The Kyiv branch of ISACA, the Information Systems Audit and Control Association, reported this week that the theft had occurred via the SWIFT international banking system, the organization responsible for managing money transfers between financial institutions worldwide.
ISACA announced the theft after members of its Kyiv chapter were hired through consulting organizations to investigate a hack at a Ukrainian bank. It did not name which bank had hired it to conduct the investigation.
“At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars,” ISACA said in a release.
The organization said that such hacks usually take months to complete. After breaking into a financial institution’s internal networks, hackers will take time to study the bank’s internal processes and controls. Then, using the knowledge and access they have gathered, the hackers will begin to submit fraudulent money orders to webs of offshore companies, allowing them to siphon off millions of dollars.
ISACA said that the hackers likely used publicly available information and tools to commit the theft. The organization also added that the same hack had likely spread to other banks in the Ukrainian financial system.
“Banks now are not sharing such information at all and are afraid of publicity,” said Aleksey Yankovsky, head of ISACA’s Kyiv division.
The announcement follows months of controversy surrounding the security of SWIFT. In February, hackers managed to steal more than $100 million from the Bangladesh Central Bank’s account in the New York Federal Reserve through an attack made via the SWIFT network. That incident led to calls for renewed attention to the system’s safety, as well as criminal investigations by Bangladesh, the Philippines, and the United States.
Ukraine’s banking sector has also come under repeated criticism for a failure to implement Western-style security standards, as well as for a slew of other allegedly bad practices.
Correction: This article was updated to clarify that individual members of ISACA’s Kyiv chapter performed the investigation, not the organization directly.