At least $US10 million lost in Ukraine bank transfers

Hot on the heels of the Bangladesh heist in February, a Ukrainian bank has become the latest victim of vulnerabilities in the Society for Worldwide Interbank Financial Telecommunication (SWIFT). SWIFT is the global banking messaging system that forms the backbone of the world’s financial system. The theft was carried out in a similar way to the Bangladesh Central Bank theft in February this year.

In this latest incident, hackers have stolen at least $US10 million from the unnamed bank in Ukraine, but this may be the tip of the iceberg. According to analyst reports, dozens of Ukrainian and Russian banks have become victims of this syndicated attack on SWIFT and hundreds of millions of dollars have been stolen.

While there is ongoing controversy surrounding the security of SWIFT, Ukraine’s banking sector has also come under repeated criticism for a failure to implement up-to-date security standards and for a slew of other allegedly bad practices.

The cyber criminals appear to be repeating their modus operandi, following the same pattern of attack in each case. Instead of breaching the SWIFT core system directly, the hackers use advanced malware to steal credentials of bank employees and then target vulnerabilities in the access points to SWIFT. The stolen employee credentials enable them to gain access to the SWIFT messaging network and send fraudulent messages initiating cash transfers from accounts at larger banks to disparate accounts around the world.

These hacks are extraordinary because of the enormous amount of money involved, the ambitious choice of target, the impressive technical prowess, the investment in groundwork carried out (more than a year in some cases) and the intimate knowledge of the banking system demonstrated by the hackers. Even months after the theft, much remains unknown about the perpetrators, their origin and their methods.

Risk and reward

Financial gain is still the most common motivator for cyber criminals, but there is a multitude of reasons for the ever-increasing frequency of such attacks. Cyberattacks against government organisations are carried out by individuals or groups trying to extract high-value intellectual property or gather intelligence. In some instances, hackers are motivated by the thrill of hacking a famous organisation, as witnessed in the recent hacking of Facebook CEO Mark Zuckerberg’s Twitter and Pinterest accounts and the Quora account of Google CEO Sundar Pichai.

Hackers are also targeting smaller organisations with greater frequency. While the return may not reflect that offered by the banking sector, small business security is easier to bypass, staff are less educated on hacking and social engineering, and the overall risk is much lower. Finding a vulnerability is quicker and easier, making low-return attacks both viable and profitable.

In one of the more extreme variations, cyber criminals are now providing malware and hacking ‘as-a-Service’ – operating as though they are legitimate organisations. They provide rate cards for a variety of services (from hacking emails, websites and networks to spying and deploying DDoS attacks), offer extensive support and even offer discounts for repeat customers.

What next?

When it comes to cyber security, organisations of all sizes are increasingly at risk. As evidenced with SWIFT, even if your organisation’s core systems are secured, the overarching security of your critical data and systems is at the mercy of external connections and access points to your network.

According to a report by IBM, the most targeted industries last year included healthcare, manufacturing and government organisations around the world, with the average company experiencing a 64 percent increase in the number of security incidents reported.

Protecting your organisational assets and information is no longer a checking-the-box exercise to address compliance requirements. Every company needs a multipronged security strategy that extends beyond annual penetration testing and audits. Even though IT security is largely cast as a technical problem, employees are often the weakest links, becoming easy targets for social engineering attacks due to lack of awareness and relevant training.

For more information on your organisation’s current vulnerability level and for ways to improve your security posture, contact the blueAPACHE account team.