An unnamed bank in Ukraine is the most recent victim in a series of cyber-attacks exploiting vulnerabilities in the international banking communications system. According to an independent IT monitoring organization, hackers stole approximately $10 million by breaking into the Ukrainian bank’s internal network and submitting fraudulent money orders via SWIFT, the messaging system responsible for carrying out money transfers between financial institutions worldwide.

The Ukrainian theft is similar to a February cyber-attack in which hackers managed to steal millions of dollars from the central bank of Bangladesh. In that attack, the cyber attackers used stolen operator credentials to submit 35 fraudulent SWIFT transfer requests totaling $951 million. Five of the requests passed, and the criminals made off with $81 million funneled through a web of offshore companies. In a statement, SWIFT said that “the attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both.”

Banks in Ecuador and Vietnam also report similar cyber-attacks, suggesting that SWIFT-based threats to financial institutions may be on the rise.

News of the Ukrainian attack comes just weeks after the Federal Financial Institutions Examination Council (FFIEC) issued a statement reminding U.S. banks of the need to “actively manage the risks associated with interbank messaging and wholesale payment networks.” The FFIEC recommends that banks take the following multi-step approach to warding off SWIFT and other message-based attacks:

  • Conduct ongoing information security risk assessments.
  • Perform security monitoring, prevention, and risk mitigation.
  • Protect against unauthorized access.
  • Implement and test controls around critical systems regularly.
  • Manage business continuity risk.
  • Enhance information security awareness and training programs.
  • Participate in industry information-sharing forums.

The FFIEC’s full statement is available here.

Norman Roos

Norman Roos, a member of Robinson+Cole’s Business Transactions Group, concentrates his practice on transactional, regulatory, and technology matters relating to the financial services and real estate industries. He is also a member of the firm’s Financial Services Cyber-Compliance Team and advises financial institutions concerning data privacy and security matters, particularly in relation to policy planning and implementation.

Mr. Roos is counsel to the Connecticut Mortgage Bankers Association, Inc., and is president-elect of the American College of Mortgage Attorneys where he has served on the Board of Regents and as Connecticut State Chair. A member of the Connecticut Bar Association, Mr. Roos is Past Chair of the Financial Institutions Law Section. He has served on a number of Connecticut Law Revision Study Committees including those on Uniform Common Interest Ownership Act, Electronic Communications, Mortgagor Liability, and Electronic Recording of Land Records. Read his full bio here.

Scott Baird

Scott M. Baird is an associate in the firm’s Business Transactions and Finance Groups, where his practice involves all aspects of corporate and securities law, including corporate governance, mergers and acquisitions, private equity and venture capital transactions, joint ventures, finance transactions, and securities law and compliance. He focuses on new legislation as well as regulatory and compliance matters involving financial service institutions. Read his full rc.com bio.