What we need to learn from the biggest online bank robbery in history
08 June 2016
The latest cyber security report from cybersecurity firm Symantec indicates that the cyber criminals known as the Lazarus Group have been targeting financial institutions since October 2015. These criminals are linked to a string of aggressive attacks since 2009, including Sony Pictures in 2014 and the recent attacks on banks’ back-office payment systems that are connected to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. The attacks targeted financial institutions' internal payment processes: malicious messages were created locally, entered into the local payment application and then sent through the SWIFT network. The SWIFT network connects more than 11,000 institutions in more than 200 countries.
Why does this matter?
In February of this year, attackers compromised systems at the Bangladesh Central Bank and sent a number of payment instructions over its interface with the SWIFT network. These instructions totalled US$951M, of which US$101M were processed by the Federal Reserve Bank of New York, with US$81M remaining unrecovered. Banco del Austro in Ecuador was also reported to have lost US$12M to attackers using fraudulent SWIFT transactions in January 2015. An attack on Vietnam’s Tien Phong Bank was thwarted only because the instructions were declined. A bank in the Philippines was targeted as early as October 2015; the malware used there shares code with tools used by the Lazarus Group, and details are still being uncovered.
How did they get access?
The criminals gained access through the use of advanced persistent threat (APT) techniques, installing malware on these financial institutions' networks. They were able to access not just the funds transfer systems themselves, but also the logging and monitoring mechanisms, enabling them to subvert those as well and so prolong their access and their attack. This indicates that the criminals had detailed insight into the target environment, its controls, processes and business logic.
Cybersecurity on its own is not enough
This heist demonstrates the need to enhance coordination between cybersecurity, anti-fraud, and anti-money laundering (AML) disciplines. While cybersecurity is necessary to protect the business against financial crime in general, financial institutions must integrate cybersecurity with two other key elements: insider threat management and anti-fraud transaction analysis.
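One control that follows from the two points above (logging that the attacker can subvert, and the need for transaction analysis that does not trust the local application) is an independent reconciliation of what actually left the institution against what the payment application says it sent. This is an added example, not code from the article, from Symantec or from SWIFT; the ledger, the outbound capture, the sequence numbers and the limits are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Instruction:
    ref: str          # transaction reference
    seq: int          # sequence number assigned by the messaging interface
    beneficiary: str
    amount_usd: float

# Constructed sample data (hypothetical, not from any real incident).
LEDGER = [  # records held by the local payment application (attacker-reachable)
    Instruction("TX001", 1, "ACME SUPPLIES", 250_000.0),
    Instruction("TX002", 2, "GLOBEX CORP", 90_000.0),
    Instruction("TX004", 4, "INITECH LTD", 120_000.0),  # seq 3 is absent
]
OUTBOUND = [  # messages seen by an independent tap on the outbound link
    Instruction("TX001", 1, "ACME SUPPLIES", 250_000.0),
    Instruction("TX002", 2, "GLOBEX CORP", 90_000.0),
    Instruction("TX003", 3, "UNKNOWN ENTITY", 20_000_000.0),  # not in ledger
    Instruction("TX004", 4, "INITECH LTD", 120_000.0),
]

def reconcile(ledger: List[Instruction], outbound: List[Instruction],
              max_single_usd: float = 5_000_000.0,
              max_daily_usd: float = 10_000_000.0) -> List[Tuple[str, str]]:
    """Return (finding_type, detail) pairs; an empty list means no discrepancy."""
    by_ref = {i.ref: i for i in ledger}
    findings = []
    for msg in outbound:
        rec = by_ref.get(msg.ref)
        if rec is None:                        # sent, but no local record survives
            findings.append(("NO_LEDGER_RECORD", msg.ref))
        elif (rec.beneficiary, rec.amount_usd) != (msg.beneficiary, msg.amount_usd):
            findings.append(("FIELD_MISMATCH", msg.ref))  # record altered locally
        if msg.amount_usd > max_single_usd:
            findings.append(("SINGLE_LIMIT", msg.ref))
    seqs = sorted(i.seq for i in ledger)
    for a, b in zip(seqs, seqs[1:]):
        if b != a + 1:                         # a record was removed from the ledger
            findings.append(("SEQUENCE_GAP", f"{a}->{b}"))
    total = sum(m.amount_usd for m in outbound)
    if total > max_daily_usd:
        findings.append(("DAILY_TOTAL", f"{total:.2f}"))
    return findings

if __name__ == "__main__":
    for kind, detail in reconcile(LEDGER, OUTBOUND):
        print(f"{kind}: {detail}")
```

The capture must come from a source the payment application cannot write to, otherwise it inherits the same weakness the article describes.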
Regulatory pressure on dealing with cybercrime is rising
In the wake of these incidents, global regulators have further increased their focus on cyber security. For example, in an interview at the Reuters Financial Regulation Summit on 17 May, the SEC Chair, Mary Jo White, was reported to have cited cyber-attacks as the biggest risk facing the financial system. Organisations need to act decisively, and will need to keep thinking differently, to deal with this threat.
What banks should do
Financial institutions need to be proactive in assuring that business and technology controls are operating effectively to prevent and detect this kind of bespoke malware attack. As criminals change their attack vector with future malware iterations, dynamic tactical defences should be planned and tested to immobilise the threat.
It’s time to re-think digital and business processes, assure technology is safeguarded and build a secure culture to remain one step ahead of criminals. Working together as a community with shared thought leadership and continued information sharing will provide the dynamic defence techniques required to confront these threats.
Connect with Michael Woods