BANCO DE CHILE, VIRUS TO DISTRACT AND THEN STEAL 10 MILLION DOLLARS IN THE SWIFT NETWORK, MAY 24th

Banco de Chile (#BancodeChile) suffered a virus outbreak on May 24th that affected more than 9,000 PCs, keeping bank staff busy resolving it while, in parallel, approximately US$10 million was stolen over the internal SWIFT network. It is one of the largest incidents recorded in our region. I recommend studying the case and replicating the Bank's measures, such as the activation of its contingency plan, as well as the legal improvements now being made by the government and the other measures taken by the Superintendency of Banks. #cybersecurity


The information indicated that while the Bank worked to recover more than 9,000 PCs and over 500 servers that could not restart their operating system (see the screenshot of a PC below), because the hard drive had been damaged by a variant of #killdisk or #killMBR type malware, the cybercriminals were in parallel making transfers over the SWIFT network, taking advantage of a zero-day vulnerability.

Personal conclusions from an external perspective, based on unofficial sources:

  1. It was a targeted attack on the Bank, with malware aimed at the SWIFT network taking advantage of a zero-day vulnerability; bear in mind that the SWIFT infrastructure is old and, if everything works well, it is usually not updated to the latest versions, or there is no patch management process in place.
  2. As a distraction, the Bank had to resolve the failure of more than 9,000 PCs and servers to restart, a completely separate, independent event caused by a variant of the killMBR or Killdisk malware.
  3. After the incident, it is necessary to find out how it occurred, that is, to perform a forensic analysis. All the devices involved (servers, databases, AS/400, firewalls, IPS/IDS) must have active logs covering the days and hours prior to the moment the incident occurred, with the date and time set correctly.
  4. Possibilities for the intrusion; from the outside I consider several: Option 1: hacking from the Internet into the web server and then pivoting to the SWIFT system. Option 2: sending a legitimate-looking email with a PDF/Word attachment (carrying sophisticated malware aimed at the SWIFT network), using social engineering beforehand to learn employee accounts. Option 3: complicity of internal employees. Option 4: none of the above; to be investigated.
  5. During the incident, in its communications to customers the Bank indicated that it had activated its contingency plan; this was perhaps the basis that allowed the Bank to keep working in the face of an unknown attack and to run tests until the root cause was identified.
  6. The Bank needed to handle the crisis with a previously defined communication plan for reaching its customers through its different channels: branches, the bank's website, social networks, IVR, mobile app, suppliers, government, etc.

This was exactly what the attackers were looking for, because the virus was only a distraction to steal money from Banco de Chile itself, not from its clients. The final balance? The cyber attackers managed to steal about US$10 million from the entity, which is linked to the Luksic Group and Citibank and which filed a criminal complaint in Hong Kong.

What is the malware called?

The SWAPQ malware, “which is a zero-day virus, that is, one that has not attacked anywhere before. While the type of virus was known, it was a mutated virus.”

Hacking the SWIFT banking system:

The following graph shows that this type of incident has occurred at other banks, using SWIFT messages originating from banks in different countries and transferred to common destinations between 2013 and 2016; among them is a bank in Ecuador from January 2015.


To identify which network was compromised, it would be useful to have a general diagram of a bank's network and to understand that it is a complex network to manage, since it comprises many different systems.

An example of exchanging SWIFT messages to transfer money between banks:


During the Incident, on social networks:

The first tweets on Thursday the 24th showed PCs failing during operating system start-up; there was talk of more than 9,000 PCs:


From social networks, the message that was to be communicated to customers was leaked:


At 11:30 local time, the official account told customers to use the website and the mobile application:


On the same May 24, fake emails were sent to customers asking them to verify their information and providing a false link, https://www.BancodeChile.cl, at the bottom of the email.
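The fake email described above displayed a legitimate-looking address while the actual link target pointed elsewhere. As an added illustration that is not part of the original post, the following Python parses the anchors in an HTML email body and flags links whose visible text names the bank's host but whose href resolves to a different host; the email body and the look-alike domain are constructed samples, not the real message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing email body (not the real message):
# the visible text shows the bank's real domain, the href points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Estimado cliente, verifique su informacion:</p>
<a href="https://www.bancodechile.cl/">Acceso al portal</a>
<a href="https://bancodechile-verificacion.example/login">https://www.BancodeChile.cl</a>
"""

TRUSTED_HOSTS = {"www.bancodechile.cl", "bancodechile.cl"}


def host_of(url):
    """Lowercase hostname of a URL (scheme optional), or None."""
    if "://" not in url:
        url = "//" + url.strip()
    try:
        return urlparse(url).hostname
    except ValueError:  # malformed netloc such as an unbalanced bracket
        return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return hrefs whose visible text names a trusted host but whose
    real target is a different host (the look-alike link pattern)."""
    collector = LinkCollector()
    collector.feed(html)
    return [href for href, text in collector.links
            if host_of(text) in TRUSTED_HOSTS and host_of(href) != host_of(text)]
```

Run against a mail gateway's captured HTML bodies, the flagged hrefs are candidates for blocking or user warning; a link whose text is plain wording rather than an address is not flagged by this check.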


On the day of the incident, the Bank issued an official statement indicating that a fault affecting branches and telephone banking had been detected, and that it had activated its contingency protocol, designed to maintain continuity of services:


The problems continued one day later:


Finally, the incident started on May 24 and was resolved between May 27 and 28. The official communication by the Bank's CEO about the theft of 10 million dollars over the SWIFT network went to the press on June 9.

On May 25, the SBIF (Superintendency of Banks and Financial Institutions) asked the Bank for a report quantifying the magnitude of the problem recorded on the 24th.


The final conclusion is that cybercriminals increasingly deploy new malware that takes advantage of zero-day vulnerabilities, with a high level of prior knowledge of a bank's network, to achieve their goal.

Therefore, our challenge is to investigate these new forms of attack that affect the critical services of our companies: monitoring, alerting on the main vulnerabilities, and applying controls that help to mitigate them.

This work requires specialized technical personnel with knowledge of malware and forensics, backed by processes and tools, who exchange experiences with other countries, for example between CSIRTs (Security Incident Response Centers).

Written by

Blog on cybersecurity, hacking, protection recommendations and best practices for companies.
