, and has strongly urged all banks to conduct a complete review of every aspect of their security programs (see SWIFT to Banks: Get Your Security Act Together).

"As a matter of urgency we remind all customers again to urgently review controls in their payments environments, to all their messaging, payments and e-banking channels," SWIFT says. "This includes everything from employee checks to password protection to cyber defenses. We recommend that customers consider third-party assurance reviews and, where necessary, ask your correspondent banks and service bureaux to work with you on enhanced arrangements."

Finally, SWIFT has urged all users "to be forthcoming" when they suffer any related attacks, "so that the fraudsters can be tracked by the authorities, and SWIFT can inform the rest of community about any findings that may have a bearing on wider security issues."


Police Reveal Botnet Herders' Disaster Recovery Secrets

Category: Security News

Anti-Malware, DDoS, Fraud

Cybercriminals Increasingly Tap Backup Botnets, Bitcoins

Mathew J. Schwartz (euroinfosec) • May 13, 2016

Steven Wilson, head of Europol's EC3 (Photo: Mathew Schwartz/ISMG)

Over the past few years, police in Europe and the United States have scored some notable botnet-busting successes, disrupting malicious infrastructure and in some cases also identifying and arresting the "botnet herders" and other cybercriminals involved (see Dorkbot Botnets Get Busted).


But other cybercrime gangs and fraudsters who rely on botnets and malware to generate illegal profits have been adapting. "What we're seeing is the bad guys are starting to learn from this," said Steven Wilson, head of the European Cybercrime Center at Europol - the EU's law enforcement agency - at a recent cybersecurity conference. "They now have their disaster recovery plans. They're the ones who can be back up and running within a day to two days."

Wilson delivered those remarks in his keynote presentation at the May 10 "International Conference on Big Data in Cyber Security" hosted by Edinburgh Napier University in Scotland. He provided some new insights into law enforcement agencies' cybercrime-related investigative techniques. Wilson has led EC3 since January. Previously, the 30-year veteran of Police Scotland oversaw all cyber and cyber-enabled crime investigations across Scotland.


Steven Wilson, who heads Europol's EC3, discusses cybercrime trends at the May 10 conference.

Criminals' reliance on backup botnets was also described by Andy Settle, head of special investigations at security firm Forcepoint, formerly known as Raytheon Websense, who told the conference that many gangs are "preparing smaller botnets as a resilient infrastructure so that I can lose one, and I still have six to seven of them." Keeping fully functional backup botnets small means they frequently evade detection by security researchers or law enforcement agencies, he added.

Botnet-using criminals, of course, have an economic incentive to utilize disaster recovery best practices to keep their malicious infrastructure humming. Indeed, botnets can generate outsize profits for gangs who steal online banking credentials to commit fraud, infect PCs with ransomware or turn infected "zombie" endpoints into spam, phishing and distributed denial-of-service attack relays.

Wilson said that disrupting botnets via sinkholing - forcibly redirecting infected, "zombie" endpoints to servers controlled by authorities, thus blocking attackers' access to them - can give law enforcement agencies new insights into how the latest botnets are being built and deployed, provided they can master related "big data" challenges.

"In the last two to three years, we've seen significant developments with botnets - 3 million, 4 million, 5 million controlled computers. The amount of data that's coming from the sinkholing that we do to prevent the actual attacks from them, again we've got a massive resource in there to look at," he said. "The important thing for us is to look at this and say, 'How can we actually more effectively analyze that data?' But [it's] volumes beyond the comprehension of what we've ever dealt with before. And for me ... big data analytics is the way to go forward regarding this."
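Sinkhole traffic is the raw material Wilson is describing, and the first two questions asked of it are how many distinct infected hosts each command-and-control name still has per day, and whether the same hosts answer to more than one name, which is what Settle's backup botnets look like from the sinkhole side. The Python below is an added example, not Europol's or Forcepoint's tooling. The log format (timestamp, victim IP, requested C2 hostname), the hostnames and every line in the sample are constructed for the example.

```python
# Added example (not Europol's or Forcepoint's code): aggregate sinkhole hits into
# per-C2, per-day unique-victim counts and flag hosts beaconing to several C2 names.
from collections import defaultdict
from ipaddress import ip_address

# Constructed sinkhole log: "<ISO-8601 UTC timestamp> <victim IP> <C2 hostname requested>"
SAMPLE_LOG = """\
2016-05-10T08:01:12Z 203.0.113.5 upd-node3.example
2016-05-10T08:01:15Z 203.0.113.5 upd-node3.example
2016-05-10T09:44:01Z 198.51.100.77 upd-node3.example
2016-05-10T11:20:00Z 198.51.100.77 bk-relay.example
2016-05-11T02:13:44Z 203.0.113.5 upd-node3.example
2016-05-11T02:15:09Z 192.0.2.9 bk-relay.example
2016-05-11T02:15:10Z 192.0.2.9 bk-relay.example
garbage line that should be skipped
2016-05-11T03:00:00Z 192.0.2.9 upd-node3.example
"""


def parse_line(line: str):
    """Return (day, victim_ip, c2) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3 or not parts[0].endswith("Z"):
        return None
    try:
        ip_address(parts[1])
    except ValueError:
        return None
    return parts[0][:10], parts[1], parts[2].lower()


def victims_per_day(log_text: str) -> dict:
    """{c2: {day: unique victim count}}; repeated beacons from one host count once."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, victim, c2 = rec
        seen[(c2, day)].add(victim)
    out = defaultdict(dict)
    for (c2, day), hosts in seen.items():
        out[c2][day] = len(hosts)
    return {c2: dict(sorted(days.items())) for c2, days in out.items()}


def shared_victims(log_text: str) -> dict:
    """Hosts that beacon to more than one C2 name: the same endpoints enrolled in
    a second, fallback botnet."""
    by_host = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, victim, c2 = rec
        by_host[victim].add(c2)
    return {h: sorted(c) for h, c in by_host.items() if len(c) > 1}


if __name__ == "__main__":
    print(victims_per_day(SAMPLE_LOG))
    print(shared_victims(SAMPLE_LOG))
```

Counting unique source IPs undercounts hosts behind NAT and overcounts hosts with dynamic addresses; at the multi-million-host scale Wilson mentions those biases are the "big data" problem, not the arithmetic.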

Battling Bitcoin-Using Criminals

Wilson said police have also made strides when it comes to battling criminals who use bitcoins (see Europol Announces DD4BC Arrests). In part, he said, that's been aided by analyzing the blockchain, which is the public record of every bitcoin transaction. While the pseudonymous cryptocurrency system doesn't list users' names, past cases have revealed that law enforcement agencies do have some capabilities - which they have not publicly detailed - to analyze and cross-reference bitcoin transactions and other information to help them better follow the money.

Eamonn Keane, a detective inspector with Police Scotland's cybercrime unit, told conference attendees that it's well known that authorities continue to find new ways to infiltrate dark net forums to bust bitcoin-using criminals. "Are law enforcement in there? Absolutely. That's been charted already with regards to Silk Road, Silk Road 2," he said. "We have a mandate to protect you in the real world; increasingly it's moving into the online environment."

EC3's Wilson said many bitcoin-related arrests have been the result of police working with academics to better analyze blockchain transactions (see Tougher to Use Bitcoin for Crime?). Going forward, he hopes that such analysis will help authorities more rapidly spot signs of criminal cryptocurrency use. "There are opportunities in there to predict what's happening and to actually target offenders from that side of things," he said.
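Wilson does not say which analysis EC3 and its academic partners use, and neither does this page. One heuristic that is public and widely used in blockchain research is common-input-ownership: every input of a transaction must be signed by whoever spends it, so addresses spent together in one transaction are treated as one wallet, and union-find merges them into clusters that can then be followed across payments. The Python below is an added example implementing that heuristic; it is not any law-enforcement capability, and the transaction IDs and addresses are constructed for the example.

```python
# Added example (not any law-enforcement tool): common-input-ownership clustering
# of bitcoin addresses with union-find, over constructed transactions.
from collections import defaultdict

# Constructed transactions: (txid, [input addresses], [output addresses]).
SAMPLE_TXS = [
    ("tx1", ["1Alice1", "1Alice2"], ["1Shop", "1Alice3"]),   # two inputs spent together
    ("tx2", ["1Alice3"], ["1Mixer"]),                        # single input, no merge
    ("tx3", ["1Bob1"], ["1Alice1"]),                         # Bob pays Alice
    ("tx4", ["1Bob1", "1Bob2"], ["1Exchange"]),              # two inputs spent together
    ("tx5", ["1Carol"], ["1Bob2"]),                          # Carol pays Bob
]


class DisjointSet:
    """Union-find with path halving; keys are addresses."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs) -> list:
    """Merge every address that appears as a co-input of one transaction.
    Addresses that only ever receive are left out: the heuristic says nothing about them."""
    ds = DisjointSet()
    for _txid, inputs, _outputs in txs:
        ds.find(inputs[0])
        for other in inputs[1:]:
            ds.union(inputs[0], other)
    groups = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def payments_from_cluster(txs, clusters, addr) -> list:
    """Every (txid, output address) paid out by the cluster containing addr,
    excluding outputs that land back in the same cluster."""
    owner = {a: i for i, g in enumerate(clusters) for a in g}
    if addr not in owner:
        return []
    cid = owner[addr]
    paid = []
    for txid, inputs, outputs in txs:
        if owner.get(inputs[0]) == cid:
            paid.extend((txid, o) for o in outputs if owner.get(o) != cid)
    return paid


if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    print(clusters)
    print(payments_from_cluster(SAMPLE_TXS, clusters, "1Bob1"))
```

Two caveats a practitioner should keep in mind: the heuristic does not link change outputs back to the payer (1Alice3 stays in its own cluster here, although a separate change-address heuristic would merge it), and CoinJoin-style mixing deliberately puts unrelated parties' inputs in one transaction to make the assumption false.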

Emerging Cybercrime Trends

Steven Wilson details how Europol's European Cybercrime Center is tracking and disrupting cybercriminals.

Wilson credits many recent cybercrime investigation success stories, in part, to the EU Joint Cybercrime Action Task Force, or J-CAT, which brings together representatives from nine of the EU's biggest member states, as well as representatives from other countries, with a dedicated prosecutor from Eurojust, the EU agency that handles cross-border judicial cooperation relating to criminal matters.

That combination "has allowed us to actually cut through the bureaucracy, the differences in legislation, to actually tackle cyber criminality," Wilson said.

In 2015, J-CAT took on 20 of the top-level police cases - or "jobs" - in Europe and the United States and successfully concluded nine of them with arrests, he said. "I would suggest that these jobs going back probably three or four years ago were ones that I thought actually probably would never be detected, or could have taken four or five years [to detect]," he said.

Europol Gets Expanded Powers

Beyond the launch of EC3 in 2013, European officials have continued to double down on the type of information sharing and cross-border coordination that it provides, especially when battling terrorism, child sexual abuse and exploitation, as well as cyber-enabled crime (see How Do We Catch Cybercrime Kingpins?).

Embedded tweet, May 10, 2016: "Fight against terrorism: Parliament to vote on updated powers for Europol" https://t.co/cBoFH1ITAG #EPlenary pic.twitter.com/70hdoe6OIc

On May 11, the European Parliament adopted a new regulation that includes new powers for Europol that are designed to help it more quickly - and easily - tackle cross-border terrorism and organized crime. "The new EU regulation will make it easier for Europol to set up specialized units to respond immediately to emerging terrorist threats and other forms of serious and organized crime," Europol said in a statement.

Europol said the new powers will enable it to function as "the EU's information hub" and better coordinate between law enforcement agencies in Europe and beyond, aided by the European Counter Terrorism Center and the EU Internet Referral Unit.


Internet of Everything: Please Don't Connect It First and Secure It Later

Category: Security News

In Development

The ABA Survey: Changing the Face of Fraud

Category: Security News

In Development

Creating 'Trustability' to Strengthen Breach Defenses

Category: Security News

In Development
