If three makes a trend, then it’s official: The global banking system is under attack.
The methods used by hackers to attack banks in Vietnam and Bangladesh appear to have been deployed over a year ago in a heist in Ecuador.
The January 2015 attack on Banco del Austro is described in a lawsuit filed by the bank in a New York federal court. It ended with thieves transferring $12 million to accounts in Hong Kong, Dubai, New York and Los Angeles, according to court documents.
The existence of the lawsuit was first reported Friday by the Wall Street Journal, just one week after global banking communications network SWIFT instructed clients to secure their local computer networks.
SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, warned customers that two previous attacks against banks in Bangladesh and Vietnam appeared to be “part of a wider and highly adaptive campaign.”
The hacks targeting banks in Asia follow the pattern described by Banco del Austro:
Attackers used malware to circumvent a bank’s local security systems.
They gained access to the SWIFT messaging network.
Fraudulent messages were sent via SWIFT to initiate cash transfers from accounts at larger banks.
The attacks underscore the vulnerability of smaller banks that can’t afford cutting-edge defenses. If hackers are able to break into a weaker bank, they can fabricate transfer requests in order to pull money out of a bigger bank.
“Unfortunately, this risk with SWIFT is nothing new, as technology has evolved, and hackers have gotten more sophisticated,” lawyers for Banco del Austro said in a March 31 court filing.
A SWIFT spokeswoman said Friday that the network had not been made aware of the Banco del Austro incident.
“We need to be informed by customers of such frauds if they relate to our products and services, so that we can inform and support the wider community,” Natasha de Teran said. “We have been in touch with the bank concerned to get more information, and are reminding customers of their obligations to share such information with us.”
SWIFT said last week that its network and core messaging services have not been compromised by the attacks.
In the case of Bangladesh Bank, hackers used the tactic to transfer money out of its accounts at the New York Fed. Investigators have yet to publicly identify any suspects in the case.
Banco del Austro’s funds were being held in accounts at Wells Fargo. The lawsuit filed by the Ecuadorian bank accuses Wells Fargo of failing to recognize and stop the fraudulent transfers.
Wells Fargo rejected those claims.
“Wells Fargo properly processed the wire instructions received via authenticated SWIFT messages and Wells Fargo’s computer systems were not compromised in any way,” a spokeswoman said.
“Wells Fargo is not responsible for the losses suffered by Banco del Austro and intends to vigorously defend the lawsuit.”
— Jose Pagliery contributed reporting.