Weekly Threat Report 13th October 2017

Created:  13 Oct 2017
Updated:  13 Oct 2017
We would like your feedback on the Weekly Threat Report. Please send us your thoughts, suggestions and queries using our 'Contact Us' page.
This report is drawn from recent open source reporting.

Cyber-enabled theft from Taiwanese bank

On 5th October 2017 Taiwan’s Far Eastern International Bank (FEIB) reported that it had fallen victim to a cyber-enabled theft. It is not yet known how much the attackers attempted to steal, but open source reporting suggests the figure could be as high as 60 million USD. FEIB states that, owing to errors by the criminals in their SWIFT[1] messaging configuration and efforts to recover the stolen money, estimated losses are less than 500,000 USD.

FEIB’s network was reportedly affected by an unknown strain of malware that passed undetected by the bank’s antivirus software. This initially slowed down the system, potentially as a distraction for the security team. Early indicators suggest the initial malware delivery mechanism was a spear-phishing email, although this is yet to be confirmed.

It is currently too early to draw conclusions as to who was responsible. However, two individuals have been arrested in Colombo, Sri Lanka, whilst withdrawing money from beneficiary accounts.

At this stage, there is no information to suggest the SWIFT network itself has been compromised. The incident does, however, demonstrate that competent actors will attempt to exploit security weaknesses at a member institution in order to circumvent the controls of the central network. It is possible other actors will be inspired to attempt similar high-yield attacks.

[1] The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a secure messaging system that enables financial institutions worldwide to send and receive information about financial transactions.

Mergers and Acquisitions – Don’t forget cyber security due diligence!

Rigzone is one of the oil and gas industry’s main recruitment and networking websites. It was founded in the US in 2000 by David W Kent, who sold the site ten years later for $51 million.

Mr Kent went on to found Oilpro which served a very similar purpose and clientele to Rigzone. Kent used backdoors he had inserted before he sold Rigzone to gain access to company data at a later date. Between 2013 and 2016, Kent scraped 700,000 customer accounts which were used to increase membership on the Oilpro website. Having built Oilpro with members stolen from Rigzone, Kent then approached the owners of Rigzone to purchase Oilpro, asking them, in effect, to purchase their own data.

Following suspicions, the owners of Rigzone deployed a honeypot on their system which allowed them to identify suspicious activity and build evidence against Mr Kent. Mr Kent was subsequently arrested, convicted and sentenced to over a year in prison for intentionally accessing a computer without authorisation. The Oilpro website was taken offline in August 2017. The case is a reminder to companies involved with mergers or acquisitions to undertake cyber security due diligence to ensure they understand the key security considerations required to protect their investment.

Equifax Update

Equifax have now confirmed that the personal data of up to 15.2 million UK customers was stolen during the data breach it experienced in May 2017.

Most of these compromised records may contain the name and date of birth of UK consumers, but Equifax have stated that they will contact by post the 693,665 customers whose sensitive data was exposed.

More information and advice for UK Equifax customers affected by the data breach can be found here.


The Cyber Security Information Sharing Partnership (CiSP) is a great way of learning more about threat information as well as engaging with industry and government counterparts. Follow the link below for more information.

Join CiSP
