Attackers took advantage of the bank's lack of a firewall and shoddy $10 switches to exploit SWIFT software

Hackers behind the Bangladesh bank heist created malware to compromise the SWIFT financial system. Security researchers said the malware allowed attackers to modify a database logging the bank’s activity over the SWIFT network, to delete records of outgoing transfer orders, to intercept incoming transfer confirmation messages, and to manipulate both account balance logs and a printer used to make hard copies of the transfer orders.

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a cooperative owned by 3,000 financial institutions. SWIFT software is supposed to securely send and receive information about financial transactions; the messaging platform is reportedly used by 11,000 banks worldwide. SWIFT admitted to Reuters that it was aware of malware targeting its client software “Alliance Access,” which is not used by all 11,000 banks.

The malware that manipulated SWIFT’s Alliance Access was discovered by researchers from BAE Systems. BAE’s head of threat intelligence, Adrian Nish, told Reuters it was the most elaborate scheme from criminal hackers that he has ever seen. “I can’t think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in. I guess it was the realization that the potential payoff made that effort worthwhile,” he said. The potential payoff was supposed to be around $1 billion ($951 million), but the hackers were discovered after stealing $81 million routed to accounts in the Philippines.
They might have pulled off the entire cyber heist, except Deutsche Bank got suspicious after noticing a typo in an order to transfer cash from Bangladesh’s account at the Federal Reserve Bank of New York to other banks; the hackers misspelled “foundation” as “fandation.” The massive cyber heist in February was originally blamed on the fact that Bangladesh Bank had no firewall and used second-hand $10 switches. The SWIFT system was connected to bank workstations, so the attackers only needed to infect a PC with malware for it to spread to the SWIFT system.

A software update will be released today to “thwart the malware,” according to SWIFT spokeswoman Natasha Deteran, but “the malware has no impact on SWIFT’s network or core messaging services.” The software update will “assist customers in enhancing their security” and help “spot inconsistencies in their local database records.” BAE released an advisory with technical indicators, including the IP address of the server in Egypt used by the attackers to monitor Bangladesh Bank’s SWIFT system, as well as details about the “evtdiag.exe” malware that helped the hackers hide their tracks by altering information in the SWIFT database.

BAE told Reuters the malware was customized specifically to attack the Bangladesh Bank, but “the general tools, techniques and procedures used in the attack may allow the gang to strike again.”

According to the BAE Threat Research blog, the malware contains “sophisticated functionality” and is part of a “wider attack toolkit;” the tools are “highly configurable and given the correct access could feasibly be used for similar attacks in the future.” By changing only two bytes of data, the attackers gained control over the bank’s SWIFT system and database. The researchers identified “evtdiag.exe” on an online malware repository, but they have not analyzed the infected servers.

“The malware registers itself as a service and operates within an environment running SWIFT’s Alliance software suite, powered by an Oracle Database,” they wrote. “The tool was custom made for this job and shows a significant level of knowledge of SWIFT Alliance Access software, as well as good malware coding skills.”

The researchers go into detail about how the malware monitors SWIFT Financial Application (FIN) messages, monitors logins, and manipulates balances as well as the printer. “This attacker put significant effort into deleting evidence of their activities, subverting normal business processes to remain undetected and hampering the response from the victim,” they said.

Although “many pieces of the puzzle are still missing,” such as “how the attackers sent the fraudulent transfers, how the malware was implanted and who was behind this,” BAE warned, “all financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed.”
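One defender-side control that follows from SWIFT's advice to “spot inconsistencies in their local database records” is an out-of-band reconciliation: compare the local outgoing-order log with confirmations obtained independently from the correspondent bank, so that a record deleted or altered locally still shows up as a debit the correspondent confirms. The Python below is an added illustration, not code from BAE, SWIFT or the article; the record format, references and amounts are constructed.

```python
"""Reconcile a local SWIFT-style outgoing-transfer log against confirmations
received out of band. All records below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ref: str          # transaction reference (constructed format)
    amount: float     # amount in USD
    beneficiary: str  # beneficiary identifier


# Constructed: what the bank's local messaging database says went out today.
LOCAL_OUTGOING = [
    Transfer("TRN0001", 250_000.00, "ACME-CORP"),
    Transfer("TRN0002", 1_200_000.00, "GLOBAL-SHIPPING"),
]

# Constructed: debits confirmed by the correspondent bank, fetched through a
# channel independent of the workstations and database the malware could reach.
CORRESPONDENT_CONFIRMED = [
    Transfer("TRN0001", 250_000.00, "ACME-CORP"),
    Transfer("TRN0002", 1_200_000.00, "GLOBAL-SHIPPING"),
    Transfer("TRN0003", 20_000_000.00, "UNKNOWN-BENEFICIARY"),  # no local record
]


def reconcile(local, confirmed):
    """Return sorted (reason, ref) findings. A confirmed debit with no local
    record is the trace left when outgoing-order records are deleted locally;
    a field mismatch points at a locally edited record."""
    local_by_ref = {t.ref: t for t in local}
    confirmed_by_ref = {t.ref: t for t in confirmed}
    findings = []
    for ref, theirs in confirmed_by_ref.items():
        mine = local_by_ref.get(ref)
        if mine is None:
            findings.append(("confirmed_without_local_record", ref))
        elif (mine.amount, mine.beneficiary) != (theirs.amount, theirs.beneficiary):
            findings.append(("field_mismatch", ref))
    for ref in local_by_ref.keys() - confirmed_by_ref.keys():
        findings.append(("local_without_confirmation", ref))
    return sorted(findings)


def balance_drift(local, confirmed):
    """Amount the correspondent debited beyond what the local balance log
    reflects; anything other than 0.0 means the local balance cannot be trusted."""
    return round(sum(t.amount for t in confirmed) - sum(t.amount for t in local), 2)
```

Running the reconciliation on a schedule against a confirmation feed the messaging host cannot write to is the point: the check only works if the second copy is outside the reach of whatever tampers with the first.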