Finance / Cyber security experts spot second hacker group targeting Swift customers

Cyber security experts spot second hacker group targeting Swift customers

Another group of hackers is attacking Swift organisations, cyber security researchers at Symantec have warned.

The firm's experts detected the Odinaff malware, which is capable of deleting the financial messaging system's customer logs, on 20 companies' networks.

The variant has been used in attacks since January 2016, they said, often targeting financial organisations or computers running financial software applications.

The malware, which is often delivered via macros in a malicious Word document, provides a backdoor that enables the hackers to carry out more sophisticated attacks.

Once Odinaff is installed on a system, the cyber criminals are able to deploy other tools to explore their victims' networks and identify key computers.

"Symantec has found evidence that the Odinaff group has mounted attacks on Swift users, using malware to hide customers’ own records of Swift messages relating to fraudulent transactions," Symantec said in a blog post.

"The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local Swift software environment. We have no indication that Swift network was itself compromised."

To cover their tracks after an attack, the hackers were seen to wipe the infected hard drive’s master boost record, rendering it inaccessible without special tools.

Symantec said there were “no apparent links” between Odinaff’s attacks and the previous Swift-related malware attacks attributed to Lazarus.

However, it said they “share some links” to the Carbanak group, including three command and control IP addresses and the use of Backdoor.Batel.

“While it is possible that Odinaff is part of the wider organisation, the infrastructure crossover is atypical, meaning it could also be a similar or co-operating group,” it said.

The researchers said the discovery was another sign that cyber criminals are investing time to develop “a deep understanding” of banks’ internal financial systems.

“These attacks on Swift are like old-school bank robberies for a digital age,” said Kevin Bocek, chief cyber security strategist at Venafi, commenting on the discovery of the new campaign. “The hackers are taking money right from the bank’s safe.

“This is a shift from previous attacks that have been more focused on stealing from banking customers. After the success of the first Swift hack, it’s unsurprising to see the headlines doing the rounds again and I’d be shocked if this is the last we see of it.”

For more on Odinaff, see the Symantec blog.



Get our latest features in your inbox

Join our community of business leaders