Symantec has found evidence that a hacking group dubbed Odinaff has mounted attacks on SWIFT users, using malware to hide customers' own records of SWIFT messages relating to fraudulent transactions. The security firm said that the group has infected 10 to 20 Symantec customers with malware that can be used to hide fraudulent transfer requests made over SWIFT, the messaging system that is a linchpin of the global financial system.
SWIFT Chief Executive Gottfried Leibbrandt last month told customers about three hacks and warned that cyber attacks on banks are poised to rise.
The hacking tools are designed to monitor customers' local message logs for keywords relating to certain transactions and then move the matching logs out of the customers' local SWIFT software environment, so that the fraudulent messages leave no trace in the customer's own records. Symantec says it has no indication that the SWIFT network itself was compromised.
These "suppressor" components are tiny executables written in C, which monitor certain folders for files that contain specific text strings. Among the strings seen by Symantec are references to dates and specific International Bank Account Numbers (IBANs).
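To make the suppressor's trigger concrete, and to show the check a defender can run against it, here is an added example written for this page; it is not Odinaff's code and not Symantec's. It writes a few constructed, simplified message-log files (not real SWIFT messages), flags the ones that contain every string on a constructed watch list (a date and an IBAN, both invented), emulates the suppressor moving those files out of the folder, and then detects the removal by comparing a SHA-256 manifest taken before with one taken after. The directory layout, file names and watch strings are all assumptions.

```python
import hashlib
import os
import tempfile

# Constructed watch list in the style the article describes: a date and an IBAN.
# Both values are invented for this example.
WATCH_STRINGS = ["160928", "GB33BUKB20201555555555"]

# Constructed, simplified message-log files. Not real SWIFT messages.
SAMPLE_LOGS = {
    "msg_001.txt": ":20:REF001\n:32A:160928USD1000,\n:59:/GB33BUKB20201555555555\n",
    "msg_002.txt": ":20:REF002\n:32A:160927EUR250,\n:59:/DE89370400440532013000\n",
    "msg_003.txt": ":20:REF003\n:32A:160928GBP500,\n:59:/FR1420041010050500013M02606\n",
}


def write_sample_logs(directory):
    for name, body in SAMPLE_LOGS.items():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(body)


def files_matching(directory, watch_strings):
    """Names of files whose contents contain every watch string.

    This mirrors the trigger the article describes: the suppressor keys on
    text strings such as dates and IBANs. Requiring all strings keeps a date
    shared by many messages from matching on its own.
    """
    hits = []
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "r", errors="replace") as fh:
            data = fh.read()
        if all(s in data for s in watch_strings):
            hits.append(name)
    return hits


def manifest(directory):
    """SHA-256 of every file: the defender's baseline, taken before the attacker acts."""
    out = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as fh:
            out[name] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff_manifest(before, after):
    """Files that were in the baseline but are now missing or altered."""
    missing = sorted(n for n in before if n not in after)
    altered = sorted(n for n in before if n in after and before[n] != after[n])
    return missing, altered


def demo():
    """Run the whole sequence in temporary directories; returns (targets, missing, altered)."""
    with tempfile.TemporaryDirectory() as logs, tempfile.TemporaryDirectory() as stash:
        write_sample_logs(logs)
        baseline = manifest(logs)
        targets = files_matching(logs, WATCH_STRINGS)
        # Emulate the suppressor: move the matching records out of the log folder.
        for name in targets:
            os.replace(os.path.join(logs, name), os.path.join(stash, name))
        missing, altered = diff_manifest(baseline, manifest(logs))
        return targets, missing, altered


if __name__ == "__main__":
    print(demo())
```

The manifest comparison is the point a practitioner should take away: a baseline kept off the SWIFT host (or at least outside the folders the malware watches) lets reconciliation notice a record that has silently gone missing, which the local application logs alone cannot do once they have been edited.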
Each executable appears to be tailored to a target system. One of the files found along with the suppressor was a small disk wiper which overwrites the first 512 bytes of the hard drive. This area contains the Master Boot Record (MBR), including the partition table, which is required for the drive to be accessible without special tools; the partitions' data remains on disk, but the operating system no longer knows where to find it. Symantec's researchers believe this tool is used to cover the attackers' tracks when they abandon the system and/or to thwart investigations.
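The following is an added example for this page, not the wiper or any Symantec tooling: a small forensic check that reads the first 512 bytes of a disk image and reports whether the MBR looks intact, damaged, or zeroed the way a 512-byte overwrite leaves it. It relies only on the standard MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510). The sample MBR it builds, with one bootable partition starting at LBA 2048, is constructed for the example.

```python
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed MBR: dummy boot code plus one bootable type-0x07 partition at LBA 2048."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    mbr = boot_code + table + BOOT_SIGNATURE
    assert len(mbr) == SECTOR
    return mbr


def parse_mbr(sector):
    """Decode signature and partition entries from the first sector of a disk."""
    if len(sector) < SECTOR:
        raise ValueError("need at least 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[off:off + 16]
        )
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append(
                {"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count}
            )
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "all_zero": not any(sector[:SECTOR]),
        "partitions": partitions,
    }


def assess(sector):
    """'wiped' for an all-zero sector, 'damaged' if signature or table is gone, else 'intact'."""
    info = parse_mbr(sector)
    if info["all_zero"]:
        return "wiped"
    if not info["signature_ok"] or not info["partitions"]:
        return "damaged"
    return "intact"


def check_image(path):
    """Assess the MBR of a raw disk image or block device (read-only)."""
    with open(path, "rb") as fh:
        return assess(fh.read(SECTOR))


if __name__ == "__main__":
    print(assess(build_sample_mbr()))      # intact
    print(assess(b"\x00" * SECTOR))        # wiped
```

An all-zero first sector is a strong hint that a wiper of this kind has run rather than that the disk failed, because the rest of the volume is usually untouched; a forensic image taken before any repair attempt preserves the evidence, and the partition table can afterwards be rebuilt from the surviving filesystem headers.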
Symantec in May said it believed a high-profile February attack on Bangladesh's central bank was carried out by a group known as Lazarus, which was also responsible for attacks on SWIFT customers in Southeast Asia as well as the 2014 hack of Sony Pictures Entertainment.
Symantec said that the attacks involving Odinaff share some links with the Carbanak group, whose activities became public in late 2014. Carbanak also specializes in high-value attacks against financial institutions and has been implicated in a string of attacks against banks in addition to point-of-sale (PoS) intrusions.
The discovery of Odinaff indicates that banks are at a growing risk of attack. Over the past several years, cybercriminals have begun to display a deep understanding of the internal financial systems used by banks. They have learned that banks employ a diverse range of systems and have invested time in finding out how they work and how employees operate them. Coupled with the high level of technical expertise available to some groups, this knowledge makes them a significant threat to any organization they target.