Symantec: Another hacking group is targeting SWIFT users

"Discreet campaign" of malware attacks targets banks

Symantec has warned that a second set of cybercriminals may have hacked banks that use SWIFT, after discovering a campaign of "discreet" malware attacks against financial organisations this year.

Organisations operating in sectors such as banking, trading and payroll have fallen victim to attacks using a previously undocumented malware called 'Trojan.Odinaff', according to new research by the cybersecurity firm.

Evidence suggests that users of SWIFT, the international messaging system used by many financial organisations, were targeted by this malware, which would hide fraudulent payment notifications from the user.

Symantec has confirmed to IT Pro that it has "logged 74 infections corresponding to individual computers", but added that some organisations are likely to have multiple infected machines.

A different group made a similar breach in February when $81 million was stolen from a Bangladesh bank. Lazarus, the group believed to have carried out the attack, was also involved in subsequent hacks of banks in Southeast Asia.

The attacks were likely financially motivated, according to Symantec, as 34% of recorded Odinaff hits were against the finance sector.

"Around 60% of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software apps," its report read.

A SWIFT spokeswoman said the company is aware of Odinaff and had shared telltale signs of the threat with its community of users over summer, as well as a "practical example" of the method it employs to breach banks.

Symantec did not name specific companies involved, but said the largest number of attacks by Odinaff were in the US, UK, Hong Kong, Australia, and Ukraine.

"One of the most common methods of attack is through lure documents containing a malicious macro," the report states. "If the recipient opts to enable macros, the macro will install the Odinaff Trojan on their computer."

Symantec has made links between these latest attacks and the activities of the Carbanak group, which first began operating in 2014 and has reportedly stolen around $1 billion in worldwide hacks. The two groups both favour targets in the finance sector and have used the same IP addresses to connect to servers.
