17 April 2017

Media FAQ: Shadow Brokers

Allegations surrounding attempts to gain unauthorised access to data at two service bureaux.

Key Facts:

  • SWIFT has no indication to suggest that our network or core messaging services have been compromised.
  • The allegations, which date back to 2013, suggest that two service bureaux may have been targeted to give the attackers unauthorised access to their bank customers’ data.
  • Service Bureaux are third-party providers that operate the connection to SWIFT for firms that wish to connect to SWIFT but who want to outsource the day-to-day operation of their SWIFT connection to a third party. Users are free to select a service bureau of their choosing, and remain responsible for all operations they decide to outsource to their selected service bureau.
  • SWIFT is in close contact with the service bureaux concerned to verify that they are aware of the allegations and have appropriate preventative measures in place.
  • Security is paramount, which is why we have been working with the Community through the Customer Security Programme (CSP) to raise awareness and provide tools and guidance around security.
  • Customers should pay close attention to their own security and take security into consideration when selecting a service bureau and working with other third-party providers.
  • Securing software and systems by immediately installing security updates, patches and software is key to protecting against exploits such as these. SWIFT regularly releases security updates reinforcing our products, thereby protecting against known exploits and vulnerabilities.
  • The CSP aims to help customers and service providers in reinforcing the security of their operating environments (including their Windows or other operating systems) and ensuring the multiple lines of defence that will help protect against compromises. Applying the latest security patches is one of the 16 mandatory controls in the recently published CSP Security Controls Framework: taken together these controls should also significantly mitigate the impact of any such vulnerabilities.

Q: What do these allegations mean?

A: The allegations suggest there may have been attempts to gain unauthorised access to data at two service bureaux. The exploits do not target SWIFT’s infrastructure or data. There is no impact on SWIFT’s infrastructure or data, and there is no evidence to suggest that there has been any unauthorised access to SWIFT’s network or messaging services.

The material that has been published by Shadow Brokers, and which dates back several years, suggests that attempts may have been made by unauthorised third parties to access communications between these service bureaux and their customers.  

While this information is historic, we are in close contact with the service bureaux to remind them of their responsibility to inform their customers and to perform additional checks against the identified and other known threats, as well as to make sure that any necessary additional preventative measures are put in place.

Q: Was SWIFT targeted in these attacks?

A: No, the exploits do not target SWIFT’s infrastructure or data. The allegations suggest that the attackers wanted to gain unauthorised access to data at two service bureaux. Again we can confirm that there is no impact on SWIFT’s infrastructure or data, and we have no evidence to suggest that there has been any unauthorised access to SWIFT’s network or messaging services.

Q: What is a service bureau?

A: Service Bureaux are third-party providers that operate the connection to SWIFT for firms that wish to connect to SWIFT but want to outsource the day-to-day operation of their SWIFT connection to a third party. The services offered by service bureaux typically include sharing, hosting, or operating SWIFT connectivity components, logging on, or managing sessions or security for SWIFT users. Users are free to select a service bureau of their choosing, and remain responsible for all operations they decide to outsource to their selected service bureau.

Q: What is SWIFT’s Shared Infrastructure Programme (SIP)?

A: To provide connectivity service to their customers, service bureaux must register under SWIFT’s Shared Infrastructure Programme (SIP), which contains the legal, financial and operational requirements which service bureaux are required to meet. The SIP certification reflects a service bureau’s compliance at a certain point in time with the then current specific SIP requirements.

Service bureaux are responsible for ensuring their continued and effective compliance with the applicable SIP requirements at all times and, more generally, the security of their operations. They are also obliged to notify their customers and SWIFT of incidents and events (for example, security incidents) that impact the provision of their services.

The SIP should never be seen as a substitute for customers performing their own checks and due diligence, nor for customers defining and monitoring their service bureaux’ compliance with whatever requirements they believe necessary to protect their operations and data.

Service bureaux that are certified under the SIP are listed on SWIFT.com. Service bureaux and their customers are ultimately responsible for maintaining sound cyber practices and duly securing their operations at all times.  

Q: How has the Shared Infrastructure Programme (SIP) adapted to the growing threat level?

A: SWIFT regularly reviews and adapts the SIP to reflect market developments and the evolving threat environment.

Q: What mitigating actions can SWIFT customers and Service Bureaux take to protect against such threats?

A: Securing software and systems by immediately installing security updates, patches and software is key to protecting against exploits such as these. SWIFT regularly releases security updates reinforcing our products, thereby protecting against known exploits and vulnerabilities.

In our release updates we use the Common Vulnerability Scoring System (CVSS) industry standard to indicate the severity of any vulnerabilities, and we mandate that all customers apply the Security Updates within specified times, thereby protecting against known exploits and vulnerabilities.

The CSP, which has been in place since May 2016, aims to help customers and service providers in reinforcing the security of their operating environments (including their Windows or other operating systems) and in ensuring the multiple lines of defence that will help protect against compromises. Applying the latest security patches is one of the 16 mandatory controls in the recently published CSP Security Controls Framework. Taken together these 16 controls should also significantly mitigate the impact of such vulnerabilities.

We keep our customers updated through our Security Notification Service, and update our tools and guidance on an ongoing basis to help customers secure their local environments.

 

For further information please contact:

Finsbury at: +32 (0)2655 3377 or SWIFT@Finsbury.com

 
