{
	"id": "6a62d6c2-d393-4817-a718-f1a5d0b17461",
	"created_at": "2026-04-06T00:08:18.303552Z",
	"updated_at": "2026-04-10T03:38:19.014653Z",
	"deleted_at": null,
	"sha1_hash": "eb4badf25fefc1cdb230e1490362c45fce69196b",
	"title": "Bangladesh Eyes Insider Angle for SWIFT Bank Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 178595,
	"plain_text": "Bangladesh Eyes Insider Angle for SWIFT Bank Attack\r\nBy Mathew J. Schwartz\r\nArchived: 2026-04-05 19:08:35 UTC\r\nWill SWIFT's Forthcoming Security Improvements Blunt Hack-Attack Spree? (euroinfosec) • May 31, 2016\r\nOfficials at SWIFT have announced a range of new security proposals designed to better secure - and restore\r\nconfidence in - the global money-transfer network as news of yet another suspected attack against the network has\r\ncome to light, this time in the Philippines.\r\nThe messaging system maintained by SWIFT - formally known as the Society for Worldwide Interbank Financial\r\nTelecommunication - is designed to guarantee that money-moving messages between banks are authentic. But the\r\nreliability of the system, which is used by more than 11,000 institutions, has been called into question following\r\nrevelations that SWIFT-using banks were falling victim to malware-wielding attackers (see Another SWIFT Hack\r\nStole $12 Million).\r\nFollowing the $81 million theft from the central bank of Bangladesh in February, SWIFT warned that a \"wider\r\nand highly adaptive campaign\" was underway. 
Investigators now suspect that a dozen or more banks may have\r\nbeen targeted by a group of attackers - possibly with ties to North Korea - who have been using fraudulent SWIFT\r\nmessages to transfer millions into attacker-owned accounts, aided by customized malware that's designed to trick\r\nSWIFT's client software.\r\nhttps://www.bankinfosecurity.com/bangladesh-eyes-insider-angle-over-swift-bank-attack-a-9154\r\nPage 1 of 3\n\nBangladesh Suspects Insider Help\r\nThe head of a government-appointed panel investigating the Bangladesh Bank attack - the largest cyber heist in\r\nhistory - reportedly now suspects that one or more insiders may have aided attackers.\r\n\"Earlier we thought no one from Bangladesh Bank was involved, but now there is a small change,\" Mohammed\r\nFarashuddin, a former governor of the Bangladesh central bank, told reporters on May 30, without elaborating as\r\nto the precise nature of the change, Reuters reported.\r\nThe results of the new investigation will be made public in the next 15 to 20 days, Bangladesh Finance Minister\r\nAbul Maal Abdul Muhith told Reuters.\r\nPreviously, Bangladesh officials had blamed both SWIFT and the Federal Reserve Bank of New York for failing\r\nto spot and block the four fraudulent money-transfer messages that were processed. SWIFT, however, dismissed\r\nthose claims, blaming the bank's poor security instead. But earlier this month, all three organizations met and\r\npledged to work more closely together.\r\nBangladesh Bank spokesman Subhankar Saha couldn't be immediately reached for comment about the report's\r\nfindings. But Saha told Reuters that the central bank had yet to see a copy of the report. \"The Bangladesh Bank\r\nmanagement will follow all instructions given by the government,\" he said. 
\"Actions will be taken as per\r\ninstruction by the government if any central bank officials were found guilty.\"\r\nSecurity researchers now suspect that the same group of attackers may have targeted at least five different banks:\r\nSonali Bank in 2013; an as-yet-unnamed bank in the Philippines in October 2015; Vietnam's Tien Phong Bank in\r\nDecember 2015; Ecuador's Banco del Austro the following month; and Bangladesh Bank in February.\r\nLast week, incident response firm FireEye told Bloomberg that it was investigating eight more suspected incidents\r\ninvolving banks in Asia - including the Philippines - as well as New Zealand. FireEye declined to comment on\r\nthat report.\r\nReport: Philippines Bank Attacked\r\nNow, Symantec says it has identified three more pieces of \"backdoor\" malware - named Fimlis, Fimlis.B and\r\nContopee - designed to give attackers remote access to systems. Symantec says these malware strains share\r\nsignificant code commonalities with the malware used against Bangladesh Bank and TPBank, which researchers\r\nhave tied to the Lazarus Group, which was previously tied to the 2014 Sony Pictures Entertainment hack. The\r\nU.S. 
government controversially attributed the Sony attack to \"North Korea actors\" (see FBI Attributes Sony Hack\r\nto North Korea).\r\n\"Symantec believes distinctive code shared between families and the fact that [Contopee] was being used in\r\nlimited targeted attacks against financial institutions in the region, means these tools can be attributed to the same\r\ngroup,\" Symantec says in a blog post.\r\nSymantec said it recovered the malware from an October 2015 attack against a Philippines bank which - as noted\r\nabove - it has declined to name.\r\nNestor Espenilla, the deputy governor of the Philippines' central bank, told Reuters that being attacked was not the\r\nsame as being hacked and losing money. \"We are checking if there are similar attacks on Philippine banks,\"\r\nEspenilla said. \"However, no reported losses so far.\"\r\nSWIFT Will 'Expand' Two-Factor Authentication\r\nOn May 27, SWIFT announced that it would be launching a set of five security changes to help better secure and\r\nauthenticate SWIFT messages, including helping banks to better trade threat intelligence as well as detect related\r\nfraud. The measures were previewed last week by SWIFT CEO Gottfried Leibbrandt (see SWIFT Promises\r\nSecurity Overhaul, Fraud Detection).\r\nSWIFT says the effort will commence with \"cooperation with and facilitation of information sharing among\r\noverseers, banks, law enforcement and cybersecurity firms,\" and in the event of an attack include digital forensic\r\nanalysis \"on products and services related to SWIFT connectivity at affected banks, so that other users can protect\r\nthemselves.\"\r\nSWIFT has also promised to beef up the security of the software that it offers customers. 
\"For example, our\r\ninterface products support two-factor authentication, but we will further expand this and add additional tools,\"\r\naccording to SWIFT's security announcement (see Gartner's Litan Analyzes SWIFT-Related Bank Heists). \"We\r\nwill also increase remote monitoring capabilities of customer environments.\"\r\nWeakest Link Warning\r\nBut the five security improvements being proposed by SWIFT won't be a \"silver bullet\" that suddenly stops\r\nrelated attacks, says Ricardo Villadiego, CEO of anti-fraud firm Easy Solutions. \"Those five points look to me\r\nmore like a recipe for damage control than really going deeper into the problem,\" he says.\r\nWhat's required, he contends, is not just mandatory use of multifactor authentication, but a much more layered\r\nsystem of security defenses. \"The system is only as secure as the weakest link,\" he says, and right now that weak\r\nlink appears to be so many SWIFT-using banks.\r\nSource: https://www.bankinfosecurity.com/bangladesh-eyes-insider-angle-over-swift-bank-attack-a-9154",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/bangladesh-eyes-insider-angle-over-swift-bank-attack-a-9154"
	],
	"report_names": [
		"bangladesh-eyes-insider-angle-over-swift-bank-attack-a-9154"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434098,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb4badf25fefc1cdb230e1490362c45fce69196b.pdf",
		"text": "https://archive.orkl.eu/eb4badf25fefc1cdb230e1490362c45fce69196b.txt",
		"img": "https://archive.orkl.eu/eb4badf25fefc1cdb230e1490362c45fce69196b.jpg"
	}
}