Hackers who broke into Bank of Valletta’s IT systems last month may have tried to leave a ‘back door’ through which to regain access, though this was noticed and blocked, the Times of Malta is informed.
Sources close to the investigation into last month’s cyberattack said that in the days after the breach, files were found hidden in the bank’s systems, possibly intended to allow the hackers to regain access at a later stage.
The hackers took €13 million from the bank on February 13 and crippled its operations for long hours.
Investigations are being carried out by the police, the financial services watchdog, the State IT authority and foreign counterparts to try to trace the missing cash and fish out any flaws in banking security systems.
The hackers are being dubbed EmpireMonkey by investigators due to the use of a hacking tool known as PowerShell Empire, which allowed the group to move around in the bank’s systems after having gained access.
The sources said that one potential suspect was the international hacking organisation known as Cobalt Gang, which wreaked havoc on the international banking sector. It is believed to have stolen as much as €1 billion from banks in as many as 40 countries in recent years.
The suspect group, the sources continued, had been known to infiltrate international banks’ ATM systems, card-processing networks and the international interbank payment messaging programme SWIFT before executing attacks.
New guidelines on security being drawn up
A review of the bank breach has already indicated that the hackers could have been attempting to infiltrate it as far back as October 2018. The sources said similar ‘phishing’ – a method used to break into a computer system via electronic communication – had first been detected locally some four months ago.
This had the same digital fingerprint as the hacking group believed to have carried out last month’s heist.
The hacking group was also believed to have targeted another Maltese bank; however, their attempts appeared to have been unsuccessful, the sources noted.
The sources were quick to point out that banks regularly received such threats and attempts to infiltrate their systems were commonplace.
Times of Malta has reported that the hackers were believed to have broken into the Autorité des Marchés Financiers, which regulates the stock exchange in France, last year.
They then sent out e-mails to Maltese and French entities posing as the regulator and using an e-mail that included official letterheads and a decoy document which, when clicked on, gave the hackers access to the bank’s systems. The hackers then sought to move hefty sums to international banks in the UK, the US, the Czech Republic and Hong Kong.
The sources added the authorities had identified the BOV computers where the malicious e-mails were received and which inadvertently gave the hackers the keys to the vault.
It is not yet clear how long the hackers had access to the bank’s systems before the robbery was carried out.
Meanwhile, sources close to the financial regulator said new guidelines on banking security were being drawn up in the wake of the cyberattack.
“These sorts of attacks can happen, but we are concerned that security might be lacking in some of the island’s banking network. For this reason, we are reviewing standards and best practices,” the sources pointed out.
Times of Malta reported last week that BOV was closing a number of accounts over the past weeks, mostly in US dollar denominations, citing “client relationship reviews”.
As the island is facing increasing pressure on its reputational risk, particularly due to claims of lax monitoring against money-laundering and proceeds from organised crime, BOV informed some of its clients it would be closing down their accounts.
Clients, mostly international businesses and wealthy individuals, have been told that while the bank will continue to provide banking services in other currencies, it would close their dollar accounts with immediate effect.