Last checked at 
(Adds that it is still not known how attackers created thefraudulent messages)
By Jim Finkle
April 25 (Reuters) - The attackers who stole $81 millionfrom the Bangladesh centralbank probably hacked into software from the SWIFT financialplatform that is at the heart of the global financial system,said security researchers at British defense contractor BAESystems.
SWIFT, a cooperative owned by 3,000 financial institutions,confirmed to Reuters that it was aware of malware targeting itsclient software. Its spokeswoman Natasha Deteran said SWIFT onMonday released a software update to thwart the malware, alongwith a special warning for financial institutions to scrutinizetheir security procedures.
The developments coming to light the unprecedentedcyber-heist suggest that a lynchpin of the global financialsystem could be more vulnerable than previously understoodbecause of weaknesses that enabled attackers to modify a SWIFTsoftware program installed on bank servers.
The new evidence suggests that hackers manipulated theAlliance Access server software, which banks use to interfacewith SWIFT's messaging platform, in a bid to cover up fraudulenttransfers that had been previously ordered.
The findings from BAE and SWIFT do not explain how thefraudulent orders were created and pushed through the system.That remains a key mystery in ongoing probes into the heist.
Deteran told Reuters on Sunday that SWIFT was issuing thesoftware update "to assist customers in enhancing their securityand to spot inconsistencies in their local database records."She said "the malware has no impact on SWIFT's network or coremessaging services."
The software update and warning from Brussels-based SWIFT,or the Society for Worldwide Interbank FinancialTelecommunication, come after researchers at BAE, whichhas a large cyber-security business, told Reuters they believethey discovered malware that the Bangladesh Bank attackers usedto manipulate SWIFT client software known as Alliance Access.
BAE published its findings on Monday in a blog post onmalware that it said thieves used to cover their tracks anddelay discovery of the heist.
The cyber criminals tried to make fraudulent transferstotaling $951 million from the Bangladesh central bank's account at the Federal Reserve Bank of New York in February.
Most of the payments were blocked, but $81 million wasrouted to accounts in the Philippines and diverted to casinosthere. Most of those funds remain missing.
Investigators probing the heist had previously said thestill-unidentified hackers had broken into Bangladesh Bankcomputers and taken control of credentials that were used to loginto the SWIFT system. But the BAE research shows that the SWIFTsoftware on the bank computers was probably compromised in orderto erase records of illicit transfers.
The SWIFT messaging platform is used by 11,000 banks andother institutions around the world, though only some use theAlliance Access software, Deteran said.
SWIFT may release additional updates as it learns more aboutthe attack in Bangladesh and other potential threats, Deteransaid.
It is also reiterating a warning to banks that they shouldreview internal security.
"Whilst we keep all our interface products under continualreview and recommend that other vendors do the same, the keydefense against such attack scenarios is that users implementappropriate security measures in their local environments tosafeguard their systems," Deteran said.
Adrian Nish, BAE's head of threat intelligence, said he hadnever seen such an elaborate scheme from criminal hackers.
"I can't think of a case where we have seen a criminal go tothe level of effort to customize it for the environment theywere operating in," he said. "I guess it was the realizationthat the potential payoff made that effort worthwhile."
A Bangladesh Bank spokesman declined comment on BAE'sfindings.
A senior official with the Bangladesh Police's CriminalInvestigation Department said that investigators had not foundthe specific malware described by BAE, but that forensicsexperts had not finished their probe.
Bangladesh police investigators said last week that thebank's computer security measures were seriously deficient,lacking even basic precautions like firewalls and relying onused, $10 switches in its local networks.
Still, police investigators told Reuters in an interviewthat both the bank and SWIFT should take the blame for theproblems.
"It was their responsibility to point it out but we haven'tfound any evidence that they advised before the heist," saidMohammad Shah Alam, head of the Forensic Training Institute ofthe Bangladesh police's criminal investigation department,referring to SWIFT.
THWARTING FUTURE ATTACKS
Monday's alert from BAE includes some technical indicatorsthat the firm said it hopes banks could use to thwart similarattacks. Those indicators include the IP address of a server inEgypt the attackers used to monitor use of the SWIFT system byBangladesh Bank staff.
The malware, named evtdiag.exe, was designed to hide thehacker's tracks by changing information on a SWIFT database atBangladesh Bank that tracks information about transfer requests,according to BAE.
BAE said that evtdiag.exe was likely part of a broaderattack toolkit that was installed after the attackers obtainedadministrator credentials.
It is still not clear exactly how the hackers ordered themoney transfers.
Nish said that BAE found evtdiag.exe on a malware repositoryand had not directly analyzed the infected servers. Suchrepositories collect millions of new samples a day fromresearchers, businesses, government agencies and members of thepublic who upload files to see if they are recognized asmalicious and help thwart future attacks.
Nish said he was highly confident the malware was used inthe attack because it was compiled close to the date of theheist, contained detailed information about the bank'soperations and was uploaded from Bangladesh.
While that malware was specifically written to attackBangladesh Bank, "the general tools, techniques and proceduresused in the attack may allow the gang to strike again,"according to a draft of the warning that BAE shared withReuters.
The malware was designed to make a slight change to code ofthe Access Alliance software installed at Bangladesh Bank,giving attackers the ability to modify a database that loggedthe bank's activity over the SWIFT network, Nish said.
Once it had established a foothold, the malware could deleterecords of outgoing transfer requests altogether from thedatabase and also intercept incoming messages confirmingtransfers ordered by the hackers, Nish said.
It was able to then manipulate account balances on logs toprevent the heist from being discovered until after the fundshad been laundered.
It also manipulated a printer that produced hard copies oftransfer requests so that the bank would not identify the attackthrough those printouts, he said.
(Reporting by Jim Finkle in Boston. Additional reporting bySerajul Quadir in Dhaka.; Editing by Jonathan Weber and MartinHowell)