2015–2016 SWIFT Banking Hack

In 2015 and 2016, a series of cyberattacks using the SWIFT banking network were reported, resulting in the successful theft of millions of dollars. The attacks were perpetrated by a hacker group known as APT 38, whose tactics, techniques and procedures overlap with those of the infamous Lazarus Group, which is believed to be behind the Sony attacks. Experts agree that APT 38 was formed following the March 2013 sanctions, and the first known operations connected to this group occurred in February 2014. If the attribution to North Korea is accurate, it would be the first known incident of a state actor using cyberattacks to steal funds. The attacks exploited vulnerabilities in the systems of member banks, allowing the attackers to gain control of the banks' legitimate SWIFT credentials. The thieves then used those credentials to send SWIFT funds transfer requests to other banks, which, trusting the messages to be legitimate, sent the funds to accounts controlled by the attackers.


First reports

The first public reports of these attacks came from thefts from the Bangladesh central bank and a bank in Vietnam. A $101 million theft from the Bangladesh central bank via its account at the New York Federal Reserve Bank was traced to cyber criminals exploiting software vulnerabilities in SWIFT's Alliance Access software, according to a ''New York Times'' report. It was not the first such attempt, the society acknowledged, and the security of the transfer system was undergoing new examination accordingly. Soon after the reports of the theft from the Bangladesh central bank, a second, apparently related, attack was reported to have occurred on a commercial bank in Vietnam. Both attacks involved malware written both to issue unauthorized SWIFT messages and to conceal that the messages had been sent. After the malware sent the SWIFT messages that stole the funds, it deleted the database record of the transfers, then took further steps to prevent confirmation messages from revealing the theft. In the Bangladeshi case, the confirmation messages would have appeared on a paper report; the malware altered the paper reports when they were sent to the printer. In the second case, the bank used a PDF report; the malware altered the PDF viewer to hide the transfers. Furthermore, the news agency Reuters reported on 20 May 2016 that there had already been a similar case in Ecuador in early 2015, when Banco del Austro funds were transferred to bank accounts in Hong Kong. Neither Banco del Austro nor Wells Fargo, which were asked to conduct the transactions, initially reported the movements to SWIFT as suspicious; implications that the actions actually were a theft only emerged during a lawsuit Banco del Austro (BDA) filed against Wells Fargo.
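The concealment described above worked because every record the bank consulted (its transaction database, the printed confirmations, the PDF report) was produced on the compromised host. The defensive lesson is that reconciliation has to use a record the attacker cannot edit from that host, such as the counterparty's own acknowledgements or statements. The following added example (not code from the article, SWIFT, or any of the banks named) models that check: it parses a small batch of confirmation messages in a simplified colon-tagged format constructed for this example, compares them with what the local database claims was sent, and reports transfers that were deleted locally or whose details were altered. All references, amounts and beneficiaries are constructed sample data.

```python
"""Reconcile a local transfer log against an independent confirmation record.

Added illustrative example. The message format below is a simplified
colon-tagged layout constructed for this example; it is not a complete
implementation of any SWIFT message type. Sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    reference: str    # sender's transaction reference (tag 20 in the sample format)
    currency: str     # three-letter currency code
    amount: Decimal   # Decimal, never float, for money
    beneficiary: str  # beneficiary account line (tag 59 in the sample format)


def _to_transfer(fields: dict[str, str]) -> Transfer:
    # Constructed layout for tag 32A: YYMMDD + currency + amount with comma decimal
    value = fields["32A"]
    currency = value[6:9]
    amount = Decimal(value[9:].replace(",", "."))
    return Transfer(fields["20"], currency, amount, fields["59"])


def parse_tagged_messages(text: str) -> list[Transfer]:
    """Parse messages of ':TAG:value' lines; a line containing only '-' ends a message."""
    transfers: list[Transfer] = []
    fields: dict[str, str] = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line == "-":
            if fields:
                transfers.append(_to_transfer(fields))
            fields = {}
            continue
        if not line.startswith(":"):
            continue  # ignore anything that is not a tagged field
        tag, _, value = line[1:].partition(":")
        fields[tag] = value
    if fields:  # last message without a trailing terminator
        transfers.append(_to_transfer(fields))
    return transfers


def reconcile(local_records: list[Transfer],
              independent_records: list[Transfer]
              ) -> tuple[list[Transfer], list[tuple[Transfer, Transfer]]]:
    """Return (transfers missing from the local log, (local, independent) pairs that differ).

    The independent record is treated as ground truth: a confirmed transfer with
    no local record means the record was deleted; a confirmed transfer whose
    fields differ from the local record means the record was altered.
    """
    local = {t.reference: t for t in local_records}
    missing: list[Transfer] = []
    altered: list[tuple[Transfer, Transfer]] = []
    for confirmed in independent_records:
        stored = local.get(confirmed.reference)
        if stored is None:
            missing.append(confirmed)
        elif stored != confirmed:
            altered.append((stored, confirmed))
    return missing, altered


# Constructed sample: what the (possibly tampered) local database still shows.
LOCAL_DB = [
    Transfer("TRN-0001", "USD", Decimal("250000.00"), "/11112222 BENEFICIARY A"),
    Transfer("TRN-0002", "USD", Decimal("1500000.00"), "/11113333 BENEFICIARY B"),
]

# Constructed sample: confirmations obtained from the counterparty, out of band.
INDEPENDENT_CONFIRMATIONS = """
:20:TRN-0001
:32A:160204USD250000,00
:59:/11112222 BENEFICIARY A
-
:20:TRN-0002
:32A:160204USD1500000,00
:59:/33334444 BENEFICIARY X
-
:20:TRN-0003
:32A:160204USD20000000,00
:59:/55556666 BENEFICIARY Y
-
"""


def run_example() -> tuple[list[Transfer], list[tuple[Transfer, Transfer]]]:
    """Run the reconciliation on the constructed sample and return its findings."""
    confirmed = parse_tagged_messages(INDEPENDENT_CONFIRMATIONS)
    return reconcile(LOCAL_DB, confirmed)


if __name__ == "__main__":
    missing, altered = run_example()
    for t in missing:
        print(f"DELETED LOCALLY: {t.reference} {t.currency} {t.amount} -> {t.beneficiary}")
    for stored, confirmed in altered:
        print(f"ALTERED: {stored.reference} local={stored.beneficiary!r} "
              f"confirmed={confirmed.beneficiary!r}")
```

The check is only as good as the independence of its second source: a confirmation file fetched by the same host that runs the messaging software can be edited by the same malware, so the comparison belongs on a separate system that receives the counterparty data directly.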


Expanded scope and suspicions of North Korea

After the initial two reports, two security firms reported that the attacks involved malware similar to that used in the 2014 Sony Pictures Entertainment hack and impacted as many as 12 banks in Southeast Asia. Both attacks are attributed by researchers to a hacker group nicknamed Lazarus Group. Symantec has linked the group with North Korea. If North Korea's involvement is true, it would be the first known incident of a state actor using cyberattacks to steal funds.


Ramifications


International relations

If the attack did originate in North Korea, the thefts would have profound implications for international relations. It would be the first known instance of a state actor using cyber attacks to steal funds. The thefts may also have implications for the regime of international sanctions that aim to isolate North Korea's economy. The theft may represent a significant percentage of North Korea's current GDP.


SWIFT system

Trust in the SWIFT system has been an important element in international banking for decades. Banks consider SWIFT messages trustworthy, and can thus follow the transmitted instructions immediately. In addition, the thefts themselves can threaten the solvency of the member banks. "This is a big deal, and it gets to the heart of banking," said SWIFT's CEO, Gottfried Leibbrandt, who added, "Banks that are compromised like this can be put out of business." Following the attacks, SWIFT announced a new regime of mandatory controls required of all banks using the system. SWIFT will inspect member banks for compliance, and inform regulators and other banks of noncompliance. SWIFT officials have made repeated remarks that attacks on the system are expected to continue. In September 2016, SWIFT announced that three additional banks had been attacked. In two of the cases, the hackers succeeded in sending fraudulent SWIFT orders, but the receiving banks found them to be suspicious and discovered the fraud. According to SWIFT officials, in the third case, a patch to the SWIFT software allowed the attacked bank to detect the hackers before messages were sent.


See also

* Illicit activities of North Korea

