The head of the network that connects the world’s banks has issued a warning: Hackers will strike again, and they could bring down a bank.
The message from SWIFT CEO Gottfried Leibbrandt follows cyberattacks on banks in Bangladesh, Vietnam and Ecuador in which similar methods were used to circumvent local security systems.
The attack on Bangladesh’s central bank yielded $101 million, while Ecuadorian bank Banco del Austro was hit for $12 million.
Leibbrandt suggested in a speech on Tuesday that other attacks may have gone unreported.
“The Bangladesh fraud is not an isolated incident: we are aware of at least two, but possibly more, other cases where fraudsters used the same modus operandi, albeit without the spectacular amounts,” he said.
SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, has already warned customers that the attacks appear to be “part of a wider and highly adaptive campaign.”
In each case, the criminals followed the same basic pattern:
Attackers used malware to circumvent a bank’s local security systems.
They gained access to the SWIFT messaging network.
Fraudulent messages were sent via SWIFT to initiate cash transfers from accounts at larger banks.
Leibbrandt said the method is much more serious than a typical data breach or theft of customer information. Instead, the loss of control over payment channels could bring down a bank.
“In the recent cases, thieves were able to move just some of those banks’ overseas assets,” he said. “As a result, for the banks concerned, the events haven’t been existential. The point is that they could have been.”
The attacks underscore the vulnerability of smaller banks that can’t afford cutting-edge defenses. If hackers are able to break into a weaker bank, they can fabricate transfer requests in order to pull money out of a bigger bank.
In the case of Bangladesh Bank, hackers used the tactic to transfer money out of its accounts at the New York Fed. Investigators have yet to publicly identify any suspects in the case. Banco del Austro’s funds were being held in accounts at Wells Fargo.
SWIFT is taking additional measures to secure client banks, including sharing more information, supporting security audits and introducing tougher requirements for local bank computer networks, Leibbrandt said.
SWIFT’s network and core messaging services have not been compromised by the attacks, he added.
Leibbrandt said the attack on Bangladesh Bank was a “watershed” moment that means the industry must “work even harder at our collective defensive efforts.”
“The financial industry, as a community, has to be clear that cyber risk is big; there will be more cyber attacks. And inevitably some will be successful,” he said.