Advanced SOC Operations / CSOC , Fraud Management & Cybercrime , Governance & Risk Management
Attack Against Indian Bank Closely Resembled Bangladesh Bank Hack
How Union Bank Foiled Attempted $170 Million HeistThere's a strong resemblance between the heist at Bangladesh's central bank in February 2016 and a foiled cyber-theft at Union Bank of India in July 2016, the Wall Street Journal has reported. And that raises the possibility that both attacks were the handiwork of the same attackers, and commissioned by the government of North Korea.
Notably, both cases appeared to involve the use of specific tactics and technology - including malware - in an attempt to send fraudulent messages via the SWIFT inter-bank messaging system.
See Also: 5 Requirements to Stay Afloat in the SIEM Storm
Investigators studying the hack at the state-owned Indian bank tell the Wall Street Journal that tactics and coding similar to the Bangladesh heist were used. Details shared with the newspaper by the chairman and managing director at Union Bank of India, Arun Tiwari, about how this attempt to steal $170 million was detected and thwarted, further bolsters this theory.
The attack in February 2016 against Bangladesh Bank, which targeted its account at the Federal Reserve Bank of New York, involved sending fraudulent messages via the SWIFT interbank messaging system, backed by custom-built malware that infected the bank's systems and hid evidence of the attacks.
Four months later, Union Bank of India was attacked in a similar manner. UBI told Reuters in July 2016 that a breach of one of its nostro accounts had been quickly detected, and that attackers' attempts to fraudulently transfer funds from the New York nostro to private accounts in five locations had been foiled. Nostro accounts refer to accounts that banks hold in a foreign currency in another bank, typically located abroad. They are widely used to facilitate foreign exchange and trade transactions.
UBI did not respond to Information Security Media Group's request for comment on the latest reports.
Experts Had Noted Similarity
In August 2016, ISMG also reported on the alleged similarity between the Bangladesh Bank theft and the UBI case (see: Interbank Payments: Attackers' New Target).
Multiple financial sector security experts also speculated that the breach of UBI's nostro account, believed to be held at Citigroup in New York, may have involved the same attackers who compromised the Bangladesh Central Banks's SWIFT systems.
"It's entirely possible" that the same attackers were involved in the two attacks, financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, told ISMG. "There is definitely a criminal group that well understands the intricacies and detailed processes of SWIFT and foreign exchange transactions, and it's entirely plausible that this knowledge enabled the criminals to breach Union Bank's India nostro account," she said.
A series of subsequent bank heists or attempted heists also affected Vietnam's TPBank and Banco del Austro in Ecuador, as well as banks in Ukraine. Those attacks used malware, disguised as a PDF reader, to help hide attackers' fraudulent SWIFT transfers, although it's not clear if the attacks were the work of a single group (see: 5 SWIFT Cyber Heist Investigations).
But the U.S. Department of Justice and independent information security experts have attributed at least one of the attacks to attackers affiliated with the North Korean government (see: Is Bank Malware Campaign Linked to North Korea?).
At least for the UBI case, however, there may be an insider angle, because interbank transactions involving nostro accounts require multifactor authentication, which means credentials for at least one person with administrative or transaction-approval power had to be compromised. The Bangladesh heist probe has also suggested that one or more insiders may have been involved, perhaps unknowingly (see: Bangladesh Bank Heist Probe Finds 'Negligent' Insiders).
In the case of the UBI attacks, "it's possible the attackers obtained credentials through insiders or by hacking the PC having such credentials ... then submitted fraudulent messages by impersonating them," says Sivakumar Krishnan, former head of IT at Mumbai-based financial services firm M Power Micro Finance.
UBI Attack Thwarted
Tiwari, who heads Union Bank of India, told the Wall Street Journal that the attack began in late July last year when an employee opened an attachment on an email that appeared to have come from India's central bank, activating a piece of malware that allowed the hackers to steal UBI's SWIFT access codes.
The hackers are then believed to have leveraged the stolen codes to forge instructions to Union Bank's nostro account at Citigroup in New York, ordering around $170 million to be sent to accounts in Thailand, Cambodia, Australia, Hong Kong and Taiwan. The money was transferred to several shell companies associated with Asian - in particular Chinese - organized crime syndicates, according to a source cited by the newspaper.
For every SWIFT transaction, two reports are usually generated and sent to both banking parties - in this case UBI and Citibank in New York. That way, both the originating and correspondent bank receive confirmation of the trade, and then the correspondent bank can forward this SWIFT message to the originating bank the next day to cross-check the transaction (see: Inside Look at SWIFT-Related Bank Attacks).
Last year, security experts in India told ISMG that Citigroup - not UBI - flagged the request for a transfer from the nostro account as being suspicious and immediately notified UBI. But Tiwari told the Wall Street Journal that on July 21, 2016, UBI's own treasury department discovered that six transactions Union Bank hadn't intended to authorize had been executed, and that the bank raised the red flag. Tiwari says the bank immediately started the process to recover the funds, working closely with SWIFT officials.
After the attempted cyber-fraud was detected July 21, the transactions were rolled back and funds fully recovered within three days - by July 24, Tiwari said.
Multiple firms hired to investigate the attack noted that it used tools and tactics that had been seen in the Bangladesh Bank hack, Tiwari said. He noted that Citigroup's cybersecurity team observed similarities in how the malware behaved between the UBI attack and that of the Bangladesh Bank attack. Audit and business consulting firm Ernst & Young - hired by UBI after the attack - also concluded it had been executed similarly to the attack on the Bangladesh central bank, he said.
In both cases, the ingress point for the malware was through employee email, which then disabled the automatic transaction logs and took control of SWIFT functionality (see: Hackers Target SWIFT-Using Banks With Odinaff Malware).
In the days following the hack coming to light, Indian security experts praised UBI for successfully recovering the funds and speaking publically regarding the incident - public breach notification in the Indian banking space remains unusual. Some critics also allege that too many Indian banks fail to have robust cyberattack defenses in place - that an undue focus on compliance means Indian banks may not be taking a resilient stance against cyberattacks. However, RBI's recent breach reporting mandate may drive more banks to act (see: RBI: Banks Must Report Breach Incidents Within 6 Hours).
Krishnan, formerly with M Power Micro Finance, believes CISOs need to focus more attention on educating IT teams about how to properly protect identities and proactively respond to threats. "Most organizations fail to train them in handling phishing communications, use of passwords and password policy, as well as implementation of single sign-on with multifactor authentication."
Not coincidentally, all of those security strategies have been cited by SWIFT as being essential for defending against the types of attacks that have targeted UBI, Bangladesh Bank, and an unknown number of other banks.