Kroll Contains, Remediates SWIFT System Cyber Fraud for Middle Eastern Bank

In early 2019, a Middle Eastern bank was alerted to numerous fraudulent SWIFT transactions amounting to more than $10 million. The bank soon determined that several of its critical servers and workstations had been sabotaged. Kroll was engaged to investigate how the fraudulent transactions had occurred and to identify, contain and remediate the threats on the bank’s network.

How Kroll Helped

Kroll examined logs from the timeframe in which the fraudulent transactions occurred. Our analysis determined that various servers and workstations, three SWIFT user accounts and several administrator accounts had shown suspicious activity throughout the period of the transactions.

We established that some of the suspect servers and workstations had been sabotaged with a master boot record modification tool that rendered the systems inoperable. We repaired the servers and workstations and conducted a forensic analysis, which enabled us to discover valuable artifacts that the attacker was trying to hide.

Our team quickly deployed Kroll’s CyberDetectER® Endpoint across nearly 3,000 endpoints to identify any malicious activity and binaries. Analysis of the collected artifacts identified several suspicious command and control (C&C) IP addresses and URLs from which the attacker had been downloading malicious tools. Network device logs were analyzed and revealed that many servers and workstations had been communicating with the C&C servers since late 2018.
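The log review described above, correlating network device logs against the C&C indicators recovered from endpoints, is the kind of pass that establishes when each host first reached attacker infrastructure and therefore how far back the intrusion goes. The following is an added example, not Kroll's tooling or the bank's data: the log line format, host names and indicator values (RFC 5737 documentation addresses and an `.example` domain) are constructed placeholders, and a real run would substitute the investigation's own indicators and the device's actual export format.

```python
"""Flag hosts that contacted known command-and-control (C&C) indicators.

Added example, not Kroll's code. The log format, host names and indicator
values are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed indicator list (placeholders, not real C&C infrastructure).
C2_INDICATORS = {
    "203.0.113.45",        # RFC 5737 documentation address
    "update-cdn.example",  # placeholder domain
}

# Constructed firewall/proxy log lines:
# "<timestamp> src=<host> dst=<ip-or-host> action=<verb>"
SAMPLE_LOG = """\
2018-11-03T08:14:22Z src=WS-FIN-017 dst=203.0.113.45 action=allow
2018-11-03T08:20:05Z src=WS-FIN-017 dst=198.51.100.7 action=allow
2018-12-19T23:41:10Z src=SRV-SWIFT-02 dst=update-cdn.example action=allow
2019-01-08T02:03:44Z src=WS-FIN-017 dst=203.0.113.45 action=deny
2019-01-09T11:55:01Z src=SRV-MAIL-01 dst=192.0.2.10 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"].lower(),
        "action": m["action"],
    }


def find_c2_contacts(log_text, indicators=C2_INDICATORS):
    """Map each source host that reached an indicator to its first/last contact,
    hit count and the indicators it touched.

    Denied connections are counted too: a blocked beacon still shows that the
    host was trying to reach attacker infrastructure.
    """
    hosts = defaultdict(
        lambda: {"first_seen": None, "last_seen": None, "hits": 0, "indicators": set()}
    )
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dst"] not in indicators:
            continue
        h = hosts[rec["src"]]
        h["hits"] += 1
        h["indicators"].add(rec["dst"])
        if h["first_seen"] is None or rec["ts"] < h["first_seen"]:
            h["first_seen"] = rec["ts"]
        if h["last_seen"] is None or rec["ts"] > h["last_seen"]:
            h["last_seen"] = rec["ts"]
    return {
        host: {
            "first_seen": v["first_seen"].isoformat(),
            "last_seen": v["last_seen"].isoformat(),
            "hits": v["hits"],
            "indicators": sorted(v["indicators"]),
        }
        for host, v in hosts.items()
    }


def earliest_contact(contacts):
    """Earliest first_seen across all hosts: the start of the dwell-time window."""
    if not contacts:
        return None
    return min(v["first_seen"] for v in contacts.values())


if __name__ == "__main__":
    result = find_c2_contacts(SAMPLE_LOG)
    for host, info in sorted(result.items(), key=lambda kv: kv[1]["first_seen"]):
        print(host, info)
    print("earliest contact:", earliest_contact(result))
```

The per-host first-seen timestamp is what matters for scoping: it tells the responder which hosts to image first and bounds how far back the SWIFT transaction review has to go.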

Our forensic analysis of infected machines identified the presence of two malware variants: PowerShell Empire and Mimikatz. PowerShell Empire gives the attacker full remote access to a system, while Mimikatz is used to capture authentication credentials.

The attackers had rendered several Exchange servers inoperable. After Kroll recovered these mail servers, we found that rules had been created which blocked emails containing the words “swift” and “case” in order to prevent detection of the fraud.
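Mail rules that silently delete, divert or forward messages matching a business-critical term are a recurring way of keeping fraud alerts from reaching their readers, and they are cheap to audit once rules have been exported. The following is an added example, not Kroll's tooling or the bank's rule set: the export format is constructed (field names loosely follow Exchange inbox-rule attributes, but nothing here calls Exchange), the mailboxes and rules are fictional, and the watch terms are the two words the case above mentions.

```python
"""Audit exported mailbox rules for ones that suppress mail about a topic.

Added example, not Kroll's code. The rule export format and the sample
rules are constructed; field names loosely mirror Exchange inbox-rule
attributes but are an assumption of this example.
"""

WATCH_TERMS = ("swift", "case")  # terms from the case above
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}

# Constructed export, e.g. a per-mailbox rule dump converted to JSON.
SAMPLE_RULES = [
    {"mailbox": "treasury.ops@bank.example", "name": "Cleanup", "enabled": True,
     "subject_or_body_contains": ["swift", "case"],
     "delete_message": True, "move_to_folder": None, "mark_as_read": True,
     "forward_to": []},
    {"mailbox": "treasury.ops@bank.example", "name": "Newsletters", "enabled": True,
     "subject_or_body_contains": ["newsletter"],
     "delete_message": False, "move_to_folder": "Newsletters", "mark_as_read": True,
     "forward_to": []},
    {"mailbox": "it.admin@bank.example", "name": "old", "enabled": False,
     "subject_or_body_contains": ["SWIFT alert"],
     "delete_message": True, "move_to_folder": None, "mark_as_read": False,
     "forward_to": []},
    {"mailbox": "cfo@bank.example", "name": ".", "enabled": True,
     "subject_or_body_contains": ["Case"],
     "delete_message": False, "move_to_folder": "RSS Feeds", "mark_as_read": True,
     "forward_to": ["drop@mailbox.example"]},
]


def matched_terms(rule, watch_terms=WATCH_TERMS):
    """Watch terms that appear (case-insensitively) in the rule's keyword conditions."""
    words = [w.lower() for w in rule.get("subject_or_body_contains", [])]
    return sorted({t for t in watch_terms if any(t in w for w in words)})


def hiding_actions(rule, hiding_folders=HIDING_FOLDERS):
    """Actions that keep a matching message away from the reader."""
    actions = []
    if rule.get("delete_message"):
        actions.append("delete")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in hiding_folders:
        actions.append("move:" + folder)
    if rule.get("mark_as_read"):
        actions.append("mark_read")
    if rule.get("forward_to"):
        actions.append("forward")
    return actions


def audit_rules(rules, watch_terms=WATCH_TERMS):
    """Return findings for rules that both match a watch term and hide the mail.

    Severity: high for an enabled rule that deletes, forwards or moves the
    message; medium for an enabled rule that only marks it read; low for a
    disabled rule (it still records intent and is worth a look).
    """
    findings = []
    for r in rules:
        terms = matched_terms(r, watch_terms)
        actions = hiding_actions(r)
        if not terms or not actions:
            continue
        strong = bool({"delete", "forward"} & set(actions)) or any(
            a.startswith("move:") for a in actions
        )
        if not r.get("enabled"):
            severity = "low"
        elif strong:
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "mailbox": r.get("mailbox"),
            "rule": r.get("name"),
            "enabled": bool(r.get("enabled")),
            "terms": terms,
            "actions": actions,
            # Very short or punctuation-only names are a common sign of a
            # rule created to be overlooked.
            "unnamed": len((r.get("name") or "").strip()) <= 2,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f["severity"].upper(), f["mailbox"], repr(f["rule"]), f["terms"], f["actions"])
```

Run against a real environment, the input would be the rule export produced by the mail platform's own administration tooling (for Exchange, the inbox-rule and transport-rule listing cmdlets), mapped onto the field names above; the logic is the same either way.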

Kroll Key Deliverables
  • Identified and contained the various malware infecting the bank’s network and restored the environment to a clean state, preventing continued fraudulent SWIFT transactions.
  • Provided specific security recommendations to help prevent further attacks and related financial losses.
  • Conducted a skills gap assessment and provided training for the bank’s security and infrastructure teams.
