Kroll Contains, Remediates SWIFT System Cyber Fraud for Middle Eastern Bank


  • Ioan Peters, Associate Managing Director
  • Kevin Wong
  • Imran Khan

In early 2019, a Middle Eastern bank was alerted to numerous fraudulent SWIFT transactions that totaled over $10 million. The bank soon determined that several of its critical servers and workstations had been sabotaged. Kroll, a division of Duff & Phelps, was engaged to investigate how the fraudulent transactions occurred and to identify, contain and remediate the threats attacking the bank’s network.

How Kroll Helped

Kroll examined logs covering the timeframe in which the fraudulent transactions occurred. Our analysis determined that various servers and workstations, three SWIFT user accounts and several administrator accounts had been used suspiciously throughout the period of the transactions.

We established that some of the suspect servers and workstations had been sabotaged with a master boot record (MBR) modification tool that rendered the systems inoperable. We repaired the servers and workstations and conducted a forensic analysis, which enabled us to recover valuable artifacts that the attacker was trying to hide.

Our team quickly deployed Kroll’s CyberDetectER® Endpoint across nearly 3,000 endpoints to identify any malicious activity and binaries. Analysis of the collected artifacts identified several suspicious command and control (C&C) IP addresses and URLs from which the attacker had been downloading malicious tools. Network device logs were analyzed, and they revealed that many servers and workstations had been in communication with the C&C servers since late 2018.

Our forensic analysis of infected machines identified the presence of two well-known attacker tools: PowerShell Empire and Mimikatz. PowerShell Empire is a post-exploitation framework that gives the attacker full remote access to a system, while Mimikatz is used to harvest authentication credentials.

The attackers had rendered several Exchange servers inoperable. After Kroll recovered these mail servers, we identified that mail rules had been created which blocked emails containing the words “swift” and “case”, so that the fraud would not be detected through alerts or correspondence.
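The mail-rule tampering described above is something a defender can hunt for directly. The following PowerShell is an added example, not Kroll's tooling or the bank's configuration: it lists inbox rules and organization-wide transport rules whose word conditions match a watch-list and whose action hides the message. It assumes an Exchange Management Shell or Exchange Online PowerShell session is already connected with rights to read every mailbox's rules; the watch-list itself is constructed from the case above.

```powershell
# Hunt for Exchange inbox and transport rules that silently suppress messages
# containing watch-list words. Assumes a connected Exchange Management Shell or
# Exchange Online PowerShell session with rights to read all mailbox rules and
# the organization's transport rules (assumption for this example).
$Keywords = @('swift', 'case')   # constructed watch-list, drawn from the case above

function Get-RuleWords {
    param($Rule)
    # Collect every word condition Exchange exposes on the rule object;
    # properties absent on a given rule type simply contribute $null.
    (@($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) +
        @($Rule.SubjectOrBodyContainsWords)) | Where-Object { $_ }
}

function Test-SuppressesKeyword {
    param($Rule)
    $matched = foreach ($w in (Get-RuleWords $Rule)) {
        foreach ($k in $Keywords) { if ($w -match [regex]::Escape($k)) { $w } }
    }
    # Only flag rules whose action keeps the message away from the reader
    $hides = $Rule.DeleteMessage -or $Rule.MarkAsRead -or $Rule.MoveToFolder -or $Rule.Quarantine
    return [bool]($matched -and $hides)
}

function New-Finding {
    param($Scope, $Target, $Rule)
    [pscustomobject]@{
        Scope   = $Scope
        Target  = $Target
        Rule    = $Rule.Name
        # Inbox rules expose Enabled; transport rules expose State
        Enabled = if ($null -ne $Rule.Enabled) { $Rule.Enabled } else { $Rule.State }
        Words   = (Get-RuleWords $Rule) -join ';'
        Deletes = [bool]$Rule.DeleteMessage
    }
}

$findings = [System.Collections.Generic.List[object]]::new()

# Per-mailbox rules: a rule that blocks mail mentioning "swift" would live here
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        if (Test-SuppressesKeyword $rule) { $findings.Add((New-Finding 'Mailbox' $mbx.PrimarySmtpAddress $rule)) }
    }
}
# Organization-wide transport rules can drop mail before any mailbox sees it
foreach ($tr in Get-TransportRule) {
    if (Test-SuppressesKeyword $tr) { $findings.Add((New-Finding 'Transport' 'Organization' $tr)) }
}
$findings | Sort-Object Scope, Target | Format-Table -AutoSize
```

Every hit should be reviewed against the rule's creation time and the account that created it (from the mailbox audit or admin audit log) before it is removed, since legitimate filing rules can match the same words.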

Kroll Key Deliverables
  • Identified and contained the various malware infecting the bank’s network and restored the environment to a clean state, preventing continued fraudulent SWIFT transactions.
  • Provided specific security recommendations to help prevent further attacks and related financial losses.
  • Conducted a skills gap assessment and provided training for the bank’s security and infrastructure teams.   
Published 2019-07-19.
