Bangladesh Bank Hackers Used Malware on SWIFT Software


Brussels-based SWIFT (Society for Worldwide Interbank Financial Telecommunication), a cooperative at the center of the global financial system that is owned by some 3,000 financial institutions and banks around the world, may have been compromised during the Bangladesh Bank heist from the bank’s account at the New York Federal Reserve, according to a new report.

Significant new details have emerged from the investigations following the Bangladesh Bank cyber heist, in which hackers stole $81 million from the bank’s Federal Reserve account.

A spokeswoman for SWIFT, Natasha Deteran, confirmed that the organization was aware of malware that had targeted its client software.

Speaking to Reuters, Deteran stated that SWIFT would be releasing an update for its client software while assisting “customers in enhancing their security and to spot inconsistencies in their local database records.” She also claimed that the malware had zero impact on SWIFT’s network or core messaging services.

New evidence from British defense firm BAE Systems points to the Alliance Access server software, the program banks use to interface with SWIFT’s messaging platform. The hackers apparently manipulated the software to cover the tracks of the fraudulent transfers they had ordered.

The malware, named evtdiag.exe, is an executable designed to hide the attackers’ activity by altering the logs in a SWIFT database at Bangladesh Bank that tracks information about transfer requests.
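The defensive counterpart to what the article describes is an integrity check that a bank can run over its own transfer records, so that an altered or deleted log entry is noticed rather than trusted. The following is an added example, not code from the article, from SWIFT, or from BAE Systems: it keeps a hash-chained, keyed (HMAC) ledger of transfer records, verifies the chain, and reconciles the local ledger against a counterparty's list of executed transfers, which is the kind of "inconsistency in local database records" the SWIFT spokeswoman refers to. All record contents, the key, and the function names are constructed for illustration; nothing here reflects the real Alliance Access schema.

```python
import hashlib
import hmac
import json

# Constructed sample transfer records (not real SWIFT messages or amounts).
SAMPLE_TRANSFERS = [
    {"ref": "TX-0001", "amount": "1000000.00", "currency": "USD", "beneficiary": "ACCT-A"},
    {"ref": "TX-0002", "amount": "250000.00", "currency": "USD", "beneficiary": "ACCT-B"},
    {"ref": "TX-0003", "amount": "4200000.00", "currency": "USD", "beneficiary": "ACCT-C"},
]

# Constructed demo key. In practice the key (or the chain head) must live on a
# system the messaging host cannot write to; an attacker with administrator
# credentials on the host could otherwise recompute the chain after editing it.
DEMO_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # anchor for the first entry in the chain


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_digest(prev_digest, record, key):
    """HMAC-SHA256 over (previous digest || canonical record)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_digest.encode())
    mac.update(canonical(record))
    return mac.hexdigest()


def build_log(records, key):
    """Append records to a fresh chain, each entry linked to the one before it."""
    log, prev = [], GENESIS
    for record in records:
        digest = chain_digest(prev, record, key)
        log.append({"record": dict(record), "prev": prev, "digest": digest})
        prev = digest
    return log


def verify_log(log, key):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:          # an entry was removed or reordered
            return False, i
        expected = chain_digest(prev, entry["record"], key)
        if not hmac.compare_digest(expected, entry["digest"]):
            return False, i                # record contents were edited
        prev = entry["digest"]
    return True, None


def simulate_tampering(log, index, **changes):
    """Copy the log and edit one record in place, as log-altering malware would."""
    tampered = json.loads(json.dumps(log))
    tampered[index]["record"].update(changes)
    return tampered


def reconcile(local_log, counterparty_records):
    """Compare local records with the counterparty's executed transfers."""
    local = {e["record"]["ref"]: e["record"] for e in local_log}
    missing = sorted(r["ref"] for r in counterparty_records if r["ref"] not in local)
    mismatched = sorted(r["ref"] for r in counterparty_records
                        if r["ref"] in local and local[r["ref"]]["amount"] != r["amount"])
    return {"missing_locally": missing, "amount_mismatch": mismatched}


if __name__ == "__main__":
    ledger = build_log(SAMPLE_TRANSFERS, DEMO_KEY)
    print("intact:", verify_log(ledger, DEMO_KEY))
    edited = simulate_tampering(ledger, 1, amount="25.00")
    print("edited amount:", verify_log(edited, DEMO_KEY))
    print("deleted entry:", verify_log(ledger[:1] + ledger[2:], DEMO_KEY))
    # Constructed counterparty confirmation that lists one transfer the local log lacks.
    confirmations = SAMPLE_TRANSFERS + [
        {"ref": "TX-0004", "amount": "81000000.00", "currency": "USD", "beneficiary": "ACCT-X"}]
    print("reconciliation:", reconcile(ledger, confirmations))
```

The chain catches both edits and deletions because each entry commits to its predecessor's digest, and the reconciliation step catches records that never reached the local database at all; the two checks are complementary, since a log that has been cleanly truncated still verifies up to the point of truncation.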


BAE researchers determined that the executable is potentially one component of a wider toolkit installed by the hackers after they obtained administrator credentials. Researchers also speculate that the malware was developed and compiled close to the date of the heist, with detailed information about the bank’s operations, and that it was uploaded from Bangladesh.

Although the malware was written to target Bangladesh Bank specifically, the techniques, procedures and general tools employed could allow the gang to strike again, the investigative report revealed.

So far, the investigative findings from SWIFT and BAE do not reveal how the fraudulent wire transfer orders were created, pushed through and sanctioned in the first place.

Adrian Nish, BAE’s head of threat intelligence, underlined the elaborate scheme of the hackers masterminding the heist:

“I can’t think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in.”

“I guess it was the realization that the potential payoff made that effort worthwhile,” he added.