Mexican Bank Foils $110 Million Cyber Robbery

As it turns out, SWIFT isn't the only inter-bank payments system that has been infiltrated by shadowy hackers who've spotted an opportunity to steal tens of millions of dollars with a few keystrokes.

More than two years after cybercriminals stole $81 million from the Central Bank of Bangladesh's custody account at the New York Fed, criminals who are believed to be affiliated with North Korea managed to infiltrate Bancomext, a state-owned trade bank, Bloomberg reported, adding that the attack took place in January. But their plan to steal $110 million was foiled by a vigilant bank employee who managed to stop the transfer before it arrived at its destination. The transfers were disguised as donations from the Mexican bank to a Korean church. Fortunately, banks in Korea were closed when the fraudulent transaction was requested, and Bancomext managed to reverse the transaction before they opened, according to Bloomberg.


Bank executives suspended operations while they sorted through the bank's transactions to try and root out other fraudulent orders. But after learning of the intrusion, Mexico's central bank did something very unusual. One would think that the central bank would at least want to get the word out that a shadowy group of criminals nearly succeeded in stealing hundreds of millions of dollars from the state. Instead, it stayed quiet.

Once the central bank was aware of Bancomext’s issues, it directed some other banks to double-check the security of their operations, but it didn’t provide them any detail about what to look for, according to two people with knowledge of the matter who asked not to be identified because the information is private.

A spokeswoman said the level of detail the central bank provided reflected the amount of information it had at the time. Experts consulted by Bancomext would later tell the bank that hackers had managed to penetrate its Swift connection thanks to a so-called "next generation" virus that had probably been activated after an employee clicked on a malicious email attachment. It had likely sat undetected in the bank’s systems for several months or even years, allowing hackers to assemble data on typical operations so it’d be easier to disguise the theft.

Given the central bank's reticence, it perhaps shouldn't come as a surprise that cybercriminals have so far managed to steal about $15 million from Mexican banks by infiltrating Mexico's domestic inter-bank payments system, known as SPEI.

At least one of the incidents was detected by the central bank, which noticed "irregularities" in the accounts of a small financial institution connected to Mexico's SPEI payments network on April 17. But it didn't disclose the irregularities until 10 days later because, it said, the incident seemed like an isolated occurrence.

About a week later, officials at Grupo Financiero Banorte noticed hundreds of irregular transactions being sent through SPEI. It soon learned that Banorte, one of Mexico's largest banks, had endured a cyberattack. By then, Banxico was aware of three firms being attacked via the SPEI network. On May 2, a fourth institution told the central bank that it, too, had been hacked. The next week the number grew to five.


Still, Banxico kept information close and opted not to issue a warning about the SPEI network or SWIFT. The banks also stayed silent, purportedly out of fear they could be punished under a new Mexican law that requires banks to have certain protocols in place to fend off cyberattackers.

Of course, these types of cyberattacks on financial institutions haven't been confined to Mexico and Bangladesh. Hackers have successfully stolen money from Ecuador's Banco del Austro and Vietnam's Tien Phong Commercial Joint Stock Bank.


As one security expert who spoke with Bloomberg pointed out, cooperation and communication make the entire system stronger.

But experts agree that sharing information makes the whole system stronger.

"It’s so important that these banks talk to each other, that they share the best practices," said David Schwartz, chief executive officer of the Florida International Bankers Association, a Miami-based trade association. "There’s not enough of that" in Mexico, he said.


"The idea is to have an understanding among authorities and financial entities that whenever you get some type of shock or cybersecurity event, you should share it, and everyone will have information and clarity about what’s going on," Diaz de Leon said.

The lack of communication was, to some degree, motivated by ignorance.

Up until now, online security hasn’t been taken seriously in Mexico’s banking sector, according to Federico De Noriega, a partner in the finance group at Hogan Lovells in Mexico City. He cited his experience representing a foreign insurance company that was marketing policies to protect against cyberattacks to financial institutions in Mexico.

"There was a lot of ignorance," De Noriega said. "That tells you people aren’t aware of this risk, or they’re not taking it seriously. I think they’ll start taking it more seriously now."

After the raids resulted in a total of $15 million stolen from the Mexican banking system, Banxico finally acted, placing new limits on withdrawals. The head of payments, meanwhile, departed the central bank. Mexico's Attorney General is also looking into the incidents. It's widely believed that, to infiltrate the SPEI system, the hackers would've needed help from an insider. But regardless of how they pulled it off, the question of whether Banxico is doing enough to secure the country's banks still hasn't been answered.