Symantec: Another hacking group is targeting SWIFT users

"Discreet campaign" of malware attacks target banks

Symantec has warned that a second set of cybercriminals may have hacked banks who use SWIFT, after discovering a campaign of "discreet" malware attacks against financial organisations this year.

Organisations operating in sectors such as banking, trading and payroll have fallen victim to attacks using a previously undocumented malware called 'Trojan.Odinaff', according to new research by the cybersecurity firm.

Advertisement - Article continues below

Evidence suggests that users of SWIFT, the international messaging system used by many financial organisations, were targeted by this malware, which would hide fraudulent payment notifications from the user.

Symantec has confirmed to IT Pro that it has "logged 74 infections corresponding to individual computers", but added that some organisations are likely to have multiple infected machines.

A different group made a similar breach in February when $81 million was stolen from a Bangladesh bank. Lazarus, the group believed to have carried out the attack, was also involved in subsequent hacks of banks in Southeast Asia.

The attacks were likely financially motivated, according to Symantec, as 34% of recorded Odinaff hits were against the finance sector.

"Around 60% of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software apps," its report read.

Advertisement - Article continues below

A SWIFT spokeswoman said the company is aware of Odinaff and had shared telltale signs of the threat with its community of users over summer, as well as a "practical example" of the method it employs to breach banks.

Advertisement - Article continues below

Symantec did not name specific companies involved, but said the largest number of attacks by Odinaff were in the US, UK, Hong Kong, Australia, and Ukraine.

"One of the most common methods of attack is through lure documents containing a malicious macro," the report states. "If the recipient opts to enable macros, the macro will install the Odinaff Trojan on their computer."

Symantec has made links between these latest attacks and the activities of the Carbanak group, which first began operating in 2014 and has reportedly stolen around $1 billion in worldwide hacks. The two groups both favour targets in the finance sector and have used the same IP addresses to connect to servers.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular

Careers & training

IBM job ad calls for 12-years of experience with six-year-old Kubernetes

13 Jul 2020
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020