Shifting cyber threat landscape revealed by SWIFT

A new report published by SWIFT has highlighted how the cyber threat landscape faced by treasury professionals is evolving.

The report on cyber attacks on banks, titled Three years on from Bangladesh: tackling the adversaries, found that:

• Four out of every five of all fraudulent transactions were issued to Beneficiary accounts in South East Asia
• Approximately 70 per cent of attempted thefts were USD-based – but usage of European currencies increased
• The value of each individual attempted fraudulent transaction decreased dramatically – from more than USD$10m to between USD$250,000 and USD$2m
• Extended reconnaissance periods: attackers continue to operate ‘silently’ for weeks or months after penetrating a target, learning behaviors and patterns before launching an attack.
• Timings are shifting: malicious actors previously favored issuing fraudulent payments outside business hours to avoid detection but have more recently turned this approach on its head, acting during business hours to blend in with legitimate traffic.
• New payment corridors: the vast majority of fraudulent transactions investigated over the past 15 months used payment corridors (combinations of target and beneficiary banks) that had not been used during the previous 24 months.

Positive efforts

On a positive note, SWIFT’s study found that the introduction of security-enhancing tools and an increase in the scope and quality of cyber threat intelligence sharing, are paying off.

Based on investigations conducted over the last 15 months, the report shows how closer industry collaboration resulted in the quick identification of financial institutions targeted by cyber criminals – in most cases, before attackers were even able to generate fraudulent messages. In particular, the exchange of relevant and timely cyber threat intelligence has proved critical in effectively detecting and preventing attacks.

Dries Watteyne, Head of Cyber Security Incident Response Team at SWIFT, said: “SWIFT’s threat intelligence sharing has highlighted the changes to cyber criminals’ tactics, techniques and procedures used in attempted attacks, enabling industry participants to understand and respond to the increasingly sophisticated nature of cyber threats.

“In this report, SWIFT reveals important information about the evolving payment profile to enable more accurate detection through business indicators. It is encouraging that detection rates of attempted attacks are increasing, but we need to be mindful that malicious actors adapt rapidly. The industry must continuously strengthen and diversify its defenses, investigate incidents and share information.”

Recommendations

As well as providing insight into the changing nature of the threat base, the report makes a number of recommendations to help finance teams protect themselves from the latest attacks. They include:

• Development of new defensive measures: the development and deployment of security-enhancing innovations will help thwart cyber thieves.
• Increase of information sharing: the more information the community shares and the frequency with which it shares, the better chance of avoiding or fending off an attack.
• Adherence to robust cyber security standards: ensuring strict adherence to strong standards and implementing controls is key to prevention and detection.
• Consumption of counterparty cyber security data: users should incorporate the assessment of counterparties’ attestation data against SWIFT’s Customer Security Controls Framework into their risk management and business decision-making processes.