SWIFT has issued its first-ever information security guidance to banks, telling them to get their act together.
The guidance was issued as finger-pointing has intensified over who's responsible for the failures that led to the theft of $81 million from the Bangladesh central bank's New York Federal Reserve account in February.
Bangladeshi police have publicly blamed Brussels-based SWIFT, a bank-owned cooperative founded in 1973, for introducing vulnerabilities into its IT infrastructure that attackers later exploited. But SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, says in a statement that those are "baseless allegations" and that the bank is responsible for the security of all systems that interface with its network, "starting with basic password protection practices."
As part of the audacious online heist - one of the largest in history - hackers attempted to transfer $1 billion out of Bangladesh Bank's account at the Federal Reserve Bank of New York and successfully transferred about $100 million. Most of that money was then laundered via casinos in the Philippines and disappeared, investigators say, although about $20 million has since been recovered.
In the wake of the theft, SWIFT acknowledged that Bangladesh Bank wasn't the first user to be targeted with malware that was designed to subvert the cooperative's messaging platform (see SWIFT Confirms Repeat Hack Attacks).
And for the first time in the cooperative's history, earlier this month SWIFT issued information security guidance to all of its users, urging them to review their security policies and procedures, Reuters reports. "SWIFT is not, and cannot, be responsible for your decision to select, implement (and maintain) firewalls, nor the proper segregation of your internal networks," according to a copy of the letter, dated May 3, and shared by a bank with Reuters for review on May 10.
"As a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environments," the letter says. "We urge you to take all precautions."
SWIFT confirmed the authenticity of that report but declined to share a copy of the letter.
Greater Cooperation Pledged
Bangladesh officials had previously stated that they believe that the New York Fed and SWIFT share at least some responsibility of the February attacks. Of 35 transfer orders created by the hackers and submitted to the New York Fed, the Fed stopped most for being suspicious, but did let five through.
But on May 10, representatives from SWIFT met with the Bangladesh Bank, including its governor, and the New York Fed, including its president, to discuss the February attack, and they agreed to work more closely together. "The parties also agreed to pursue jointly certain common goals: to recover the entire proceeds of the fraud and bring the perpetrators to justice, and protect the global financial system from these types of attacks," the three parties said in a jointly issued statement.
FBI investigators now suspect that at least one bank employee acted as an accomplice, Bangladesh Bank officials say they have received no related intelligence from the bureau.
Meanwhile, an investigation by digital forensic investigation firm FireEye, which was hired by the bank to investigate the breach, found evidence that three different hacking groups had penetrated the bank's system, Bloomberg reports. Two of those groups have suspected ties to nation states - one to North Korea, the other to Pakistan - but FireEye said it suspects that a third, as yet unidentified group of hackers committed the heist.
FireEye didn't immediately respond to a request for comment about that report.