An unnamed bank in Ukraine is the most recent victim in a series of cyber-attacks that abuse banks' access to the international interbank messaging system. According to an independent IT monitoring organization, the attackers stole approximately $10 million by breaking into the Ukrainian bank's internal network and submitting fraudulent payment instructions via SWIFT, the messaging network that carries money-transfer orders between financial institutions worldwide. As in the earlier incidents, the weakness lay in the bank's own environment and credentials rather than in the SWIFT network itself.

The Ukrainian theft resembles a February cyber-attack on the central bank of Bangladesh. In that attack, the attackers used stolen operator credentials to submit 35 fraudulent SWIFT transfer requests totaling $951 million. Five of the requests went through, and the criminals made off with $81 million, funneled through a web of offshore companies. In a statement, SWIFT said that "the attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyberattacks, or a combination of both."

Banks in Ecuador and Vietnam have also reported similar cyber-attacks, suggesting that attacks against institutions' SWIFT access are on the rise.

News of the Ukrainian attack comes just weeks after the Federal Financial Institutions Examination Council (FFIEC) issued a statement reminding U.S. banks of the need to "actively manage the risks associated with interbank messaging and wholesale payment networks." The FFIEC recommends that banks take the following multi-step approach to defending against attacks on SWIFT and other interbank messaging systems:

  • Conduct ongoing information security risk assessments.
  • Perform security monitoring, prevention, and risk mitigation.
  • Protect against unauthorized access.
  • Implement and test controls around critical systems regularly.
  • Manage business continuity risk.
  • Enhance information security awareness and training programs.
  • Participate in industry information-sharing forums.

The FFIEC's full statement is available on the FFIEC website.