
Cyber Incident Victim: Tien Phong Bank

Date: Dec 2015

Location: Viet Nam

Summary

An attempted cyber heist targeted Tien Phong Bank using fraudulent SWIFT messages to request transfers exceeding 1 million euros. The attempt was detected and halted before funds were moved. The attack involved malware installed on a third-party vendor's infrastructure used to connect to SWIFT, prompting the bank to discontinue that vendor and adopt a more secure direct connection system. No financial losses or system disruptions occurred. Cybersecurity firm BAE Systems linked the malware to tactics similar to those used in the Bangladesh Bank heist, involving compromised PDF readers to manipulate SWIFT transaction records, though the bank initially denied being affected when first contacted.


Description

In late 2015, Tien Phong Bank (TPBank) of Vietnam identified suspicious SWIFT message requests attempting to fraudulently transfer over 1 million euros ($1.1 million) from its systems. The incident occurred during the fourth quarter of the year and involved attackers using compromised infrastructure from an unnamed third-party vendor that provided connectivity to the SWIFT messaging network. TPBank detected the fraudulent transfer requests promptly and prevented fund movement by immediately contacting involved parties, resulting in no financial losses. The bank stated the attack did not impact its SWIFT system or general customer transaction operations. Forensic analysis indicated malware installed on a software application used by the external vendor facilitated the attack, potentially aligning with SWIFT’s contemporaneous warnings about malware targeting PDF readers used to review transaction statements. The vendor’s servers were located overseas, though TPBank did not disclose their jurisdiction. Following the incident, TPBank terminated its relationship with the vendor and implemented a new, more secure system enabling direct SWIFT connectivity.


The attempted heist shared technical similarities with the February 2016 Bangladesh Bank cyber theft, where attackers stole $81 million using fraudulent SWIFT messages. Cybersecurity firm BAE Systems had previously reported malware targeting a Vietnamese bank via SWIFT messages but did not name TPBank, which initially denied involvement when contacted by Reuters before confirming the attack days later. SWIFT acknowledged a "small number" of similar fraud cases among its customers but declined to comment specifically on TPBank’s incident. The bank, recognized for its technological capabilities and awarded "Best Internet Banking" by The Asian Banker shortly before the disclosure, emphasized its modern security posture despite the breach originating from third-party infrastructure. Key shareholders including Doji, Vietnam National Reinsurance Corporation, and SBI Ven Holding were not reported to have been directly affected. SWIFT’s awareness timeline regarding the TPBank attempt and any subsequent preventive measures remained unclear at the time of reporting.
