The SWIFT messaging network is used by banks to transmit instructions for money transfers around the world.
But hackers utilized the network to steal $81 million from Bangladesh's central bank in February. Now, SWIFT (an acronym for Society of Worldwide Interbank Financial Telecommunication) says a second bank was attacked.
Forensic experts said the latest security breach is evidence that they're facing "a wider and highly adaptive campaign targeting banks," according to a statement from SWIFT.
In a new report, the U.K.-based defense contractor BAE Systems said the code used in this recent attack — which they say hit a Vietnamese bank — bears strong links to the code used in a series of attacks including the Sony Pictures Entertainment breach in late 2014. BAE concluded it is likely the same coder behind the latest attack and "a wider known campaign stretching back almost a decade."
BAE Systems added:
"Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone. However, this adds a significant lead to the investigation."
The SWIFT messaging system is described by Reuters as the "linchpin of the global financial system." According to the Financial Times, it processes 25 million messages daily "for billions of dollars' worth of transfers" worldwide.
Brussels-based SWIFT did not identify the latest target. In a statement, SWIFT said the attack bears similarities to the Bangladesh heist:
"In both instances, the attackers have exploited vulnerabilities in banks funds' transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims' ability to recognise the fraud."
It added that the hackers showed "a deep and sophisticated knowledge of specific operational controls within the targeted banks" — which may have been "gained from malicious insiders or cyber attacks, or a combination of both."
As The New York Times reported, banks routinely face cyberattacks by thieves. However:
"[T]hese attacks involving Swift stand out, because millions of dollars were stolen — not from a large number of customers, but from the banks themselves. It is as if the thieves used their hacking skills to reach inside a bank vault.
"Emboldened and enriched, the thieves are likely to strike again, security experts predict."
According to the statement from SWIFT, the attackers deployed malware to target a PDF reader that customers use to check their bank statements. The apparent purpose of the malware was to hide evidence of the hackers' presence. It did not specify how much money, if any, was taken. It only impacted the targeted institution, and not the SWIFT network generally, the statement added.
During the February attack, the hackers stole $81 million from the Bangladesh Central Bank account at the New York Federal Reserve. NPR's Jim Zarroli reported that the attackers "then transferred the money to an account in the Philippines" and that "part of that transfer was blocked by the Fed but not all."
Months later, the Bangladesh Bank network remains insecure with three hacking groups maintaining a presence in the bank's network, Reuters reported.