The document discusses the significance of swift cyber attacks, highlighting a major heist against Bangladesh Bank in February 2016, where attackers managed to siphon $81 million by compromising swift systems. It emphasizes the inadequacy of point measures in defending against such complex attacks and outlines immediate and long-term security measures that banks need to adopt to enhance cyber resilience. The need for understanding attack vectors and having a robust security strategy is stressed, particularly in the face of sophisticated and organized adversaries in the banking domain.

1. When thieves strike
Executive briefing on the
significance of SWIFT attacks
and countermeasures
Executive briefing.
September 2016

2. In February 2016, one of the largest online heists in history was reported by Bangladesh Bank. An
attempt had been made to siphon 951 million USD, with 81 million USD actually lost. The heist was
reported to have occurred by targeting SWIFT alliance systems. Subsequently, a number of banks across
the world have reportedly been targeted.
Attacks such as the one we saw on SWIFT systems are complex
and involve reconnaissance activity, development of custom code,
propagation to target and, finally, the actions. In the SWIFT attack,
we understand that the SWIFT alliance software was compromised
using a sophisticated malware,1
The biggest challenge with the SWIFT type of attacks is that most banks
are taking point measures to respond to these attacks. However, point
measures address only a specific attack vector while leaving multiple
lacunae unaddressed. Many banks have undertaken reviews of controls of
the SWIFT system, while some others are expecting certain anti-malware
technology to protect them from such attacks. Although these are good
measures, they are woefully inadequate. In order to develop suitable
countermeasures, one first needs to understand the subtleties of this
particular attack and what made it successful.
1
BAE Systems report: http://baesystemsai.blogspot.in/2016/04/two-bytes-to-951m.html
SWIFT is incidental!
Point measures are
inadequate to address
SWIFT type of attacks
in the long run.
Attackers have to cross
multiple levels of
security mechanisms for
a successful attack.

3. SWIFT systems make better attack vectors than other systems,
primarily due to their widespread use, well-known interface/message
formats and universal knowledge of fund transfer processes. This
knowledge makes the attack repeatable, and multiple banks can be
targeted using the same modus operandi. Repeatability of an attack
may be important when success rates are low. However, for a highly
targeted attack, such constraints may not apply. This basically implies
that every system within a bank which performs functions leading to
the transfer of funds or change accounting entries is a target.
However, looking at the broad spectrum of systems
in a bank which are similarly vulnerable, this
attack vector is not only incidental but also the last
leg in possibly a series of compromises. What we
need to realise about such attacks is that attackers
had to cross multiple levels of security mechanisms
to reach a system such as SWIFT. This means that
every weak link—whether a compromised laptop,
a third party, network, perimeter breach, failed
access control, or lost mobile computing device—is
an important stepping stone for the attacker.
We now know that quite detailed information
was available with the attackers in the case of the
Bangladesh Bank attack, including information
regarding interfaces, arrangements with NY Fed
Bank, and even printer make/model information.
Barring insider involvement, this is possible
only when previous breaches have led to data
exfiltration. Sometimes data as innocuous as the
printer make and model can make a difference to
the success of the attack.2
2
As per the BAE report, the SWIFT malware used information on
the specific printer model to prevent confirmation notifications from
SWIFT being printed and hence avoid detection by the bank’s team.
Sometimes data as
innocuous as the printer
make and model can
make a difference to the
success of the attack.

4. We believe there is no reason why such attacks will subside over time. If at all, it is a wake-up call to most
financial institutions on the types of threats which they need to be cognisant of. While we recommend
certain immediate steps which all banks need to take, it is the long-term solutions which can make
a difference to the cyber resilience of a bank. A few of the key aspects which banks need to address
immediately include:
Immediate measures:
1. Perform malware analysis of persistent and volatile memory of important systems to detect any malware.
2. Monitor memory, processes and command execution on critical systems. Whitelist known processes and flag off any
suspicious processes.
3. Review all controls pertinent to financial systems including, segregation, access and patch management.
Looking at comprehensive measures
Mid-term to long-term measures:
1. Strengthen the basic controls around network security, access management, data leakage,
etc. It will be prudent for most institutions to take a very conservative approach to data
sharing.
2. Create a capability to carry out real-time monitoring and analytics at the end point,
especially focusing on process creation, with command line arguments and executable
hash.
3. Start taking cognisance of the smaller breaches, malware infections, data exfiltration
and other attacks which the bank faces on a regular basis. Develop the security operation
centre’s ability to correlate this vast amount of information and distil intelligence through
pertinent use cases.
4. Enhance network monitoring controls, either through flow monitoring or full traffic
inspection. It is worthwhile to use market available threat feeds to detect C2 connections.
However, importantly, the bank will need to write its own use cases, or perform analysis to
detect targeted malware C2 connections.
5 Develop capabilities to detect and analyse unknown malware. Develop threat intelligence
in house. Develop capabilities to hunt malware.
6. Use baiting software such as PwC Flytrap to detect lateral movement of malware within
the systems.

5. The nature of the adversary has changed: He is now an expert in business and technology. The use of sophisticated attacks and
complex tools suggests a very well-funded and organised group with knowledge of the banking domain. The expertise exhibited in
erasing the money trail suggests prior experience in large-scale money laundering.
The adversary is patient, focused and willing to develop complex attacks. It is not possible to defeat such an adversary through
strategic moves and tactical measures. The primary tool of a security professional should be a threat model and security strategy which
describes the attack vectors and the preventive, detective and response mechanisms.
Finally, it is essential that banks address security both from a technical and business point of view. The security of business
processes, their confidentiality, third-party risks, access, etc., need to be balanced against a need for market agility and convenience.
Security is as strong as the weakest link.
Conclusions
It is not possible to
defeat an adversary
making strategic
moves with tactical
measures.

6. Data Classification: DC0
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information
contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the
information contained in this publication, and, to the extent permitted by law, PwC, its members, employees and agents accept no liability, and disclaim all responsibility, for the
consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
This publication contains certain examples extracted from third party documentation and so being out of context from the original third party documents; readers should bear
this in mind when reading the publication. The copyright in such third party material remains owned by the third parties concerned, and PwC expresses its appreciation to
these companies for having allowed it to include their information in this publication. For a more comprehensive view on each company’s communication, please read the entire
document from which the extracts have been taken. Please note that the inclusion of a company in this publication does not imply any endorsement of that company by PwC nor
any verification of the accuracy of the information contained in any of the examples.
© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in
India), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
ME/September2016-7440
Sivarama Krishnan
Leader, Cyber Security
+91 9650788787
sivarama.krishnan@in.pwc.com
Sangram Gayal
Director
+91 9819197716
sangram.gayal@in.pwc.com
For more information, contact: