The criminals who stole $101 million from Bangladesh’s central bank could strike again, security experts warned Monday.
They urged global banks to tighten their defenses after discovering malware that helped hackers cover their tracks in February’s huge heist.
The malware, identified by researchers at British defense contractor BAE Systems(BAESY), helped attackers target the SWIFT payment software used by Bangladesh’s central bank, and then steal money from its account at the New York Fed.
“The tool was custom made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software as well as good malware coding skills,” BAE researchers said in a blog post Monday.
SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, runs a communications network that underpins much of the global financial system.
Alliance Access is a messaging system that allows banks to connect to SWIFT. It is used at more than 2,000 installations around the world.
SWIFT said Monday that its network and core messaging services had not been compromised.
The malware helps explain, however, how criminals were able to execute five transfers from the central bank’s account at the New York Fed. The requests looked real: They appeared to come from a Bangladesh server, and the thieves supplied the correct bank codes to authenticate the transfers.
Most of the stolen funds ended up in accounts located in the Philippines, while roughly $20 million, which has since been recovered, went to Sri Lanka. The robbers tried to steal $850 million more, but the requests were denied.
BAE’s experts said that once the malware infiltrated the Bangladesh Bank’s computer system, it allowed the perpetrators to conceal transactions, and even prevent confirmation messages from being printed.
They said all financial institutions who run SWIFT software should “be seriously reviewing their security now to make sure they too are not exposed.”
“This malware was written bespoke for attacking a specific victim infrastructure, but the general tools, techniques and procedures used in the attack may allow the gang to strike again,” they said.
SWIFT said it had “developed a facility” to help its customers enhance their security and spot inconsistencies in their records.
“The key defense against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems … against such potential security threats,” SWIFT said in a statement.