Threat Analysis: SWIFT Systems and the CSP

With 11,000 member institutions and peak traffic exceeding 30 million messages a day, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) and its messaging services are key components of modern banking. With the potential value of a successful attack drawing ever more sophisticated criminal groups (Carbanak) and well-resourced nation state threat actors (Lazarus Group), it has seen several attempted and successful attacks in recent years.

To help understand how attackers have exploited the SWIFT messaging system at various financial institutions MWR has analysed a number of key attacks spanning the past 5 years. This white paper analyses these individual attacks and identifies a number of common factors between them.


Common tactics of attacks analysed.

Analysis of these attacks found that the SWIFT network (SWIFTNet) itself was never compromised, and that it was the banks’ own local infrastructure which was used to form and issue fraudulent financial messages. To help meet this local challenge head on, a mandatory set of standards and controls have been enforced by SWIFT’s Customer Security Program (CSP), which effectively secures and isolates all member institutions’ local SWIFT assets from the wider enterprise network. Enforcing this standard raises the bar for attackers and negates a number of common tactics applied when targeting financial institutions with a lower security maturity.

 Compliance does not guarantee protection

However, even with these extensive security controls which effectively establish an isolated ‘secure zone’ (hardening local access to SWIFT systems), there are still a number of upstream systems which will not fall within the scope of CSP. In observing the long patience and persistence exercised throughout the attacks studied, it is likely that this level of security, would not prevent or deter a persistent attacker from targeting these systems, it would shift their attention into targeting the appropriate upstream systems/application which feed information into them.


SWIFT finance cyber attacks

 Full stack CSP attack.

The shifting nature of the current cyber-threat landscape, coupled with the ever-evolving nature of a financial institution’s attack surface, has shown that single “point in time” security measures will likely be overcome by an adaptive and persistent threat actor. Rather than purely meeting the standards for CSP compliance, member institutions need to analyse their individual landscapes and Predict, Prevent, Detect & Respond in all areas of risk, not focus their attention on a single subset of systems.

 To read our detailed analysis and guidance download the whitepaper.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put an effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisation's adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.