Symantec: Another hacking group is targeting SWIFT users

"Discreet campaign" of malware attacks target banks

Symantec has warned that a second set of cybercriminals may have hacked banks who use SWIFT, after discovering a campaign of "discreet" malware attacks against financial organisations this year.

Organisations operating in sectors such as banking, trading and payroll have fallen victim to attacks using a previously undocumented malware called 'Trojan.Odinaff', according to new research by the cybersecurity firm.

Evidence suggests that users of SWIFT, the international messaging system used by many financial organisations, were targeted by this malware, which would hide fraudulent payment notifications from the user.

Symantec has confirmed to IT Pro that it has "logged 74 infections corresponding to individual computers", but added that some organisations are likely to have multiple infected machines.

Advertisement - Article continues below

A different group made a similar breach in February when $81 million was stolen from a Bangladesh bank. Lazarus, the group believed to have carried out the attack, was also involved in subsequent hacks of banks in Southeast Asia.

The attacks were likely financially motivated, according to Symantec, as 34% of recorded Odinaff hits were against the finance sector.

"Around 60% of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software apps," its report read.

A SWIFT spokeswoman said the company is aware of Odinaff and had shared telltale signs of the threat with its community of users over summer, as well as a "practical example" of the method it employs to breach banks.

Symantec did not name specific companies involved, but said the largest number of attacks by Odinaff were in the US, UK, Hong Kong, Australia, and Ukraine.

"One of the most common methods of attack is through lure documents containing a malicious macro," the report states. "If the recipient opts to enable macros, the macro will install the Odinaff Trojan on their computer."

Symantec has made links between these latest attacks and the activities of the Carbanak group, which first began operating in 2014 and has reportedly stolen around $1 billion in worldwide hacks. The two groups both favour targets in the finance sector and have used the same IP addresses to connect to servers.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019

Five signs that it’s time to retire IT kit

29 Nov 2019