Cyberattack Hits State Bank of Mauritius' India Operations
Some Observers Suspect Fraudulent SWIFT Transactions Involved
The East African institution State Bank of Mauritius says its India operations may have lost $14 million as a result of a cyberattack Tuesday. Although the bank did not confirm the exact nature of the attack, some security experts suspect it involved fraudulent transactions via the SWIFT global money-transfer network.
A gang of North Korean government hackers, known as APT38, has been waging a sophisticated hacking campaign against banks in Asia and Africa, resulting in the theft of more than $100 million via fraudulent transfers through SWIFT, according to U.S. cybersecurity firm FireEye (see: North Korean Hackers Tied to $100 Million in SWIFT Fraud).
Brussels-based SWIFT is a global, member-owned cooperative that provides secure financial messaging services used by more than 11,000 financial institutions in more than 200 countries and territories around the world. In February 2016, $81 million was stolen from the central bank of Bangladesh's account at the New York Federal Reserve via fraudulent SWIFT messages.
State Bank of Mauritius says it's conducting a comprehensive investigation.
"An internal inquiry has been initiated, and the matter reported to the relevant authorities for investigation," the bank said in a statement. "In addition, the Indian operations are carrying out a full cybersecurity review and, in parallel, recovery efforts are being pursued and are expected to lead to a significantly reduced figure."
This could be the second SWIFT-related attack in India this year. Earlier this year, India's City Union Bank reported that it had blocked two of three fraudulent SWIFT transactions that potentially could have totaled nearly $2 million.
Prakash Kumar Ranjan, a security practitioner at a public sector bank in India, notes: "As a security practitioner I have limited control over the SWIFT infrastructure. The vulnerabilities can only be addressed properly when SWIFT highlights their security infrastructures to customers."
Some security practitioners speculate that the attackers might have taken advantage of security gaps at State Bank of Mauritius' India operations.
"This is especially true if unpatched or end-of-life switches or routers are used through which SWIFT messages' network traffic gets transmitted to the other end of the SWIFT network," says Rohan Vibhandik, a Pune-based cybersecurity researcher.
Hackers may have compromised the infrastructure used by the bank with the aim of obtaining the credentials of operators who are authorized to initiate and approve monetary transactions in the SWIFT network, Vibhandik says. "Then the attackers might have used the fake identities with associated bank account numbers spread globally to receive the fraudulent remittance on behalf of people whose credentials have been unlawfully obtained," he says.
Lack of Audit
Risks could be better mitigated if banks conducted more thorough audits, some security experts contend.
"Banks don't check the processes that span across multiple stakeholders," says Rajesh Dangi, chief technical officer at NxtGen Infinite Datacenter, a cloud service provider.
Dangi also says attackers can target insiders, such as through phishing campaigns aimed at grabbing credentials, to gain access to systems. "Attackers are easily able to social engineer and get access to a system and then leave behind a backdoor which can be accessed as per their convenience," he says.
Security experts advise banks hit with SWIFT-related fraud to change all credentials associated with the employees or the SWIFT accounts that were used to initiate the fake transactions.
"Pinpoint the entry point used by the attackers and use a reverse threat hunting approach to zero down on the attack vector. Then patch it up to harden the security," Dangi says.
Ranjan advises banks to:
- Strictly comply with SWIFT CSP [Customer Security Program];
- Monitor and restrict privileged user access to critical infrastructure;
- Conduct periodic vulnerability assessments of the critical infrastructure;
- Disable direct message creation in the SWIFT messaging platform.
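Two of the measures above, monitoring privileged access to the critical infrastructure and preventing direct message creation, can be turned into routine audit-log checks. The following script is an added example written for this article; it is not code from the article, from State Bank of Mauritius, or from SWIFT. The log format, the host name swift-gw-01, the user names, the "channel" field and the policy sets (authorised operators, the permitted jump host, the permitted creation channel) are all constructed assumptions standing in for a bank's own SIEM feed and CSP scoping. It also flags a message created and approved by the same user, an assumption that follows from the article's point that attackers seek the credentials of operators who can both initiate and approve transactions.

```python
"""
Added example (not from the article, the bank or SWIFT): review a
constructed audit log for privileged access to a critical host that
bypasses the jump host, for messages created through a channel other
than the back-office feed, and for a message approved by its creator.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample audit lines, format: ts|event|user|host|key=value;key=value
SAMPLE_LOG = """\
2018-10-02T09:01:12|login|ops_alice|swift-gw-01|src=jump-01
2018-10-02T09:03:40|msg_create|ops_alice|swift-gw-01|channel=backoffice;ref=TXN1001
2018-10-02T09:04:02|msg_approve|ops_bob|swift-gw-01|ref=TXN1001
2018-10-02T22:15:55|login|svc_backup|swift-gw-01|src=ws-227
2018-10-02T22:17:30|msg_create|svc_backup|swift-gw-01|channel=direct;ref=TXN1002
2018-10-02T22:18:01|msg_approve|svc_backup|swift-gw-01|ref=TXN1002
"""

# Assumed policy values (a real bank would take these from its CSP scoping).
CRITICAL_HOSTS = {"swift-gw-01"}               # in-scope SWIFT infrastructure
PRIVILEGED_USERS = {"ops_alice", "ops_bob"}    # operators allowed on those hosts
ALLOWED_SOURCES = {"jump-01"}                  # access only via the hardened jump host
ALLOWED_CHANNELS = {"backoffice"}              # direct creation in the GUI is disabled


@dataclass
class Finding:
    ts: str
    rule: str
    user: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Split one pipe-delimited audit line into a flat dict of fields."""
    ts, event, user, host, detail = line.strip().split("|", 4)
    extra = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return {"ts": ts, "event": event, "user": user, "host": host, **extra}


def review(lines: Iterable[str]) -> List[Finding]:
    """Run the three checks over the log and return every finding in order."""
    findings: List[Finding] = []
    creator_by_ref: Dict[str, str] = {}   # message reference -> user who created it
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)

        # Check 1: privileged access to critical infrastructure must be by an
        # authorised operator and must come through the jump host.
        if ev["event"] == "login" and ev["host"] in CRITICAL_HOSTS:
            problems = []
            if ev["user"] not in PRIVILEGED_USERS:
                problems.append("user is not an authorised operator")
            if ev.get("src") not in ALLOWED_SOURCES:
                problems.append(f"source {ev.get('src')} is not the jump host")
            if problems:
                findings.append(Finding(ev["ts"], "privileged_access",
                                        ev["user"], "; ".join(problems)))

        # Check 2: messages may only enter through the back-office feed, so any
        # other creation channel means direct message creation was possible.
        elif ev["event"] == "msg_create":
            creator_by_ref[ev["ref"]] = ev["user"]
            if ev.get("channel") not in ALLOWED_CHANNELS:
                findings.append(Finding(ev["ts"], "direct_message_creation",
                                        ev["user"],
                                        f"ref={ev['ref']} channel={ev.get('channel')}"))

        # Check 3 (assumed control): the approver must differ from the creator.
        elif ev["event"] == "msg_approve":
            if creator_by_ref.get(ev["ref"]) == ev["user"]:
                findings.append(Finding(ev["ts"], "self_approval", ev["user"],
                                        f"ref={ev['ref']} created and approved by same user"))
    return findings


def review_sample() -> List[Finding]:
    """Convenience entry point: review the constructed sample log."""
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.ts}  {f.rule:<25} {f.user:<12} {f.detail}")
```

On the constructed log the script reports three findings, all for the svc_backup account: a login to the gateway from a workstation rather than the jump host, a message created through the direct channel, and that same message approved by its creator. The design choice worth noting is that each check is keyed to an explicit allow-list (operators, sources, channels) rather than to signatures of known bad activity, which is what makes the "restrict" half of the advice enforceable as well as the "monitor" half.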