Investigators are examining possible computer breaches at as many as 12 banks linked to Swift’s global payments network that have irregularities similar to those in the theft of $81 million from the Bangladesh central bank, according to a person familiar with the probe.
FireEye, the security firm hired by the Bangladesh bank, has been contacted by the other banks, most of which are in Southeast Asia, because of signs that hackers may have breached their networks, the person said. They include banks in the Philippines and New Zealand but not in Western Europe or the United States. There is no indication of whether money was taken.
The expansion of the investigation four months after the discovery of the Bangladesh attack, the biggest known cyber-heist in history, suggests a broad and serious campaign to breach the international financial system.
FireEye declined to comment on the report.
“The emergence of new possible instances of compromise is not entirely surprising given that banks should now be undertaking rigorous reviews of their environments,” Swift said in a written statement. “Many may turn out to be false positives and or have nothing to do with Swift messages, but it is key that these reviews take place and banks’ environments are secured.”
The Brussels-based interbank cooperative, whose full name is the Society for Worldwide Interbank Financial Telecommunication, has warned that there may have been more breaches than the three already publicly identified, including those in Vietnam and Ecuador.
Exclusive insights on technology around the world.
Get Fully Charged, from Bloomberg Technology.
Swift has come under increasing pressure from its bank customers to ratchet up its security measures in order to prevent future cyber robberies. Swift has relied on the trust within its network -- if you receive a Swift message, you can be sure it is legitimate and move the money as instructed immediately -- to cement its effective dominance of the international payments system over the past four decades. If that trust erodes, it calls into doubt the foundation upon which the cooperative is built.
Symantec, the Mountain View-based security company, said Thursday that it had independent evidence that a Philippine bank was attacked by the same group of hackers involved in the Bangladesh breach. The company said it reached that conclusion after examining hacking tools used in the two attacks.
Similar to research released this month by defense contractor BAE Systems, Symantec said in its blog post that the tools suggest a link between those attacks and the breach of Sony Pictures’ network in 2014, which U.S. officials blame on North Korea.
Experts say the shared code doesn’t necessarily mean the financial sector attacks were ordered by the North Korean government, which is a much harder link to establish. A FireEye report on the Bangladesh attack provided earlier this month to bank officials didn’t attribute the heist to North Korea, according to a person familiar with that document.
Hackers may have targeted even more banks, Swift’s CEO, Gottfried Leibbrandt, said this week in a speech outlining plans to improve network and client defenses. He didn’t provide any details about which banks may have been targeted or whether their defenses had been breached.
“This is a big deal, and it gets to the heart of banking,” he said in the speech, adding: “Banks that are compromised like this can be put out of business.”
In the Bangladesh case, the Federal Reserve Bank of New York was tricked by fake Swift messages into wiring money it held for the impoverished country to hacker-controlled accounts in the Philippines. The Fed’s systems halted an additional $850 million the attackers tried to have transferred.
Hackers also stole $12 million from an Ecuadorean bank in January 2015, according to documents filed a lawsuit by Banco del Austro against Wells Fargo, its U.S. correspondent bank. They also tried to move about $1.2 million in an attack late last year on a Vietnamese lender that was foiled, the lender told its regulators.
While Swift has for decades made sure its own network was secured, less attention was paid to the security surrounding how member banks -- each with their own codes and levels of technology sophistication -- were connecting.
Banks in the U.K. and the U.S. are now pushing for discussions with Swift about how it should help member banks better secure their systems, according to people familiar with the separate talks.
BITS, the section of the Financial Services Roundtable aimed at combating cyber fraud and other technological issues, could be selected to broker those discussions in the U.S., one person said. In the U.K., banks are privately lobbying the Bank of England and possibly the British Bankers’ Association to press Swift into adopting new security measures, another person said.
Swift, which connects 11,000 financial institutions that send about 25 million messages a day, will try to increase information sharing among clients, raise security requirements for the software clients use and help clients conduct security audits, Leibbrandt said in his speech. Swift will also introduce certification requirements for vendors that help some banks connect to the network, and it may help banks use pattern recognition to identify suspicious behavior, he said.