Cyber Security Case Studies

Kroll Contains, Remediates SWIFT System Cyber Fraud for Middle Eastern Bank

Kevin Wong

Kevin Wong

Imran Khan

Imran Khan

In early 2019, a Middle Eastern bank was alerted to numerous fraudulent SWIFT transactions that amassed to over $10 million. The bank soon determined that several of its critical servers and workstations had been sabotaged. Kroll was engaged to investigate how the fraudulent transactions occurred and to identify, contain and remediate the threats attacking the bank’s network.

How Kroll Helped

Kroll examined logs during the timeframe when the fraudulent transactions occurred. Our analysis determined that various servers and workstations, three SWIFT user accounts and several administrator accounts had been used suspiciously throughout the time of the transactions. 

We established that some of the suspect servers and workstations had been sabotaged with a master boot record modification tool that rendered the systems inoperable. We repaired the servers and workstations and conducted a forensic analysis, which enabled us to discover valuable artifacts that the attacker was trying to hide.

Our team quickly deployed Kroll’s CyberDetectER® Endpoint across nearly 3,000 endpoints to identify any malicious activity and binaries. Analysis of the collected artifacts identified several suspicious command and control (C&C) IP addresses and URLs from where malicious tools were being downloaded by the attacker. Network device logs were analyzed, and they revealed that many servers and workstations had been in communication with the C&C servers from late 2018.

Our forensic analysis of infected machines identified the presence of two malware variants: PowerShell Empire and Mimikatz. PowerShell Empire enables full remote access to a system, while Mimikatz is used to capture authentication credentials. 

The attackers had rendered several exchange servers inoperable. After Kroll recovered these mail servers, we identified that rules had been implemented which blocked emails containing the words “swift” and “case” to hide detection of the fraud. 

Kroll Key Deliverables
  • Identified and contained the various malware infecting the bank’s network and restored the environment to a clean state, preventing continued fraudulent SWIFT transactions.
  • Provided specific security recommendations to help prevent further attacks and related financial losses.
  • Conducted a skills gap assessment and provided training for the bank’s security and infrastructure teams.
 
Stay Ahead with Kroll

Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

Cyber and Data Resilience

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

24x7 Incident Response

24x7 Endpoint Detection and Response

Intelligent Endpoint detection and response: Maximum confidence in data security

24x7 Endpoint Detection and Response

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

Penetration Testing Services

Kroll is headquartered in New York with offices around the world.

One World Trade Center
285 Fulton Street, 31st Floor
New York NY 10007
+1 212 593 1000
Sign up to receive periodic news, reports, and invitations from Kroll. Our privacy policy describes how your data will be processed.

More About Kroll

More About Kroll
© 2024 Kroll, LLC. All rights reserved. Kroll is not affiliated with Kroll Bond Rating Agency, Kroll OnTrack Inc. or their affiliated businesses. Read more.
Return to top