
Unveiling the £229 Million Cyber Heist: SWIFT Network Vulnerabilities and APT Group Tactics


Executive Summary

In a recent high-profile cyber heist, the London offices of Sumitomo Mitsui Banking Corporation were targeted by hackers in an attempt to steal £229 million (approximately $229 million). This attack primarily focused on the financial sector, with targeted accounts belonging to major Japanese corporations such as Toshiba, Nomura Asset Management, Mitsui OSK Lines, and Sumitomo Chemical. The attempted fund transfers were directed to accomplices in Spain, Singapore, Dubai, and Hong Kong. This report delves into the sophisticated methods employed by the attackers, the vulnerabilities they exploited, and the broader implications for the financial sector.

Technical Information

The heist was orchestrated through a series of calculated steps, beginning with insider assistance. A security supervisor at the bank facilitated the entry of two Belgian hackers into the bank's premises under the guise of a social visit. Once inside, the hackers installed keylogging spyware on the computers of bank employees. This spyware was instrumental in capturing sensitive login credentials, which were subsequently used to attempt unauthorized transfers of funds to accounts controlled by the attackers.

The attackers exploited several vulnerabilities, including weak physical security protocols that allowed them access to the bank's systems. The lack of network segmentation further enabled the attackers to install and operate spyware without immediate detection. Additionally, vulnerabilities in the SWIFT network were exploited, similar to other high-profile heists. The attackers used malware to manipulate SWIFT's client software, Alliance Access, to authorize fraudulent transactions.

Exploitation in the Wild

In this incident, the attackers installed keylogging spyware that captured the usernames and passwords of bank employees, then used those credentials to initiate unauthorized fund transfers. Indicators of Compromise (IOCs) include unusual login patterns, unauthorized access attempts, and anomalies in transaction records.
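To make those IOCs concrete, the following is an added example (not code from the original report or from Rescana) that runs a simple baseline-versus-current check over constructed login and payment records, flagging transfers initiated from an off-hours session on a workstation the user had never used before, to a beneficiary country the ordering customer had never paid. The business-hours window, the high-value threshold, the session window and every log record are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 20)        # assumption: 07:00-19:59 is a normal working session
HIGH_VALUE_GBP = 10_000_000          # assumption: manual-review threshold for one transfer
SESSION_WINDOW = timedelta(hours=2)  # assumption: a login explains payments for the next 2h

# Constructed sample logs (not data from the incident): ordinary activity, then an
# off-hours login from an unfamiliar workstation followed by large transfers abroad.
LOGINS = [  # (timestamp, user, workstation, success)
    ("2024-03-04T09:02:00", "ops_a", "WS-114", True),
    ("2024-03-05T09:05:00", "ops_a", "WS-114", True),
    ("2024-03-06T23:39:00", "ops_a", "WS-207", False),
    ("2024-03-06T23:41:00", "ops_a", "WS-207", True),
]
PAYMENTS = [  # (timestamp, user, ordering_customer, beneficiary_country, amount_gbp)
    ("2024-03-04T10:30:00", "ops_a", "CUST-1", "JP", 1_200_000),
    ("2024-03-06T23:52:00", "ops_a", "CUST-1", "ES", 58_000_000),
    ("2024-03-06T23:55:00", "ops_a", "CUST-2", "HK", 41_000_000),
]

def suspicious_payments(logins, payments, baseline_until):
    """Return [(timestamp, user, reasons)] for payments after baseline_until that
    deviate from the per-user / per-customer behaviour recorded before it."""
    cutoff = datetime.fromisoformat(baseline_until)
    known_hosts, known_countries = defaultdict(set), defaultdict(set)
    sessions = []  # (start, user, workstation) for successful logins after the cutoff
    for when, user, host, ok in logins:
        t = datetime.fromisoformat(when)
        if ok and t < cutoff:
            known_hosts[user].add(host)
        elif ok:
            sessions.append((t, user, host))
    alerts = []
    for when, user, cust, country, amount in sorted(payments):
        t = datetime.fromisoformat(when)
        if t < cutoff:  # baseline period: learn the customer's usual payment corridors
            known_countries[cust].add(country)
            continue
        checks = [("new-beneficiary-country", country not in known_countries[cust]),
                  ("high-value", amount >= HIGH_VALUE_GBP)]
        # Tie the payment to the user's latest login inside the window, if there is one.
        recent = [s for s in sessions if s[1] == user and timedelta(0) <= t - s[0] <= SESSION_WINDOW]
        if recent:
            start, _, host = max(recent)
            checks += [("off-hours-session", start.hour not in BUSINESS_HOURS),
                       ("new-workstation-session", host not in known_hosts[user])]
        reasons = [label for label, hit in checks if hit]
        if reasons: alerts.append((when, user, reasons))
    return alerts
```

Running `suspicious_payments(LOGINS, PAYMENTS, "2024-03-06T00:00:00")` flags both late-night transfers with all four reasons, while the baseline-day payment produces nothing.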

APT Groups using this vulnerability

The attack shares similarities with other heists linked to North Korean APT groups, which are notorious for targeting financial institutions to fund state activities. Although not directly linked to this incident, the Hunters Ransomware Group has been active in targeting financial institutions, as evidenced by the ICBC London breach.

Affected Product Versions

The attack primarily affected systems connected to the SWIFT network, particularly those using the Alliance Access client software. It is crucial for institutions using this software to review their security measures and ensure they are up to date with the latest patches and configurations.

Workaround and Mitigation

To mitigate such threats, financial institutions should enhance physical security by implementing strict access controls and surveillance to prevent unauthorized entry into sensitive areas. Network security measures, such as deploying network segmentation and intrusion detection systems, are essential to identify and mitigate unauthorized activities. Adhering to SWIFT's recommended security measures, including layered authentication and regular audits of SWIFT-connected systems, is also critical.


Rescana is here for you

At Rescana, we are committed to helping our customers enhance their cybersecurity posture through our Continuous Threat and Exposure Management (CTEM) platform. We provide comprehensive solutions to identify vulnerabilities, assess risks, and implement effective security measures. Should you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com.
