With 11,000 member institutions and peak traffic exceeding 30 million messages a day, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) and its messaging services are key components of modern banking. With the potential value of a successful attack drawing ever more sophisticated criminal groups (Carbanak) and well-resourced nation state threat actors (Lazarus Group), SWIFT-connected institutions have seen several attempted and successful attacks in recent years.
To help understand how attackers have exploited the SWIFT messaging system at various financial institutions, MWR has analysed a number of key attacks spanning the past 5 years. This white paper analyses these individual attacks and identifies a number of common factors between them.
Common tactics of attacks analysed.
Analysis of these attacks found that the SWIFT network (SWIFTNet) itself was never compromised, and that it was the banks’ own local infrastructure which was used to form and issue fraudulent financial messages. To help meet this local challenge head on, a mandatory set of standards and controls has been enforced by SWIFT’s Customer Security Program (CSP), which effectively secures and isolates all member institutions’ local SWIFT assets from the wider enterprise network. Enforcing this standard raises the bar for attackers and negates a number of common tactics applied when targeting financial institutions with a lower security maturity.
Compliance does not guarantee protection
However, even with these extensive security controls, which effectively establish an isolated ‘secure zone’ (hardening local access to SWIFT systems), there are still a number of upstream systems which will not fall within the scope of CSP. Given the long patience and persistence exercised throughout the attacks studied, it is likely that this level of security would not prevent or deter a persistent attacker from targeting these systems; it would instead shift their attention to the upstream systems and applications which feed information into them.
Full stack CSP attack.
The shifting nature of the current cyber-threat landscape, coupled with the ever-evolving nature of a financial institution’s attack surface, has shown that single “point in time” security measures will likely be overcome by an adaptive and persistent threat actor. Rather than purely meeting the standards for CSP compliance, member institutions need to analyse their individual landscapes and Predict, Prevent, Detect & Respond in all areas of risk, not focus their attention on a single subset of systems.
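As an added illustration of the ‘Detect’ control the paper calls for against upstream tampering (this is example code written for this page, not code from MWR or from the white paper), the script below reconciles the payment instructions that actually left the SWIFT secure zone against an independent record of what the business authorised (e.g. the core ledger or the originating channel, rather than the intermediate feed an attacker may have altered). The `Payment` fields, transaction references, account identifiers and amounts are all constructed for the example; real SWIFT message formats are not modelled.

```python
# Added example (not from the MWR white paper): reconcile outbound payment
# instructions recorded at the SWIFT secure zone against an independent,
# authoritative record of what was authorised upstream, so that messages
# injected or altered in the upstream feed are surfaced as findings.
# All field names, references, accounts and amounts below are constructed.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Payment:
    reference: str      # transaction reference shared across systems (constructed)
    amount: Decimal
    currency: str
    beneficiary: str    # beneficiary account identifier (constructed)


# Constructed sample: what the business actually authorised, taken from a
# source independent of the feed into the secure zone.
AUTHORISED = [
    Payment("TRN0001", Decimal("1500.00"), "USD", "ACC-ALPHA"),
    Payment("TRN0002", Decimal("250000.00"), "EUR", "ACC-BETA"),
    Payment("TRN0003", Decimal("42.10"), "GBP", "ACC-GAMMA"),
]

# Constructed sample: what left the SWIFT secure zone. TRN0002's beneficiary
# differs from the authorised record, TRN0004 was never authorised at all,
# and TRN0003 was authorised but never sent.
OUTBOUND = [
    Payment("TRN0001", Decimal("1500.00"), "USD", "ACC-ALPHA"),
    Payment("TRN0002", Decimal("250000.00"), "EUR", "ACC-MULE"),
    Payment("TRN0004", Decimal("990000.00"), "USD", "ACC-DELTA"),
]


def reconcile(authorised, outbound):
    """Compare outbound messages with the authoritative record.

    Returns a dict with three lists of transaction references:
      'unauthorised' - sent from the secure zone with no authorised record
      'altered'      - authorised, but amount/currency/beneficiary differ
      'missing'      - authorised but never sent (possible suppression)
    """
    auth_by_ref = {p.reference: p for p in authorised}
    out_by_ref = {p.reference: p for p in outbound}
    findings = {"unauthorised": [], "altered": [], "missing": []}

    for ref, sent in out_by_ref.items():
        auth = auth_by_ref.get(ref)
        if auth is None:
            findings["unauthorised"].append(ref)
        elif (auth.amount, auth.currency, auth.beneficiary) != (
            sent.amount, sent.currency, sent.beneficiary
        ):
            findings["altered"].append(ref)

    for ref in auth_by_ref:
        if ref not in out_by_ref:
            findings["missing"].append(ref)

    return findings


if __name__ == "__main__":
    for category, refs in reconcile(AUTHORISED, OUTBOUND).items():
        print(f"{category}: {refs}")
```

The value of the check depends on the authoritative side being genuinely independent of the path an attacker could reach: reconciling the secure zone against the very feed that was tampered with would report everything as consistent. Run on the constructed sample above, the script reports TRN0004 as unauthorised, TRN0002 as altered and TRN0003 as missing.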