One of my recent gigs was the result of the SWIFT banking incident in Bangladesh. Just to put things right: I'm not an expert on the malware analysis; my knowledge is based only on a few online papers about the incident and chats with a few law enforcement officers who were involved. My experience with SWIFT and banking is an ancient one; my last meddling was more than 10 years ago, and my last SWIFT system was installed on AIX machines.
The available resources present in detail how the attack worked, the high quality of the attack code, the results of the investigations etc., very detailed from a technical point of view. Since the original incident the same attack has also been done in a few other places.
What surprised me horribly was the fact that the SWIFT subsystem was implemented on a Windows machine.
I'm really curious why and how something so critical was put on Windows and what the reasoning for that was. The decision to use Windows OS and SWIFT looks like a disaster from any angle I can think of. I really can't figure out what the benefit of such a solution is. I would really like to understand a) what the reason was for SWIFT to create a Windows version and b) what the reason was for the bank to use the Windows version of SWIFT.
The scenario which comes to my mind is very much like the one that was explained to me about why major forensic software vendors do not have UNIX versions. It goes like: our customers want us to use the Windows platform because this is the only platform they can efficiently use ... Basically it boils down to cutting expenses, which, as we know from history, is a common cause of any horrible disaster.
The reasoning chain behind this is very common among non-IT industries, where people do not understand their own business process, its critical dependency on IT and the related risks. I'm quite confident we will see a lot of trouble of that type in the future, especially with "intelligent" devices and the expansion of IoT (Internet of Things).
27.7.2016
So how can we rationally explain using SWIFT on Windows? When you chat with people it comes out that the most common technical expertise is based on Windows OS, and MS-based OSes are the majority in medium business and enterprise, so it means a huge base of people and low expenses. On the other hand, UNIX-based expertise is scarce and not easy to find; sometimes it is even worse, UNIX-based systems and expertise are a lot more expensive. Using an AIX machine for this purpose in a completely Windows-based enterprise creates a small expensive island if you compare it only to production costs, but if you compare it to the possible incident cost it is quite cheap. It is easy to prove: the total breach was about 800 million dollars, while the unrecovered sum is about 80 million; compared to 80 million, the total cost of any AIX SWIFT subsystem is invisible.
So we have here a rational chain of thought: a decision based on available expertise and commonality of OS, not taking into account the risks and their costs. Something to think about, since this is not a technical issue but an organisational and managerial one.
PS: I'm talking about AIX not because of IBM PR, but because my only SWIFT experience is with AIX. To be honest, in my days I've seen a few situations which were very deadly even for the AIX/SWIFT combination, but there was no breach.
1.8.2016
A very detailed report about the bank interaction on the Reuters site, worth reading: The SWIFT hack: How the New York Fed fumbled over the Bangladesh Bank cyber-heist
26.8.2016
I finally managed to chat about this story with friends and colleagues. Different positions and experiences, from FIRST to banking regulatory.
1.9.2016
New articles about new developments and new attacks.
When you think about it, for an attacker it is best to have a weak entry point into the system, like a Windows node, rather than to attack the connection between the bank and SWIFT or the bank's IT. It is cheaper, since it is a common point; on the other hand, each internal banking IT is a unique form of chaos ..
2.9.2016
From SANS NewsBites
SWIFT Warns Member Banks of More Attacks
(August 31, 2016)
In February 2016, attackers stole US $81 million from Bangladesh Bank. In a letter to its clients earlier this week, global financial messaging system SWIFT disclosed that there have been more attacks, some successful, against member banks and urged them to adopt strong security measures.
16.10.2016
Again from SANS NewsBites; now everyone has found that SWIFT systems are hackable
Odinaff Trojan Targets SWIFT System
(October 11, 2016)
Malware known as Odinaff is being used to target the SWIFT funds transfer system. Symantec says that roughly 100 organizations have been infected with Odinaff. The malware makes its way into systems by getting users to click on a malicious Microsoft Office macro or password-protected RAR archive file.
Editor's Note
[William Hugh Murray]
Banks should use the indicators of compromise (IoCs) at https://www.symantec.com/security_response/writeup.jsp?docid=2016-083006-4847-99&tabid=2
- http://www.computerworld.com: Second group of hackers found also targeting SWIFT users
19.12.2016
There is more news about this story; it looks like more incidents happened and were "under-carpet-stored", interestingly without much fuss. Now it is normal that such "strong" organisations fail with a huge flop.. Banks, governments.. ..
All this and the Yahoo breach story reminds me of an old truth: if you need action you must have a heap of dead bodies.
7.3.2018
New stories about SWIFT bank attacks on some banks in Russia. It is on the SANS NewsBites. It shows how a good investment pays off for a long time.