Illusive Blog December 22, 2017

Urgent Actions to Prevent Fraud After SWIFT Cyber Attacks

By Matan Kubovsky

As 2017 comes to a close, the string of recent attacks on SWIFT and other financial messaging systems are emerging as one of the main threat trends. News has just surfaced of another such attack – this time impacting Globex Bank in Russia, which took place on December 15th. Attackers apparently attempted to steal almost $1M by manipulating international transfer requests through the systems within the bank that connect to the SWIFT messaging service. 

SWIFT’s own systems did not seem to be affected. A group called Cobalt appears to be responsible. Earlier this month, similar attacks by a group called MoneyTaker came to light, impacting various Russian and US banks.

How effective were the bank’s security controls?

According to the Russian news source, Kommersant, the bank had recently passed an audit by a certified reviewer. We do not know whether any audit findings were outstanding, but many documented cases show that being in good standing from a regulatory perspective does not guarantee protection from advanced persistent threats (APTs) or other cyberattacks.


While specifics are not known about this incident, GroupIB indicates that Cobalt has historically used common APT tactics and tools. Their campaigns typically begin with a spear-phishing email, which enables remote access tools to be installed on users’ machines within the bank. They use Mimikatz to extract valid user credentials from these machines, enabling them to move with relative ease from one system to another. Along the way, they establish a picture of which programs are in use on the various machines to ultimately identify systems that can connect to their targets—in this case, SWIFT services. They steadily make their way to their targets, and like most advanced attackers, carefully cover their tracks to avoid detection.

How long did it take to detect the attacker?

Illusive Networks specializes in detecting the lateral movements of an attacker from initial point of entry to his ultimate target. Again, we do not know the details of this case, but experience tells us that it takes an attacker anywhere from weeks or months to reach critical systems once they have infiltrated a network.

Four factors that strengthen advanced threat protection:

  1. Shore up vulnerability management processes. It is essential to know which systems are on the priority list, and to implement software updates for them as quickly as possible.
  2. Know the enemy. Antivirus and most other detection programs continuously search for previously identified “indicators” of threats, but the ability to identify zero-days or previously unknown threats requires being up-to-date on the tools and tactics used by hackers and cybercriminals.
  3. Be able to detect lateral movements. The fastest way to catch an elusive attacker is to have the ability to know when he (or she) is moving across the environment, which is the premise of endpoint-based deception technology. Deceptions should be continuously shaped to counteract the changing tools and methods of the attacker, which reduces the burden on security teams to “know the enemy.”
  4. Doublecheck your network segregation. In many cases, as attackers are discovering potential paths to “crown jewels”, they find actual connections between systems that bypass the network segregation policies the company thinks are in effect. Security teams need the means to continuously validate network segmentation.


The wave of attacks on financial messaging systems is an indicator of cyberthreats becoming more targeted—and particularly designed to exploit third-party information-sharing and communications systems. As the cyber risk posture of entities that make up the global economy becomes more interdependent, widespread attention to these four practices will improve advanced threat protection for each organization, and for the financial system as a whole.