Symantec: Another hacking group is targeting SWIFT users

Banking written in red surrounded by coding

Symantec has warned that a second set of cybercriminals may have hacked banks who use SWIFT, after discovering a campaign of "discreet" malware attacks against financial organisations this year.

Organisations operating in sectors such as banking, trading and payroll have fallen victim to attacks using a previously undocumented malware called 'Trojan.Odinaff', according to new research by the cybersecurity firm.

Evidence suggests that users of SWIFT, the international messaging system used by many financial organisations, were targeted by this malware, which would hide fraudulent payment notifications from the user.

Symantec has confirmed to IT Pro that it has "logged 74 infections corresponding to individual computers", but added that some organisations are likely to have multiple infected machines.

A different group made a similar breach in February when $81 million was stolen from a Bangladesh bank. Lazarus, the group believed to have carried out the attack, was also involved in subsequent hacks of banks in Southeast Asia.

The attacks were likely financially motivated, according to Symantec, as 34% of recorded Odinaff hits were against the finance sector.

"Around 60% of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software apps," its report read.

A SWIFT spokeswoman said the company is aware of Odinaff and had shared telltale signs of the threat with its community of users over summer, as well as a "practical example" of the method it employs to breach banks.

Symantec did not name specific companies involved, but said the largest number of attacks by Odinaff were in the US, UK, Hong Kong, Australia, and Ukraine.

"One of the most common methods of attack is through lure documents containing a malicious macro," the report states. "If the recipient opts to enable macros, the macro will install the Odinaff Trojan on their computer."

Symantec has made links between these latest attacks and the activities of the Carbanak group, which first began operating in 2014 and has reportedly stolen around $1 billion in worldwide hacks. The two groups both favour targets in the finance sector and have used the same IP addresses to connect to servers.

Dale Walker

Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.