Second group of hackers found also targeting SWIFT users

Symantec guesses that hackers have hit about 100 organizations

A second hacking group is also trying to rob banks by exploiting the SWIFT money transfer system, following a US$81 million heist in February that used a similar approach.

The cyberattacks have been going on since January and have been targeting companies in the U.S., Hong Kong, Australia, and other countries, according to a Tuesday report from security firm Symantec.

A "rough guess" is that about 100 organizations have been hit so far, based on the 74 individual computer infections detected, the security firm added.

As part of their attacks, the hackers used malware to cover up records of fraudulent transactions made over SWIFT, preventing their victims from learning about the money theft.

Symantec said this approach bears a resemblance to the February heist at a Bangladesh bank that also involved hackers hiding evidence of their attack by tampering with the SWIFT system.

Some security experts have blamed the Bangladesh heist on the Lazarus Group, which has been linked to the North Korean government and the infamous 2014 hack of Sony pictures. However, Symantec said the malware used in these newly uncovered attacks probably belong to a separate cybercriminal gang known as Carbanak, which is believed to have stolen over $1 billion from dozens of countries by facilitating large wire transfers.  

"This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns," Symantec said. This includes the use of IP addresses found in previous Carbanak-related attacks.

To target their victims, the hackers distributed Microsoft Word documents and RAR archives -- likely through email phishing -- that can secretly install a Trojan onto a target computer. That Trojan can then load other hacking tools built to recover passwords and execute programs.

The hackers were targeting financial organizations in the banking, securities, trading, and payroll sectors, but they also attacked a small number groups related to the government, healthcare, and legal industries. 

"Although difficult to perform, these kinds of attacks on banks can be highly lucrative," Symantec said. "Estimates of total losses to Carbanak-linked attacks range from tens of millions to hundreds of millions of dollars."

On Tuesday, SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, said it's aware of the details in Symantec's report. In August, it warned customers about ongoing attacks and has been publishing details on how to prevent them.  

Join the CSO newsletter!

Error: Please check your email address.

More about MicrosoftSonySymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Michael Kan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place