Published on April 29, 2021

Defending attacks to the SWIFT network

  • Rising cyber fraud and insider threat cases continue to plague the financial industry growing the need to secure SWIFT networks 
  • Leveraging behavioral analyses, ReaQta’s Detection Strategies enables banks to fully customize unique sets of detections to guard access to SWIFT networks

As SWIFT cyber fraud rises in recent years, financial institutions today face a devastating aftermath: having their sensitive data exfiltrated and money stolen as attackers infiltrate banks in a targeted, calculated manner while utilizing sophisticated malware.

What is the SWIFT network? It allows banks and other financial institutions to securely send and receive information about financial transactions. 

One of the most prominent cyber attacks relating to SWIFT took place in 2014, perpetrated by the Carbanak group, which resulted in more than $900 million USD stolen from several banks1. In the years after that, a slew of other bank heists was also undertaken globally by different threat actors. Victims of such attacks include Bangladesh’s Central Bank, Far Eastern International Bank in Taiwan2, Banco de Chile amongst other financial institutions. 

Today, the financial sector remains as a prime target for cyber criminals, as the latest Verizon Data Breach Report3 confirms. Most attackers have one ultimate goal: Compromise the SWIFT network so as to create seemingly ‘legitimate’ messages (transactions) to move money outside of organizations.

New call-to-action

Compromised Identities

The 2016 Bangladesh Bank Robbery4, also dubbed the Bangladesh Bank cyber heist, was an epic $81 million cyber fraud that headlined the news. Using the SWIFT credentials of Bangladesh central bank employees, more than three dozen fraudulent money transfer requests were sent to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia.

In the wake of such attacks, significant concerns have been raised about the SWIFT network, as well as the urgency to have effective security measures in place. In response, SWIFT released specific guidelines aimed at strengthening the security posture of all organizations that are connected to the SWIFT network.  

The challenge remains: How can companies monitor and protect access to the SWIFT network so that their network is safe?

Zero Trust

Coined by John Kindervag during his tenure at Forrester, Zero Trust5 is a security framework that “centres on the belief that trust is a vulnerability” and eliminates the idea of a trusted network inside corporate perimeters. Instead, it emphasizes the need to “never trust, always verify” while “assuming breach”. 

In 2020, Tesla became a target of an attempted ransomware attack. A Tesla employee was offered a $1 million bribe to install ransomware on Tesla’s Nevada-based Gigafactory, which could have meant millions in extortion and damages if the attack had succeeded. While the attack was eventually thwarted, it leads us to wonder, “What if the employee had installed the ransomware?”

In an alternate reality, a disgruntled employee or one motivated by the ‘opportunity’ to make fast money might just succumb to the lure. According to Verizon, 34% of data breaches in 2019 were insider attacks, with 71% of data breaches motivated by money. Should the Tesla employee have chosen the route of deploying a ransomware, as a trusted insider, he might have been successful as it would simply have been routine work with the appropriate access and credentials.

As the above example shows, insider threats are an industry-wide phenomenon. Read on for a finance case study that draws a similar picture.

How can one then keep these attackers at bay? ReaQta augments the zero-trust concept through Detection Strategies (Destra) by leaving nothing to chance, even within ‘rightful’ perimeters. 

DeStra Creation

ReaQta’s Detection Strategies for SWIFT– DeStra

ReaQta-Hive provides a unique feature called Detection Strategies (DeStra) specifically created to support advanced teams in the detection of highly sophisticated threat actors (APTs) and to create highly-customized detection scenarios, tailor-fitted to any organization’s security needs. 

All DeStra run in real-time on the endpoint and are capable of identifying and responding to a new behavior as-it-happens. Once a DeStra is created, it is immediately activated across the entire organization within minutes, without any intervention or downtime. Unlike traditional post-processing rules, DeStra playbooks react immediately to any threat, leaving little room for movement for an attacker. 

New call-to-action


With cyber adversaries becoming even more skilled and relentless, attackers today may find a way into the SWIFT network with the help of insiders or via stolen credentials gathered during a traditional attack targeting the IT network. Users with rightful access and permissions to the platform may still act maliciously, disgruntled employees that may pose significant security risks to the entire organization.

To prevent such threats, banks can now create custom-built DeStra on the ReaQta-Hive Platform to detect potential exploits and safeguard against potential deviations from the defined norm from a user or process behaviour. 


ReaQta managed to stop an attempted breach into a SWIFT network. 

During this hacking attempt, a malicious insider (Alice) tried to mask her tracks via the usage of unauthorized scripts that were not native to compromised devices to execute powershell. The powershell scripts were designed to create a backdoor which would allow perpetrators to gain elevated access to the bank’s SWIFT network remotely. Leaving nothing to chance, ReaQta’s DeStra detected the breach right from the beginning.

The first detection shows a user (Alice) first seen accessing the SWIFT network outside of regular working hours on a public holiday in an attempt to compromise the system. Her activity was automatically detected as unusual due to a DeStra violation: Account Logon Outside Of Working Hours. 

DeStra Detection: Alice logging to the SWIFT Network Outside Of Working Hours
DeStra Details: DeStra script shows the detection parameters

In the visual above, DeStra is customized to detect deviations from the defined norm – such as, regular working hours, including the dates, timings and public holidays pertaining to that specific geography. Such parameters can be easily amended and effective on the console without reboots or updates to the endpoint. 

Alice then executed a powershell script via unauthorized applications in the hopes that her activity might not be logged and there would be no one monitoring it. Considering Alice’s credentials as an employee, it was well within her means to do so. But ReaQta’s DeStra left nothing to chance.

DeStra Detection: Powershell script executed

Upon detecting Alice’s unusual account activity in real-time, the endpoint was automatically moved into deep-monitoring mode, making sure that all events surrounding the device were captured. With the information gathered in this mode of extensive monitoring, the behavioural tree re-constructs all processes and behaviours in a chronological sequence, making it easy for analysts to quickly identify anything out of the ordinary by simply looking at the graphical representation.

Data fields contain the following: application/process name, Size, Privilege Level, User, Hash, Signer, CmdLine, Mitre Events, Time, Tactic, Technique, Events. An interactive alert was automatically triggered and sent to the IT security team to notify of potential unusual access to SWIFT endpoints.

Behavioural tree exhibiting the processes and behaviours as a result of the powershell execution

Should Alice’s activity had gone unnoticed, the attacker would have gained unwarranted access and control to the platform, an action which might have led to serious damages – data exfiltration, stolen information, financial loss etc.

ReaQta-Hive monitors SWIFT networks in real-time, protecting its users from such use-cases by detecting user behaviour that goes against predefined parameters. Examples of such events include changes of account privileges, user access outside normal working hours, bruteforce events, new user creation and many more. 

With ReaQta, finance institutions are able to augment Zero-Trust to their SWIFT environments, via the flexibility of creating customized detection scenarios via its proprietary DeStra technology. ReaQta-Hive covers both external and insider threats attempting to execute actions on a highly sensitive network, leaving nothing to chance. Financial institutions that are connected to the SWIFT network now have the weapons in hand to defend their networks from both external and insider threats.


ReaQta is a play on the latin words re acta which is “to react“. 

ReaQta is Europe’s top-tiered AI Autonomous Detection & Response platform, built by an elite group of cybersecurity experts and AI/ML researchers with extensive backgrounds in government intelligence operations. Built with advanced features and the best analyst user experience, ReaQta is the most elegant, powerful and easy-to-use platform that allows organizations to eliminate the most advanced threats in the fastest way possible. 

As experts in AI and behavioral analysis, ReaQta’s proprietary dual-AI engines provide organizations across all industries with complete and fully customised endpoint security, minus all the complexity. Security teams can now do more, with less. To learn more visit or follow us at @ReaQta, on LinkedIn, Twitter or Facebook


[1] Carbanak, Wikipedia.

[2] Taiwan ATM heist linked to European hacking spree: security firm, Reuters.

 [3] 2019 Data Breach Investigations Report’, Verizon.

[4]That Insane, $81M Bangladesh Bank Heist? Here’s What We Know, Wired.

[5] Zero Trust Is Not A Security Solution; It’s A Strategy, Forrester.

Contact Person:

Elizabeth Lee, Communications Manager | 

Schedule a free ReaQta-Hive trial here.