
BAE Systems blog details Bangladesh malware


Security specialist BAE Systems published a blog post on Monday, April 25th, revealing extensive details, including code, of the malware it says was used to hide traces of fraudulent payments by the gang that stole $81m from the Bangladesh central bank last February.

According to the blog, authored by BAE Systems security analyst Sergei Shevchenko, the malware was submitted to a repository website by a user in Bangladesh, and contains “sophisticated functionality” for interacting with SWIFT Alliance Access software that was being run by Bangladesh Bank within its own infrastructure.

“This malware appears to be just part of a wider attack toolkit, and would have been used to cover the attackers’ tracks as they sent forged payment instructions to make the transfers,” explained Shevchenko in the blog. “This would have hampered the detection and response to the attack, giving more time for the subsequent money laundering to take place.”

“The tools are highly configurable and given the correct access could feasibly be used for similar attacks in the future,” Shevchenko concluded.

SWIFT, the global payments technology platform that is owned by the largest banks, released a statement later the same day which said that the malware: “Can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security.”

“We have developed a facility to assist customers in enhancing their security and to spot inconsistencies in their local database records, however the key defence against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems – in particular those used to access SWIFT – against such potential security threats.”

SWIFT also added: “Contrary to reports that suggest otherwise, this malware has no impact on SWIFT’s network or core messaging services.”

Additional information: Read the BAE Systems blog here