Date:

Oct 2016

Location:

Bangladesh

Summary

A hacking group linked to Odinaff targeted financial institutions on the SWIFT network using methods similar to those seen in the Bangladesh Bank heist. Initial access came through phishing emails; once inside, the attackers used tools such as Mimikatz, PsExec and PowerShell to move through bank networks. They monitored SWIFT message logs on infected systems for specific transaction keywords and used a suppressor component to remove matching records from local systems, preventing the victim bank's staff from detecting or recovering them. This activity marked a shift from earlier attacks on banking customers to direct targeting of financial institutions, though whether funds were successfully extracted remained unclear. Symantec researchers identified the tools and tactics, highlighting the group's global focus on compromising payment systems.


Description

In October 2016, cybersecurity researchers at Symantec identified a hacking group targeting banks' SWIFT messaging infrastructure with methods resembling the Bangladesh Bank heist earlier that year. The attackers, linked to the Odinaff group, delivered malware via phishing emails to compromise financial institutions globally. Once inside bank networks, they used a suite of tools including Mimikatz for credential theft, PsExec for remote execution, Netscan for network reconnaissance, and variants of Ammyy Admin for remote access. PowerShell scripts automated malicious activity. The primary objective was to intercept SWIFT transaction messages by monitoring infected systems for specific keywords or account numbers. When a targeted transaction was detected, a specialised 'suppressor' component removed the related message records from local systems so that bank personnel could neither see nor recover them. The approach concealed fraudulent transfers by hiding the records that would otherwise have revealed them. The operational timeline indicated activity beginning earlier in 2016, though breach dates at individual institutions were not disclosed. Symantec's findings suggested coordinated targeting of multiple banks but did not confirm successful fund thefts.
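The following Python is an added illustration, not code from Symantec's report or from the malware itself. It models the keyword-driven suppression described above (records whose beneficiary field contains a watched account number are dropped from the local log) beside the check a bank can run to surface the gap: reconciling the local SWIFT-facing log against an out-of-band record of message references and digests. The MT103-style messages, field values and the watched account number are constructed for the example, and the record format is simplified.

```python
"""Model of keyword-based SWIFT message suppression and an independent
reconciliation check that reveals missing or altered records.
Illustrative only: message format and data are constructed, not real."""
import hashlib
import re

# Constructed sample: three MT103-style payment instructions. Block 4 carries
# :20: (transaction reference), :32A: (value date, currency, amount) and
# :59: (beneficiary account and name).
SAMPLE_LOG = [
    "{1:F01BANKXXXXAXXX0000000000}{4::20:TRX0001:32A:161003USD15000,:59:/12345678 ACME SUPPLIES-}",
    "{1:F01BANKXXXXAXXX0000000000}{4::20:TRX0002:32A:161003USD81000000,:59:/99887766 OFFSHORE HOLDINGS-}",
    "{1:F01BANKXXXXAXXX0000000000}{4::20:TRX0003:32A:161003EUR4200,:59:/55443322 LOCAL UTILITY-}",
]

BLOCK4_RE = re.compile(r"\{4:(.*?)-\}")      # text block, terminated by "-}"
TAG_RE = re.compile(r":(\w+):([^:]*)")      # ":TAG:value" pairs inside block 4


def parse_fields(msg):
    """Return {tag: value} for the fields in block 4 of one message."""
    block = BLOCK4_RE.search(msg)
    if not block:
        return {}
    return dict(TAG_RE.findall(block.group(1)))


def digest(msg):
    """SHA-256 of the raw message, used to detect in-place alteration."""
    return hashlib.sha256(msg.encode()).hexdigest()


def suppress(log, watch_terms):
    """Attacker's side: drop every record whose beneficiary field contains a
    watched term (an account number here). Returns (kept, removed)."""
    kept, removed = [], []
    for msg in log:
        beneficiary = parse_fields(msg).get("59", "")
        hit = any(term in beneficiary for term in watch_terms)
        (removed if hit else kept).append(msg)
    return kept, removed


def ledger_of(log):
    """Defender's side: reference -> digest, recorded at submission time on a
    system the SWIFT-facing host cannot write to (assumed to exist)."""
    return {parse_fields(msg)["20"]: digest(msg) for msg in log}


def reconcile(local_log, ledger):
    """Compare the local log with the out-of-band ledger. References present
    in the ledger but absent locally are 'missing'; references present with a
    different digest are 'altered'."""
    seen = {parse_fields(msg).get("20"): digest(msg) for msg in local_log}
    missing = sorted(ref for ref in ledger if ref not in seen)
    altered = sorted(ref for ref, d in ledger.items() if ref in seen and seen[ref] != d)
    return {"missing": missing, "altered": altered}


if __name__ == "__main__":
    ledger = ledger_of(SAMPLE_LOG)               # written before compromise
    local, gone = suppress(SAMPLE_LOG, ["99887766"])
    print(reconcile(local, ledger))              # {'missing': ['TRX0002'], 'altered': []}
```

The check only works if the ledger lives somewhere the attacker's foothold cannot reach; a copy kept on the same host as the SWIFT message logs would be suppressed alongside them.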


The incident marked a strategic shift in cybercriminal focus from retail banking customers to direct attacks on financial institutions' transaction systems. By replicating the Bangladesh Bank attack methodology, the group demonstrated persistent adaptation of advanced tools to manipulate financial messaging infrastructure. The use of suppressor malware specifically tailored to SWIFT message workflows indicated detailed knowledge of bank operational procedures. While the scale of compromised institutions was not quantified, the global targeting pattern aligned with Odinaff's broader campaign against financial entities. Security experts including Kevin Bocek of Venafi observed that such attacks reflected an escalating trend toward systemic financial system exploitation rather than isolated fraud attempts. The absence of confirmed monetary losses in public reporting left the operational impact uncertain, though the technical capability to suppress transaction records created inherent risks of undetected fund diversion. Financial industry analysts emphasized the growing sophistication of tools repurposed from earlier attacks, highlighting ongoing challenges in securing interbank payment networks against evolving threats.
