First, Attackers Distracted Bank, Using Buhtrap Malware to Cause Mayhem
A common hacker tactic is to deploy destructive malware to distract defenders from a separate, full-on attack that targets an organization's crown jewels. Call it the electronic version of a smash-and-grab attack, but without breaking windows.
This "smokescreen" style of attack was most recently used against Banco de Chile, the country's second largest bank, which on May 24 lost about $10 million due to fraudulent SWIFT wire transfers. The theft happened while the bank was dealing with hundreds of workstations and servers that suddenly stopped working.
The Banco de Chile attack follows an uptick in attacks against banks in Latin America. Last month, five banks in Mexico saw attacks against the Interbank Electronic Payments, known as SPEI, which is used for domestic interbank transfers (see Mexico Investigates Suspected Cyberattacks Against 5 Banks).
Researchers with business risk intelligence firm Flashpoint say they've analyzed the malware used for the distraction portion of the attack against Banco de Chile. It's MBR Killer, a component of Buhtrap, a malware program that first struck Russian banks in 2015.
Buhtrap is a portmanteau of the Russian word "buhfalter" that means accountant, and trap, according to the anti-virus firm ESET.
MBR Killer tampers with the master boot record, the first sector of a hard drive that the computer calls on before loading the operating system. The component renders the local operating system and MBR unreadable, Flashpoint says.
Flashpoint says the attacks in Mexico and Chile don't appear to be connected. And there are no reliable clues for attribution, either. The source code for Buhtrap leaked in early 2016, Group-IB wrote in a March 2016 report on the group and malware. That means any group could be using it now to cause havoc.
On June 6, Trend Micro published a post describing essentially the same malware, saying it affected a bank in Latin America in May. But it did not identify the victim as Banco de Chile.
Bricked Workstations, Servers
Banco de Chile said in a May 28 statement that a virus struck the banks' workstations, affecting cashiers and hampering branch services and phone banking. The workstations were then disconnected, which affected operations, but was needed to stop the malware from spreading further.
Ahora Noticias, an arm of the Chilean television broadcaster Mega, reported Saturday that a Banco de Chile official says that attack cost the bank $10 million.
The bank did not release that figure in its statement. But it said that the defensive steps it took as the attack unfolded protected client funds and transaction records.
Banco de Chile General Manager Eduaro Ebensperger Orrego told the publication Latercera that it was eventually determined the initial attacks were likely a distraction. The real target was the bank's SWIFT system, which relays messages to coordinate international wire transfers.
"We found some strange transactions in the SWIFT system," Ebensperger tells Latercera. "There we realized that the virus was not necessarily the underlying issue."
The bank was able to stop some of the fraudulent transactions, Ebensperger says. Banco de Chile has also made a complaint in Hong Kong, where some of the funds were sent, he tells Latercera.
The bank widely uses Microsoft Windows. Microsoft and Dreamland, a Swiss consultancy, were called in to perform forensic analyses, Latercera reported.
Chile has been seeking to improve its security stance in the banking sector.
The financial regulator, La Superintendencia de Bancos e Instituciones Financieras de Chile, or SBIF, gave a presentation before Chile's Senate Economy Committee on June 6 that addressed the Banco de Chile attack.
Superintendent Marco Farren told lawmakers that Banco de Chile incident demonstrates an opportunity for cybersecurity improvements. In January, the SBIF issued a cybersecurity standard that enforces the view of the finance system as critical infrastructure.
The SBIF's medium-term goals are on-site evaluation of banks and their risk approaches. The regulator also plans to create institutional framework for managing risk.
SWIFT: Attractive Target
SWIFT, short for The Society for Worldwide Interbank Financial Telecommunication, is a Brussel-based cooperative. Some 11,000 banks worldwide use the group's messaging system, making it an attractive, widespread target.
Attackers haven't exploited specific vulnerabilities in SWIFT systems, but rather sought to exploit weak controls at banks, compromising key accounts for bank officials in order to create fraudulent transfers.
In early 2016, attackers tried to transfer $951 million out of the New York Federal Reserve account of Bangladesh Bank. Simple mistakes prevented the full amount from transferring, but $81 million was stolen. A portion was later recovered, and North Korea has been blamed for theft (see Bangladesh Bank Ends FireEye Investigation Into Heist).
Since that breathtaking attack, banks around the world have seen attempts to undermine their SWIFT infrastructures. To its credit, SWIFT has sought to raise awareness and improve security, tripling its security team and launching a 24/7 operations center.