Source:
https://scmp.com/news/world/united-states-canada/article/1994171/banks-edge-after-spate-spectacular-cyber-heists

Banks on edge after spate of spectacular cyber heists

Cybersecurity specialists say recent attacks on Bangladesh, Vietnam and Ecuador are probably just the tip of the iceberg

Financial sector in jitters after series of targeted attacks on global interbank service. Photo: Reuters

A series of spectacular cyber attacks against banks, resulting in the theft of tens of millions of dollars, has heightened fears for an industry becoming an increasingly attractive target for hackers.

Banks in Bangladesh, the Philippines, Vietnam and Ecuador have been targeted over the past year in the attacks on the global interbank service known as SWIFT, and some analysts expect more attacks to be revealed.

After the US$81 million heist from Bangladesh’s central bank became public in May, SWIFT said the incident was “not a single occurrence, but part of a wider and highly adaptive campaign targeting banks”.

Since then, officials said banks have also been hit in the Philippines and Vietnam.

Meanwhile Ecuador’s Banco del Austro claimed in a lawsuit that hackers made off with more than US$9 million through fraudulent SWIFT transfer requests.

Cybersecurity specialists say these attacks are probably just the tip of the iceberg.

“Cybercriminals are no longer targeting grandmothers at home for small amounts, but going directly where the money is,” said Juan Andres Guerrero-Saade, a researcher with the security firm Kaspersky.

Guerrero-Saade said it’s not clear where the attacks are coming from, but that the hackers are using techniques similar to those developed for cyberespionage.

“I don’t think this implies it’s nation-states, it’s more of an evolution,” the analyst said. “It’s criminal actors taking on some of those techniques.”

Commuters pass by the front of the Bangladesh central bank building in Dhaka. A US$81 million heist from Bangladesh’s central bank became public in May. Photo: Reuters

Kaspersky researchers last year uncovered a hacker group which targeted banks in Eastern Europe, estimating combined losses of up to US$1 billion.

Dan Guido, co-founder of the security firm Trail of Bits and hacker-in-residence at New York University’s engineering school, said the recent security breaches are not surprising.

“I didn’t think it would take this long,” Guido said.

“There are a large number of attacks like this possible if someone has the resources to do it.”

Guido said a relatively small team of determined hackers could carry out the kind of hacks that went through SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, a Brussels-based network which is used by more than 11,000 financial institutions in 200 countries.

The blame, Guido said, rests squarely with SWIFT for failing to bolster its software or require more secure hardware.

“It’s clearly within their control to have prevented incidents like this,” Guido said.

“They could have had more aggressive security requirements, they could have had protective hardware.”

On July 11, SWIFT announced it had hired cybersecurity firms BAE Systems and Fox-IT, while creating its own security team in an effort to thwart attacks.

Data breaches in the past affected some tens of millions of JPMorgan Chase customers, and accounts from financial giant Morgan Stanley. A US congressional report in June found “major data breaches” at the Federal Deposit Insurance Corporation.

Christiaan Beek of Intel’s McAfee Labs said the hackers that targeted SWIFT were well organised and resourceful.

“We can see that the attackers have done their reconnaissance properly and may have used an insider to get the details they needed to prepare their attack,” Beek said. “The attackers have a very good understanding of the SWIFT messaging system and how to manipulate the system to prevent ... detection.”

Guido said US banks could face similar attacks. “I don’t see why it can’t happen here [in] smaller banks that don’t have expertise and guidance to protect their interconnections.”