Symantec warns of second group of hackers targeting SWIFT users

13 Oct 2016

A second hacking group was targeting banks by exploiting the Society for Worldwide Interbank Financial Telecommunication (SWIFT) money transfer system, after an $81-million heist by a group in February that used a similar approach.

The cyberattacks, which had been going on since January, had been directed at companies in the US, Hong Kong, Australia and other countries, security firm Symantec said in a report.

According to the security firm's "rough guess", about 100 organisations had been hit so far, on the basis of 74 individual computer infections detected.

The hackers used malware to cover up records of fraudulent transactions made over SWIFT, preventing their victims from learning about the theft.

According to Symantec, the approach resembled the February heist at a Bangladesh bank, in which the hackers also hid evidence of their attack by tampering with the SWIFT system.
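The defensive point behind both incidents is that an attacker who alters or suppresses a bank's own SWIFT records cannot also alter an independent record of the same transfers, so the two will disagree. The script below is an added illustration of that reconciliation check; it is not code from the article or from Symantec's report. The field layout, the file names and the sample transfers are all constructed assumptions.

```python
"""Reconcile a bank's own record of outbound SWIFT transfers against an
independent record (for example a correspondent bank's account statement)
and flag transfers that appear in one but not the other, or whose details
differ. Added example with constructed data; not Symantec's tooling."""

from dataclasses import dataclass
from decimal import Decimal

# Constructed sample data. LOCAL_LOG stands for the bank's own outbound
# message log; EXTERNAL_STATEMENT stands for an independent record held by
# the correspondent bank. T003 is absent from the local log and T004's local
# amount differs, as they would if local records had been suppressed or
# altered. The column layout is an assumption for this example.
LOCAL_LOG = """
# ref,amount,currency,beneficiary
T001,250000.00,USD,ACME Supplies Ltd
T002,1200000.00,USD,Northwind Trading
T004,50000.00,USD,Blue Harbor Logistics
"""

EXTERNAL_STATEMENT = """
# ref,amount,currency,beneficiary
T001,250000.00,USD,ACME Supplies Ltd
T002,1200000.00,USD,Northwind Trading
T003,9500000.00,USD,Unknown Beneficiary
T004,5000000.00,USD,Blue Harbor Logistics
"""


@dataclass(frozen=True)
class Transfer:
    ref: str          # transaction reference used as the join key
    amount: Decimal   # Decimal, never float, for money
    currency: str
    beneficiary: str


def parse_records(text):
    """Parse 'ref,amount,currency,beneficiary' lines into a dict keyed by ref.
    Blank lines and '#' comment lines are skipped."""
    records = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ref, amount, currency, beneficiary = [f.strip() for f in line.split(",", 3)]
        records[ref] = Transfer(ref, Decimal(amount), currency, beneficiary)
    return records


def reconcile(local, external):
    """Compare two record sets and return (kind, ref, detail) findings.

    MISSING_LOCALLY    : the counterparty saw a transfer our own log lacks
                         (the pattern a record-suppressing attacker leaves).
    MISSING_EXTERNALLY : our log claims a transfer the counterparty never saw.
    MISMATCH           : both sides have the reference but details differ.
    """
    findings = []
    for ref, ext in external.items():
        loc = local.get(ref)
        if loc is None:
            findings.append(("MISSING_LOCALLY", ref,
                             f"{ext.amount} {ext.currency} to {ext.beneficiary}"))
        elif (loc.amount, loc.currency, loc.beneficiary) != (
                ext.amount, ext.currency, ext.beneficiary):
            findings.append(("MISMATCH", ref,
                             f"local {loc.amount} {loc.currency} to {loc.beneficiary}; "
                             f"external {ext.amount} {ext.currency} to {ext.beneficiary}"))
    for ref, loc in local.items():
        if ref not in external:
            findings.append(("MISSING_EXTERNALLY", ref,
                             f"{loc.amount} {loc.currency} to {loc.beneficiary}"))
    # Deterministic order so repeated runs and tests compare cleanly.
    return sorted(findings, key=lambda f: (f[0], f[1]))


def run_sample():
    """Reconcile the constructed sample data and return the findings."""
    return reconcile(parse_records(LOCAL_LOG), parse_records(EXTERNAL_STATEMENT))


if __name__ == "__main__":
    for kind, ref, detail in run_sample():
        print(f"{kind:18} {ref}  {detail}")
```

The value of the check depends entirely on the external record coming from a system the attacker cannot reach from the compromised network, which is why the comparison source should be a counterparty statement or a separately administered feed rather than a second copy of the same local log.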

Some security experts say the Bangladesh heist was carried out by the Lazarus Group, which has been linked to the North Korean government and the 2014 hack of Sony Pictures (See: Hackers steal $101 mn of Bangla money from US Fed).

However, according to Symantec, the malware used in the newly discovered attacks probably belonged to a separate cybercriminal gang known as Carbanak, which may have stolen over $1 billion from dozens of countries by facilitating large wire transfers.

Symantec said in a blog post, "Since January 2016, discreet campaigns involving malware called Trojan.Odinaff have targeted a number of financial organizations worldwide. These attacks appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors. Organizations who provide support services to these industries are also of interest.

"Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013 – Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.

"These attacks require a large amount of hands-on involvement, with methodical deployment of a range of lightweight back doors and purpose-built tools onto computers of specific interest. There appears to be a heavy investment in the coordination, development, deployment, and operation of these tools during the attacks. Custom malware tools, purpose-built for stealthy communications (Backdoor.Batel), network discovery, credential stealing, and monitoring of employee activity are deployed."