ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS - SWIFT systems and the SWIFT Customer Security Program
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS SWIFT systems and the SWIFT Customer Security Program An F-Secure Consulting guide Author: Oliver Simmonet
CONTENTS 01 INTRODUCTION 02 WHAT IS SWIFT? 03 ATTACKS ON SWIFT SYSTEMS 13 COMMON FACTORS 14 WHAT IS SWIFT CSP? 17 IS SWIFT CSP COMPLIANCE ENOUGH? 21 HOW CAN YOU BETTER SECURE YOUR LOCAL SWIFT SYSTEMS? 23 CONCLUSION F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS
INTRODUCTION
The financial sector is and has always much higher gain, requiring less overall effort than customers to implement a number of controls
been a prime target for crime. In modern continuously targeting individual customers. As defined by SWIFT’s Customer Security Controls
times, there is not only the risk of physical such, these attacks have increased over the years, Framework (CSCF), to which customers had to first
attacks, but also cyber attacks. Heist, not only in number, but also in sophistication; self-attest compliance before January 1, 2018. The
espionage, and sabotage campaigns—once attackers are becoming increasingly persistent framework has evolved and now outlines a growing
a threat which could be mitigated with the and adaptive when it comes to bypassing security collection of security controls to ensure that a
implementation of strong physical security controls and compromising critical financial minimal baseline for security is in place across all
controls and procedures—can now all be systems to achieve their end goals. customers’ local SWIFT deployments.
conducted by a wide range of threat actors,
anywhere in the world. Although a number of these attacks appear to be This report reviews a collection of major SWIFT-
criminal in nature (e.g. the Carbanak gang), some related breaches that have occurred over the
Over the years, there has been a steady attacks have shown strong links to nation states years and analyzes the common factors shared
increase in cyber attacks on banks and the such as the Lazarus group (reportedly linked to between them. This is followed by an analysis of
financial services sector as a whole, specifically North Korea). This may be an indication that large- the scope and reliability of SWIFT CSP, identifying
with regards to the development and execution scale financial heists are one of the few remaining its strengths as well as its limitations. Finally, we
of advanced targeted attacks against financial methods of obtaining international currency within provide recommendations on how to further
messaging services, such as SWIFT. This comes heavily sanctioned states. secure these types of critical payment systems
as no surprise. Attackers have realized that against future attacks.
focusing their resources on performing a low As a countermeasure to the current cyber threat
profile, calculated, and sophisticated attack on landscape, SWIFT implemented the Customer
a financial institution has the potential for a Security Programme (CSP). This requires all SWIFT
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 1WHAT IS SWIFT?
SWIFT (the Society for Worldwide Interbank SWIFT does not, however, hold responsibility
Financial Telecommunications) is a secure for the security of its customers’ local SWIFT
messaging service used to transmit financial infrastructure, although it does provide assistance
messages between member institutions around to ensure customers can manage cyber attacks.
the world. SWIFT functions as a member-only An example of this is the Customer Security
cooperative service that is used and trusted by Programme (CSP), which was originally introduced
more than 11,000 financial institutions in more in late 2016.
than 200 countries and territories around the
world.
At its core, SWIFT provides access to the
SWIFT messaging network (SWIFTNet) and its
4 messaging services (FIN, InterAct, FileAct
and Browse). It also provides the standard for
financial messaging and a range of solutions for
the security, creation, management, processing,
and validation of these messages.
Fig. 1. SWIFT logo
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 2ATTACKS ON SWIFT SYSTEMS
There have been a significant number of high- Note: This section will focus on the 2013-2018
profile attacks on SWIFT systems since 2013, timeframe, when the most prominent attacks
with the majority of activity being observed were disclosed. The number of successful
between 2016 and 2018. Almost all these attacks attacks decreased significantly after 2018,
resulted in significant financial loss. likely due to the global success of the CSP
programme.
October, 2017 February, 2018 October, 2018
NIC Asia Bank, Nepal Unknown Russian bank, Russia FireEye Issues Reports:
January, 2015 December, 2015 $4.4 Million stolen $6 Million stole August, 2018 North Korea used SWIFT
Banco del Austroz, Ecuador Tien Phong Bank, Vietnam Cosmos Bank, India network to try and steal
$12 Million stolen Attempted theft of $1.13 Million Unknown, 2016 May, 2018 $13.5 Million Stolen $1.1B from at least 16
Unnamed Ukrainian Bank, Ukraine Banco de Chile, Chil institutions since 2014
$10 Million stolen $10 Million Stolen
February, 2016 March, 2018
The Bank of Bangladesh, Bangladesh Malaysia’s central bank, Malaysia
Unknown, 2013 October, 2015 $81 Million successfully stolen $0 Stolen - Hesist prevented!
Sonali Bank, Bangladesh Philippines
$250,000 stolen Further attacks reported
October, 2017 February, 2018 August, 2018
The Far Eastern International, Taiwan City Union Bank, India SWIFT Issue Warning!
$60 Million stolen $2 Million stole Multiple catalogued attempts
to break into banks to issues
fraudulent SWIFT messages
Fig. 2. Timeline: High-profile SWIFT-related attacks
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 3Together, these high-profile attacks alone In the wake of the Bangladesh heist, there
resulted in the collective theft of around was a shift in attention regarding attacks on
$200,280,000, with the cyber attack on the SWIFT systems. Since then, a number of links
Bank of Bangladesh in 2016 being one of the between the tools and techniques used in these
Russia
largest bank heists in history. During this attacks and advanced persistent threat actors
attack, an attempt to steal $951,000,000 was (APTs), such as the Lazarus group, have been
Ukraine
carried out, with $81,000,000 being successfully speculated on and identified.
exfiltrated to banks in the Philippines, then Nepal
laundered via casinos to fully extract the stolen Bangladesh The number of successful attacks against these
Taiwan
money from the banking system. India systems shows that SWIFT customers must
do more to protect their local infrastructure.
Vietnam Philippines
Analysis shows that attacks on SWIFT systems However, to effectively defend any system
are frequently targeted at institutions with Ecuador Malaysia from an attack, there is a prerequisite to first
weaker policies and procedures. However, understand how attackers are targeting these
there have been reports of both attempted and Chile systems.
successful attacks against institutions of all sizes
and levels of security maturity around the world. The following pages include a breakdown of
some of the most high-profile attacks on SWIFT
A map outlining the geographical locations of systems:
attacks reviewed in this report can be seen on Fig. 3. Map: High profile SWIFT-related attacks
the right.
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 4THE BANK OF BANGLADESH
$81,000,000 (OF $951,000,000)
Although chronologically it is not the first, we In January/February of 2015, a number of bank (RBCB) using multiple fraudulent attackers monitored employee behaviour, stole
will begin with the case study of the Central phishing emails were sent to BCB employees, identities. These accounts were credited with user credentials, and deployed bespoke malware
Bank of Bangladesh (BCB). containing a resume and cover letter within a an initial deposit of $500. to initiate the final phase of their attacks. This
.zip file. This was part of a targeted phishing malware was designed specifically to target the
The cyber attack on the Bank of Bangladesh campaign that resulted in attackers gaining Once attackers had gained access to the bank’s SWIFT Alliance Access application, bypassed its
(February 2016) was one of the largest heists, an initial foothold on 3 systems within the internal systems they utilized trusted Windows security controls, and removed evidence from
and most calculated and sophisticated attacks Bangladesh bank in March 2015. software to monitor employee activity. Using printed SWIFT messages. (See diagram below,
against SWIFT systems to date. Investigations this initial foothold, attackers were ultimately left.)
found that the attack had been patiently Following this, in May 2015 multiple bank able to move laterally across the bank’s internal
executed over almost a full year. accounts were opened within the Jupiter branch network in search of SWIFT-connected systems. In order to grant the ability to execute database
of the Rizal Commercial Banking Corporation With access to SWIFT systems obtained, the transactions, the malware targeted a specific
module that was responsible for managing some
Confirmation messages from the SWIFT network of the core functions of the database. (See
are now monitored by the malware. Functionality diagram below, right.)
continues in loop until 06:00, Feb 6, 2016
SWIFT messages sent to the printer are liboradb.dll is responsible for:
tampered with in real-time. • Starting the databases
SWIFT Alliance CONFIG FILE • Backup and restore functions
PRC and FAL files are scanned for SWIFT Alliance • Reading database paths from
Software Server gpca.dat
attacker-defined terms. On match will Software Server registry
extract transfer reference and sender
addresses to form an SQL DELETE
liboradb
statement to delete a transaction. .dll 85 C0 75 04
Messages that contain attacker-defined 85 C0 90 90
terms will be used to form SQL
statements to query Convertible
Attackers gain access Malware decrypts Malware identifies and Currency availability and then update
and install malware. config file containing exploits host’s SWIFT transfer amounts. Malware checks to
Malware infects Malware lists all If found, overwrites 2 Overwritten bytes The malware can now
search terms to scan application to bypass
Attacker checks the ‘Login/Logout’ server running SWIFT running processess see if any processes bytes at a specific force the application execute database
with SWIFT messages. validity check within
Oracle DLL status of the Journal table every hour Alliance software. on server. have the ‘liboradb.dll’ offset with “do to always pass validity transactions.
and sends result to attacker domain over module loaded. nothing” (0x90 NOP) checks.
HTTP. instructions.`
Fig. 4. Overview of the Bangladesh attack Fig. 5. How the malware exploited liboradb.dll
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 5A total of 35 SWIFT transactions worth This mistake was identified as suspicious
$951,000,000 were made. However, only by Pan Asia Banking Corp, which contacted $29M
$81,000,000 of this was successfully the intermediary bank for the transaction Bloombery Resorts
Corp Solaire (Casino)
exfiltrated to bank accounts in the (Deutsche Bank) for verification. This
Philippines via the PhilRem remittance subsequently prompted Deutsche Bank to 4 Messages ($81M)
Succeed! $6M
service. This was due to multiple errors and seek further clarification from Bangladesh, PhilRem
Michel Cruz Acc. remittance
on the attackers’ behalf: resulting in the transaction failing. 30 Messages ($870M) Service
Blocked - Jupiter RCBC Bank
(Philippines) $30M
30 of the 25 messages (valuing $850M) The 4 messages remaining were worth a total Christopher
were rejected because they were being of $81M and were successfully processed by Lagrosa Acc.
$81M
sent to the Jupiter Street branch of RCBC. RCBC. These funds were transferred from Bangladesh CB US Fed William So Go $31M
The key word “Jupiter” caused a sanctions the initial 4 fraudulent accounts to a single $951M $20M Acc.
(35 messages) Alfred Vergara
hit in the US Federal Reserve due to US account, then converted to cash via the Acc.
1 Message ($20M) Deutche
sanctions against an Oil tanker company PhilRem remittance service. Blocked - Typo Bank Pan Asia Bank
named “Jupiter Seaways Shipping”, which (Sri Lanka) $25M
was linked to Iranian efforts to evade PhilRem was used to credit junket operator Enrico Vazquez $21M
Acc. Eastern Hawaii
shipping sanctions. accounts in multiple casinos and transfer Leisure (Casino)
$31 in cash to another junket operator
This left only 5 transactions remaining, directly. The stolen money was laundered
Shalika Foundation Acc.
which valued $101M. However, one of these through multiple private baccarat junkets
messages, intended to credit the Shalika and ultimately extracted and transported to Fig. 6. BCB funds journey
Foundation, contained a typographical Macao where its trail was lost.
error within the recipient account’s name.
The attackers had misspelled “Foundation” This flow has been diagrammed on the right.
ad “Fandation”.
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 6SONALI BANK BANCO DEL AUSTROZ
$250,000 $12,000,000
Not much was known regarding the Sonali credentials. These credentials were then used to During the attack on Banco del Austroz (January
Bank heist (2013), and until 2016 it was treated move laterally through the bank’s network and gain 2015), attackers stole the credentials of an
as a ‘cold case’. However, investigators re- access to the bank’s internal SWIFT systems, where unnamed bank employee and used them to
opened the case after the attack on the Bank of $250,000 worth of SWIFT transactions were made. access the employee’s Outlook email account.
Bangladesh in 2016. Using this access, the attackers located
cancelled and rejected SWIFT transfer requests,
It was reported that attackers were able to altered their details, and reissued them,
infect the bank’s internal systems with key- resulting in $12,000,000 worth of legitimate
logger software that was used to harvest user transfer requests being sent.
Attackers deploy a keylogger to steal Using stolen credentials, the attackers The attackers then issue an Attacker steals employee Attacker accesses employee Attacker alters transfer Attacker re-issues transfer
employee credentials. move laterally across the network to unspecified number of SWIFT credentials. outbox in search of rejected request details (e.g., amount, request messages.
find SWIFT-connected systems. transactions. and cancelled transfer destination).
requests.
Fig. 7. Attack Path: Sonali Bank heist Fig. 8. Attack Path: Banco del Austroz
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 7REPORTS FROM THE PHILIPPINES TIEN PHONG BANK
$UNKNOWN $1,130,000 (ATTEMPTED)
In 2016, reports emerged that a bank in the During the attack on the Tien Phong Bank If modification is
Philippines had been the victim of an attack in (December 2015), attackers used malware that successful, it converts the
October 2015. Although this attack occurred 2 specifically targeted the Foxit PDF reader, which file back to PDF, replacing the
months prior to the failed attack on the Tien was known to be used by the bank employees PDF original file. It then executes
when viewing SWIFT statements. Attackers were the legitimate Foxit reader to
Phone Bank in Vietnam (December 2015) and
display the modified PDF file.
the attack on the Bank of Bangladesh (February able to install a malicious version of the Foxit PDF
2016), malware samples recovered from all reader on employee workstations, which altered PDF XML
3 incidents were linked. Furthermore, these statements (when opened) in order to hide PDF
malware samples were found to share similar evidence of any malicious activity. Deletes the original SWIFT
code with malware used by the APT group messages from logs.
Malware poses as fake Foxit Malware reads the XML file
Lazarus. This malware was found to be installed on Executes SQL commands
reader. When users see this and searches for specific
infrastructure provided by a third-party vendor, as the default PDF reader and strings, which it then to delete database logs.
specifically used to provide the bank’s connection open SWIFT messages, it modifies based on its
into the SWIFT messaging network. Through converts the message to XML configuration file. If modification fails, the
a carefully planned and sophisticated attack, and saves it to a temporary malware deletes traces of its
file. activities.
employees at the Tien Phong Bank identified
suspicious SWIFT messages and rapidly contacted
Fig. 9. Execution of malware used in Vietnam hack
all parties involved. This prevented the transfer
requests from being completed and the attempt to
steal $1,130,000 was halted.
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 8UNNAMED UKRAINIAN BANK THE FAR EASTERN INTERNATIONAL BANK
$10,000,000 $160,000 (OF $60,100,000)
Details regarding the compromise of an In October 2017, an attack was carried out against
unnamed Ukrainian bank (2016) are limited, the Far Eastern International Bank. During the
though it was reported that $10,000,000 was heist, attackers used malware similar to that used
stolen and that the attack was similar to that of by the APT group Lazarus, which, as reported,
the Bank of Bangladesh. It was further reported has been linked to multiple attacks on financial
that this attack was only one of many that the institutions around the world.
Ukraine and Russia had experienced, resulting in
the loss of “hundreds of millions of dollars”. This malware was used to gain access to and move
through the bank’s internal network in order
to infiltrate SWIFT systems. The attackers then
compromised employee credentials and used this
ORD
information to authenticate to the SWIFT Alliance SSW
Messaging Hub and issue a total of $60,100,000 PA
worth of fraudulent transactions. Although it was
Attackers deploy malware to access Laterally moves across the network Attackers compromise SWIFT
initially understood that all but $500,000 was
the bank internal network. in search of SWIFT-connected operator credentials and use SWIFT
lost, the Financial Supervisory Commission (FSC) systems. software to issue fraudulent
reported that the final amount lost by Far Eastern transactions.
Bank was $160,000. Fig. 10. Attack Path: The Far Eastern International Bank
Following an investigation, it was found that the
bank’s security posture was not in line with the
requirements outlined by Taiwan’s banking law. As
a result, Taiwan’s financial regulator fined the Far
Eastern International Bank $266,524, raising the
total financial loss of the incident to $426,524.
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 9THE NIC ASIA BANK CITY UNION BANK REPORTS FROM RUSSIA
$580,000 (OF $4,400,000) $1,000,000 (OF $1,872,150) $6,000,000
In October 2017, there was another attack An attack targeting SWIFT systems was reported Also in February 2018, reports emerged from
on the NIC Asia Bank. Attackers specifically in February 2018, with nearly $2,000,000 stolen Russia’s central bank stating that attackers had
targeted the bank during the Hindu festival from the City Union Bank in India. The attack stolen $6,000,000 via SWIFT. This was stated to
Tihar, one of Nepal’s largest holidays. had similar patterns to that of the Bang of have been achieved by the attacker obtaining
Bangladesh in 2016, in that it first disabled the access to a computer within an unnamed Russian
According to reports, $4,400,000 of fraudulent Bank’s printer, preventing the bank from receiving bank and using this access to transfer the money
SWIFT transactions were issued during the acknowledgement messages. While the printer was into their own account.
attack. However, NIC identified the suspicious disabled, the attackers issued 3 payment messages:
activity and informed Nepal Rastra Bank (Nepal’s
central bank), resulting in the recovery of all 1. $500,000 to Dubai bank, via a New York MALAYSIA CENTRAL BANK
but $580,000 of the $4,400,000. Standard Chartered Bank. This, however, was $UNKNOWN (ATTEMPTED)
blocked immediately.
At the time of writing, investigations into this 2. A second message for $372,150 to Turkey, via a During March 2018, Malaysia’s Central Bank
attack are still ongoing. KPMG India’s forensic Standard Chartered account in Frankfurt. The disclosed that it had been the victim of a cyber
team, who were commissioned by NIC Asia Turkish lender involved blocked the transfer attack, in which threat actors attempted to steal
Bank to perform a digital investigation, had from being finalized. funds via fraudulent SWIFT payment messages.
requested two additional weeks to complete 3. A third payment for $1,000,000 was transferred Although little information was released regarding
their investigations. via a Bank of America account (in New York) to a this attack, Malaysia Central bank did state that:
bank in China. “All unauthorised transactions were stopped
through prompt action in strong collaboration
with SWIFT, other central banks and financial
institutions”.
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 10BANCO DE CHILE
$10,000,000
During an attack on Banco de Chile in May The affected systems were disconnected,
2018, attackers disrupted a large number of affecting operations necessary to prevent the
bank systems. Initially, the attack did not seem malware from spreading. However, during this
related to any attempted heist and it was period, a number of anomalous transactions
assumed that this initial wave of activity was were identified within their SWIFT systems.
simply destructive. At this point, the bank realized that the vast
destruction to their systems was not the attack,
On May 24, hundreds of workstations but simply a distraction from the attacker’s end
and servers within Banco de Chile ceased goal of issuing fraudulent transactions. Some
functioning. During the response to the were prevented, but not all. Through utilizing
incident, it was found that MBR Killer had been fraudulent SWIFT transactions, the attack cost
deployed widely across their estate. This was the bank $10,000,000.
a piece of malware that disrupted the Master Uses API CreateFile A to Overwrite the disk’s MBR Carry out the same wiping Force the system to shut
Boot Record (MBR) of a computer’s hard drive. retrieve hard disk’s handle routine to other hard disks down
Disruption to this section of a hard drive is
catastrophic, as it is the first sector of the drive
which is called before loading the operating Fig. 11. MBR Killer wiping routin
system. Once disrupted, the computer is unable
to boot.
Trend Micro, who analyzed the malware,
outlined that it carried out the following 4 steps
during its MRB-wiping routing (see diagram).
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 11COSMOS BANK FURTHER REPORTS AND
$13,500,000 NOTIFICATIONS
In August 2018, reports emerged that Cosmos In August 2018, SWIFT issued a warning to its
Bank in India had fallen victim to a large scale, customers, stating:
coordinated attack in which $13,500,000 was
stolen via a combination of ATM withdrawals “Swift is aware of a number of recent cyber
and fraudulent SWIFT payment instructions. incidents in which malicious insiders or
external attackers have managed to submit
The malware deployed by the attacker targeted Swift messages from financial institutions’ back
the bank’s automated teller machine (ATM) offices, PCs or workstations connected to their
server, resulting in 850 million rupees being local interface to the Swift network”.
extracted from ATMs across 28 countries. This
was composed of 14,049 transactions. During Following this, in October, FireEye released a
the attack, an additional 129 million rupees were detailed report on APT38. Among other things,
transferred to a company’s account in Hong this outlined that North Korea had been using
Kong via 3 fraudulent SWIFT payment messages. the SWIFT network in various attempts to steal
around $1.1B from at least 16 institutions since
2014.
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 12COMMON FACTORS
In review of these high-profile attacks, the user error. This comes as no surprise, however. components such as message queues to introduce
first common factor is that almost all of A widely accepted statistic highlights that that new payments, or even front-end application-level
them involve the deployment of some type 95% of all incidents recognize “human error” as vulnerabilities such as cross-site request forgery.
of malware onto a bank’s internal systems. a contributing factor. This is due to the fact that,
Furthermore, we see that attackers frequently regardless of how strong the security of a system The defense against these types of threat
pair this with the compromise of user is, many security controls can be bypassed by actors must begin with a strong security model
credentials. A list of the key tactics used are as human error. As an example, a password used to that is deployed and maintained across an
follows: access a secure system or resource, no matter how organization’s entire estate.
• Phishing complex, will only remain secure if kept secret.
• Malware deployment If the password is inadvertently or deliberately
• Keylogging disclosed, this will undermine any authorization
• Custom developed tooling and authentication controls implemented to
• Study of the environment and security restrict access to that system or resource.
processes
• Credential compromise It should be noted however, that although the
• lateral movement above high-profile case studies all follow this
• Email access particular pattern of well organized and involved
• Possible insider threat attacks, these are only the few prominent and
• Abuse of business processes successful attacks which reach the media. There
are many-many other attacks which happen each
Overall, none of the attacks directly year targeting financial institutions. The risk, in
compromised the SWIFT network itself, and regard to SWIFT systems, highlights that the focus
were instead the result of flaws within the should not always be the protection of payment
security controls deployed across the targeted operators who can issue payment messages, but
bank’s IT environments. Furthermore, attacks also users from the broader environment. Attacks
were frequently paired with some type of can be just as impactful by abusing lower-level
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 13WHAT IS SWIFT CSP?
As a countermeasure within the current The CSCF initially outlined 27 control in 2017, places an emphasis on the security of all systems • A1. Formerly known as a “Full Stack”
cyber threat landscape, SWIFT introduced the 17 of which were mandatory. As the years have within it. The controls used to establish the zone architecture. Both the messaging interface
Customer Security Programme (CSP) to support progressed, so has the framework. Version are grouped across 8 specific principles: and communication interface are within the
SWIFT customers in securing their local SWIFT CSCFv2022 outlines 32 security controls (23 of customer’s local environment.
infrastructure. It requires that they implement a which are mandatory), with each mitigating one of 1. Restrict internal access and segregate critical
set of mandatory and advisory security controls the specific risks that SWIFT customers face: systems from the general IT environment • A2. Formerly known as a “Partial Stack”
outlined within SWIFT’s Customer Security 2. Reduce the attack surface and vulnerabilities architecture. The messaging interface is within
Controls Framework (CSCF). These controls 1. The unauthorized sending or modification of 3. Physically secure your environment the customer’s local environmen, but a service
have been identified by SWIFT based on cyber financial transactions 4. Prevent compromise of credentials provider manages the communication interface.
threat intelligence and in collaboration with 2. The processing of altered or unauthorized SWIFT 5. Manage identities and segregate privileges
industry experts, and are articulated around inbound transactions 6. Detect anomalous activity to systems or • A3. SWIFT Connector Architecture. Only a SWIFT
three main objectives: 3. Business conducted with an unauthorized transaction records software component (e.g. Alliance Lite2) is
counterpart 7. Plan for incident response and information present within the local infrastructure, which is
1. Secure Your Environment 4. Breaches in confidentiality (business data, sharing used to connect to a SWIFT service provider.
2. Know and limit access computer systems, or operator details)
3. Detect and respond 5. Breaches in integrity (business data, computer The application of these security controls varies • A4. Customer Connector Architecture. This
systems, or operator details) based on the SWIFT infrastructure located locally defines a “Connector” architecture that utilizes a
within an institution’s environment. In recognition non-SWIFT provided connector solution, such as
Collectively, these 32 controls create a “Secure of this, SWIFT has grouped architectures into 4 IBM MQ.
Zone” in which, at a minimum, all local SWIFT main models, with some variation:
infrastructure resides. This isolates all local SWIFT • B1. No Local User Footprint Architecture. No
systems from the wider enterprise network and SWIFT-specific infrastructure components are
hosted within the customer’s local environment.
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 14The various components in scope of the CSCF are Network Devices: firewalls, routers, etc., within or The components which are not in scope of the If implemented to its fullest extent, the CSCF
broken down as follows: surrounding the SWIFT Infrastructure. CSCF are: should effectively isolate all local SWIFT
infrastructure from the wider enterprise
Secure Zone: a segmented portion of the network Graphical user interface (GUI): software that Back Office Systems: the systems responsible for environment, leaving only the communication
isolating SWIFT systems from the rest of the produces the graphical interface for a user (e.g., business logic, transaction generation, and other channel from the upstream systems and the
enterprise environment. Alliance Web Platform).
activities that occur before transmission of data middleware as an entry point.
into the local SWIFT infrastructure.
Messaging interface: a software product (e.g., The Relationship Management Application
Alliance Access) supporting the use of SWIFT’s (RMA): a SWIFT-mandated filter that enables
messaging services. This is typically connected customers to define which counterparties are General Enterprise IT Environment: the general
directly to the Communication Interface. permitted to send FIN messages to the institution. IT infrastructure used to support the broad
organisation (e.g. Mail server, directory services,
Communication interface: a software product Operators: individual end users and administrators employee PCs, etc.)
(e.g., Alliance Gateway) that provides a link who directly interact with the local SWIFT
between the SWIFT network (SWIFTNet) and the infrastructure.
messaging interface software. Enterprise IT Environment
Operator PCs: the end users’ or administrators’ Internet SWIFT Secure Zone (CSCF Scope)
Back Office
Connector: a local software product (e.g., Alliance computer devices, used to operate or maintain the Systems
Lite2 AutoClient) that facilitates communication local SWIFT infrastructure. Middleware Server
with a messaging and/or communication interface. Back Office Systems
using Middleware
Data Exchange Layer: the flow of data between
GUI Messaging Interface
SWIFTNet Link (SNL): a mandatory software the upstream systems/middleware and the local
Jump Server
General
product for accessing messaging services over a SWIFT infrastructure. IT Services
secure IP network (within fig. 12., the SNL is part of Operator Communication Interface + SNL
General Workstation
the communication interface). Middleware Server: local middleware system Enterprise Users
implementations, used for data exchange between Admin/User
SWIFT Infrastructure HSM and PKI
HSM & PIK: the SWIFT Hardware Security Module the SWIFT-related components (in the local SWIFT
and Public Key Infrastructure. infrastructure or at a service provider) and the user
back office. Fig. 12. A1 SWIFT Infrastructure
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 15IS SWIFT CSP COMPLIANCE ENOUGH?
Implementing all mandatory (and advisory) SWIFT systems are, and will remain, high profile by advanced and persistent threat actors. This
controls specified by the CSCF has targets for all threat actors operating with financial is simply a consequence of the very complex
demonstrated that it can will greatly improve motivations. Regardless of the implementation of nature of infrastructure deployed within financial
the security of local SWIFT infrastructure standard or advanced security controls, there is institutions.
deployments and also ensure that all SWIFT still a significant risk that these systems will have
customers have a baseline standard for their flaws that can be identified, targeted, and exploited
security. However, it should not be seen as a
perfect solution to preventing all attacks.
Within the CSP document itself, it is stated Internal threats use existing access. Attackers move laterally across
Network Perimeter
that CSP should not be considered an internal systems
exhaustive approach to security and it does
not replace a well-structured security and
risk framework. By design, its purpose is to
provide a baseline standard for the security of
all local SWIFT systems, only. As such, general
attack methodologies can still be applied to
the most secure of critical systems. A “baseline” END
GOAL
applies universally as a fundamental basic
standard and it can’t cater for the specifics of
every individual environment. In the case of
CSP, this baseline only covers SWIFT systems External threats breach Attackers escalate their current Attackers perform Attackers execute actions on
and can’t provide overall protection across an network perimeter and gain user privileges. reconnaissance activities to objectives.
entity’s estate. access to internal systems. identify targets.
Fig. 13. General attack methodology
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 16Enterprise IT Environment
The main focus of the CSP is to isolate all SWIFT
systems into the Secure Zone. Without this Internet Back Office
type of security model, attackers could have Systems
the opportunity to access SWIFT systems from Middleware Server
Back Office Systems
any number of locations within the general using Middleware
enterprise network. The attack surface of this
GUI Messaging Interface
type of environment is represented in fig. 14.
Jump Server
General
IT Services
With the implementation of all controls Operator Communication Interface + SNL
General Workstation
within CSCF, the attack surface of the SWIFT Enterprise Users
infrastructure is considerably reduced, removing Admin/User
SWIFT Infrastructure HSM and PKI
a number of attack paths that could previously
be exploited to access key systems. However,
these controls do not render SWIFT systems Fig. 14. Attack Vector: No Secure Zone
impenetrable; a connection from the local
SWIFT infrastructure (Secure Zone) to the
financial institutions back-office systems must Enterprise IT Environment
still remain. This is the weakest link in the
Internet SWIFT Secure Zone
security of all local SWIFT deployments. Back Office
Systems
Middleware Server
Back Office Systems
using Middleware
GUI Messaging Interface
Jump Server
General
IT Services
Operator Communication Interface + SNL
General Workstation
Enterprise Users
Admin/User
SWIFT Infrastructure HSM and PKI
Fig. 15. Attack Vector: SWIFT CSP
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 17The potential attack described on the previous Analysis of this attack shows that the methodology The process is then repeated to further
page is broken down and generalized in the still applies even with all CSP security controls in compromise the isolated SWIFT systems:
following diagram: place. A mapping of the attack to the methodology
is as follows: 1. The attackers breach the SWIFT network
perimeter and establish a foothold within the
1. Compromise the network perimeter and network, then:
establish a foothold within the local network 2. Escalate privileges in order to gain access to
2. Escalate current privileges (e.g. via system SWIFT system functionality
exploits or by obtaining user credentials) 3. Perform reconnaissance to understand how
3. Perform reconnaissance activities to identify the transactions can be performed and authorized;
next target system 4. Execute their end goal (submission of fraudulent
4. Repeat to move laterally across the network in transactions).
Attackers compromise bank Attackers move laterally across Attackers exploit upstream Attackers then exploit SWIFT
search of the end goal (SWIFT upstream systems)
network via vulnerabilities within network in search of upstream systems to breach the perimeter users and/or applications to
external facing systems or via SWIFT systems. of the SWIFT Secure Zone, issue fraudulent transactions.
existing access. gaining access to the bank’s
local SWIFT infrastructure.
Fig. 16. Hypothetical attack path of a SWIFT infrastructure compromise
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 18Although a high-level overview of such an
attack, this methodology of gaining direct
access to SWIFT systems is not the only viable
route for attacks. In 2020, F-Secure published
research demonstrating the viability of creating
fraudulent SWIFT messages without directly SYS_PAY_IN_Q
accessing any systems within the Secure Zone.
This was achieved by abusing the underlying MT ATP
SYS_PAY_OUT_Q
Message Queue (MQ) technologies used to
transport messages to the Secure Zone. In the
MT
event an attacker gains the privileges of a single
MQ administrator within the wider corporate MT
SYS
network, they may have enough access to write
forged SWIFT MT messages directly onto the MT
QM1 MID
queues. A diagram outlining the attack can be
seen on the right in fig. 17. MT
.LAU
MID_FIN_OUT_Q
The research emphasized the importance
of ensuring that the overall standard of an
MT MT
organization’s security is high enough to .LAU • Checksum
protect your highest privileged users from SAG • MAC Code
SAA • System Block (S)
being compromised, even if they operate
• Session / Sequence
outside of the Secure Zone. QM2
• Tracking Ref (UETR)
MT • Trailer (Block S)
Fig. 17. Fraudulent SWIFT MT message injection
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 19CAN YOU BE TOO SECURE FOR
YOUR OWN GOOD?
In the years following CSP’s initial release, Direct access to services within the secure if virtualized—exactly when required, mitigating environment. This would facilitate the freedom to
F-Secure supported multiple clients with zone. Such direct access could be achieved any risk associated with its presence within the perform comprehensive testing without any risk of
securing their SWIFT Secure Zone environments. through the introduction of short-lived firewall environment day-to-day. the assessment disrupting live traffic or exposing
During this time, we observed a new challenge rules, allowing approved “tester” devices either the production environment to unnecessary risk.
emerging: Secure Zones were becoming highly restricted or unrestricted access to select systems Access needn’t be granted to the production
restrictive, making it difficult to perform within the Secure Zone environment, such as web instance of the Secure Zone. It could instead The diagram below illustrates how these high-level
effective security assessments within them. application interfaces and servers for the duration (and ideally so) be to a pre-production instance solutions fit into an existing SWIFT Secure Zone
of an assessment. These firewall rules could then that accurately represents the live production architecture:
In response, we published an article describing subsequently be removed once the assessment
the challenge of testing SWIFT systems in this was concluded, in order to mitigate the risk Enterprise IT Environment
new, highly secured world. The conclusion introduced during the assessment timeframe.
was that SWIFT users should be conscious F-Secure Consultant Admin End User
that although they must restrict and harden Access to a dedicated “testing” system Internet Server Enviroment
their Secure Zone deployment, they must connected to the Secure Zone. This could SWIFT Secure Zone
Testing
also implement processes and controls to be achieved by creating a dedicated security Workstation
allow effective security testing within those assessment workstation with relevant tools Testing Jump Server
Workstation
environments. This could take multiple forms, installed that the tester accessed via Privileged General
IT Services
such as: Access Management (PAM) solutions. The
Messaging Interface GUI
workstation could exist within the Secure Zone or Back Office
within the organization’s server environment with Systems
ad-hoc whitelisted acces. As a security precaution, Communication Interface
this system could be “powered on”—or created,
Middleware Server
HSM and PKI
Monitoring
Fig. 18. SWIFT secure zone architecture
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 20SUMMARY F-Secure has observed multiple attacks in the Lastly, whilst creating a highly restrictive wild and identified additional theoretical and environment is effective and demonstrates a practical attack paths that could be exploited strong capability to protect critical assets, it is by an advanced persistent threat actor to important to also ensure that there are systems compromise an institution’s local SWIFT and processes in place to review and assess infrastructure. A significant number of these these deployments. attack paths were notably restricted following the implementation of the security controls outlined by CSP’s CSCF. SWIFT CSP and the CSCF significantly improve the security posture of an organization’s local SWIFT deployment. Yet, they are often seen as a point-in-time compliance challenge focusing on only key systems, and therefore should not be relied upon alone to prevent attacks against SWIFT deployments. F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 21
HOW CAN YOU BETTER SECURE YOUR LOCAL
SWIFT SYSTEMS?
SWIFT CSCF compliance and a complete CSP PREDICT PREVENT
attestation will ensure and demonstrate that
your local SWIFT systems are hardened and It is key that financial institutions begin by Once attack paths have been identified, an A strong focus should also be placed on
isolated within a Secure Zone. However, there understanding and mapping out the possible analysis of the steps an attacker would take establishing controls that prevent malware
will remain a number of additional systems attack paths that an attacker could take when to reach actions on objectives should be execution. Furthermore, these controls should be
within your wider environment that can be attempting to compromise their enterprise ascertained. The controls surrounding each of redundant in the event that one fails or is bypassed
exploited to invoke payment instructions network and local SWIFT infrastructure. This these steps should be assessed to confidently e.g.:
through SWIFT. The key aspect to recognize process begins at the SWIFT systems and works determine whether or not they would prevent
here is that these additional systems are not backwards towards the enterprise network such actions. This process should include • Mail gateway: highly restrictive controls, file
perimeter in order to identify which systems security assessments of all controls along the types limited to only those necessary, signature
within scope of SWIFT CSP and do not reside
communicate with the SWIFT infrastructure path, as well as establishing an understanding of detection of malware, and sandbox malware
withing the Secure Zone. As such, financial
and the administration procedures surrounding the legitimate use cases for all components. detonation.
institutions must: these systems. Furthermore, all systems and • Endpoint devices: anti virtus technologies
applications deployed within the organization Financial institutions should also establish should be deployed in combination with software
must be subject to frequent security a strong understanding of which systems whitelisting to prevent the execution of arbitrary
assessments and penetration tests. A number of and actions privileged users have access to, binaries, scripts, and document macros.
attempted (and successful) attacks on financial and how an attacker could subvert or abuse • Account control: removing privileges wherever
systems are never publicly reported. As such, these privileges. If these legitimate actions possible and adopting a “just in time/minimal
organizations are advised to build trusted are necessary and cannot be prevented, effective access” approach to authentication,
relationships with other local and international strict monitoring and detection of malicious supported with multi-factor authentication.
financial organizations to share information on behaviors should be implemented. Privileged Access Management (PAM) platforms,
tactics and tooling. can be used to centralize the management of
critical system access
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 22DETECT RESPOND Recovery from the type of cyber heists When prevention fails, it is these detection Attack case studies such as the heist of the referenced through this paper is highly and response capabilities that will ultimately Bank of Bangladesh and other major incidents dependent on a timely response, facilitated determine the overall financial and operational should be mapped to the organization’s by an efficient attack detection strategy. impact of an organization’s local SWIFT systems. The response can then work through Discovering that a compromise has occurred infrastructure being compromised. Therefore, these to establish if an investigation could be when reading an end-of-day report is of little it is important that resources be given to rapidly conducted on their systems in the event use; it is crucial that financial institutions establishing a suitable detection and response of a similar attack. implement robust logging of all key servers strategy surrounding your SWIFT deployment within the environment and maintain visibility of and its upstream systems. The main goal of this servers and endpoint devices through endpoint is to efficiently contain and recover from an detection and response (EDR) technologies. attack. F-Secure further recommends that organizations Regular incident response exercises should be adopt a threat hunting approach to detection conducted by financial institutions to ensure and ensure that threat hunters are familiar with that the policies and procedures in place payment systems, as well as all known attacks facilitate rapid response to an incident. This against SWIFT systems. This should include should include tabletop exercises to test these prioritization of the endpoints (including jump procedures, as well as full incident response hosts) that are used by privileged users, because run-throughs based on SWIFT systems. these are the endpoints most likely to be targeted by advanced threat actors during an attack. . F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 23
CONCLUSION
In the present day cyber threat landscape, However, it’s important to remember SWIFT’s SWIFT’s CSP recommends a number of effective A “point in time” approach to security will never
attacks on financial and SWIFT systems are still CSP is largely a compliance challenge, which hygiene measures and security controls, but the succeed against an adaptive and persistent threat.
a key focus of advanced persisted threat actors. by nature becomes somewhat of a rigid, linear specific focus on the SWIFT payment systems will The cyber threat landscape is always shifting, and
As Willie Sutton reportedly stated in 1952, when process. Compliance does not ensure or imply ultimately push attackers to target other parts of so, only by turning the proposed methodology
asked why he robbed banks, “that’s where the security, as security itself is a fluid, cyclical the organization. into a recurring practice can financial institutions
money is”. Huge quantities of money are for process, always adapting and changing. CSP and other organizations hope to secure themselves
the taking. And attackers have, and continue might be consistely updated to adapt to this, but As with most compromises, the root cause against future threats.
to become, considerably more sophisticated, it will still only ever focus on the security of SWIFT will frequently remain human error, whether
persistent, and resourceful. infrastructure alone. made by administrators in a configuration file,
developers in their application code, or employees
In some of the most high-profile attacks F-Secure has observed that attackers will shift their being deceived into opening a malicious
against financial institutions, threat actors have resources into targeting upstream systems and/or email attachment. For this reason, F-Secure
frequently deployed bespoke malware and the users who operate with/in them. Furthermore, recommends an approach that builds on top of
used advanced tactics to achieve their goal of we’ve documented opportunities in the wild SWIFT CSP compliance to further strengthen
performing fraudulent financial transactions. and researched new ways for suitably positioned the security posture of an institution as a
In response, SWIFT introduced the Customer attackers to successfully leverage such systems to whole. This methodology is rooted in establishing
Security Programme (CSP) and had consistently perform a successful attack. a strong understanding of how modern threat
revised and updated the Customer Security actors target financial institutions, mapping this
Controls Framework (CSCF) to help protect its understanding to the organization, and selecting
global SWIFT community from this aver adaptive appropriate prevention, detection, and response
threat. measures.
F-SECURE CONSULTING © 2021 ANALYSIS: ATTACKING AND DEFENDING SWIFT SYSTEMS 241We’re global. Get in touch wherever you are.
www.f-secure.com/consulting/contact
www.f-secure.com/consulting
© F-Secure Consulting 2021You can also read
