{ "type": "bundle", "id": "bundle--e33dc924-9a94-4277-ad81-4c6a091aead8", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "objects": [ { "type": "extension-definition", "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", "spec_version": "2.1", "created": "2022-08-02T19:34:35.143Z", "modified": "2022-08-02T19:34:35.143Z", "name": "Attack Flow", "description": "Extends STIX 2.1 with features to create Attack Flows.", "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", "version": "2.0.0", "extension_types": [ "new-sdo" ], "external_references": [ { "source_name": "Documentation", "description": "Documentation for Attack Flow", "url": "https://center-for-threat-informed-defense.github.io/attack-flow" }, { "source_name": "GitHub", "description": "Source code repository for Attack Flow", "url": "https://github.com/center-for-threat-informed-defense/attack-flow" } ] }, { "type": "identity", "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "spec_version": "2.1", "created": "2022-08-02T19:34:35.143Z", "modified": "2022-08-02T19:34:35.143Z", "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", "name": "MITRE Center for Threat-Informed Defense", "identity_class": "organization" }, { "type": "attack-flow", "id": "attack-flow--f3b47305-45b4-45ac-872b-6a947b55fc58", "spec_version": "2.1", "created": "2022-10-27T02:44:54.520Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "created_by_ref": "identity--eb7f2e23-9627-4b9b-ba35-a540267da6bf", "start_refs": [ "attack-action--d958677e-8790-4ad2-8b04-8d71489f7ac2", "attack-action--d6d5a619-e4ca-4e52-ac42-7b27c389d27d", "attack-action--a0340333-a246-48d0-b405-a6d09375e706" ], "name": "SWIFT Heist", "description": "A financial crime involving the SWIFT banking network.", "scope": "incident", "external_references": [ { "source_name": "Cyber UK", "description": "Article", "url": "https://cyber.uk/areas-of-cyber-security/nation-state-hackers-case-study-bangladesh-bank-heist/" }, { "source_name": "NYTimes", "description": "Article", "url": "https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html?mtrref=undefined&gwh=39B90281F7FE0DFD1876E89D17BFE7C5&gwt=pay&assetType=PAYWALL" }, { "source_name": "Wired", "description": "Article", "url": "https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/" }, { "source_name": "Reuters", "description": "Article", "url": "https://www.reuters.com/investigates/special-report/cyber-heist-federal" } ] }, { "type": "identity", "id": "identity--eb7f2e23-9627-4b9b-ba35-a540267da6bf", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "name": "Lauren Parker", "contact_information": "lparker@mitre.org" }, { "type": "threat-actor", "id": "threat-actor--8f62c6d8-e29a-4cdd-ac01-ea3781817af4", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "name": "Maia Santos-Deguito", "description": "Manager of Rizal Commercial Banking Corporation's (R.C.B.C.) Jupiter branch; opened accounts for Wong's associates - accounts used to receive money during attack ($81M); moved $81M into 5 different accounts", "threat_actor_types": [ "criminal" ], "roles": [ "agent" ], "resource_level": "team", "primary_motivation": "personal-gain" }, { "type": "threat-actor", "id": "threat-actor--5ca725de-6057-4c05-af7f-cf5ed0bb2b58", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "name": "Kam Sin (Kim) Wong", "description": "ran \"casino junkets\" in Manila and Northern Luzon; introduced Filipino associates to Jupiter branch", "threat_actor_types": [ "crime-syndicate" ], "roles": [ "director" ], "resource_level": "team", "primary_motivation": "personal-gain" }, { "type": "threat-actor", "id": "threat-actor--3aaf17e7-eec7-433f-8a48-d104c116d6a3", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "name": "Michael and Salud Bautista", "description": "Recived money from Santos-Deguito into their remittance firm (PhilRem); moved about $61M to Wong, Bautistas, and an associate of Wong; laundered money through different casinos", "threat_actor_types": [ "crime-syndicate" ], "roles": [ "agent" ], "resource_level": "team", "primary_motivation": "personal-gain" }, { "type": "attack-action", "id": "attack-action--d958677e-8790-4ad2-8b04-8d71489f7ac2", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Spearphishing Attachment", "description": "Suspected that phishing emails were sent to employees at Bangladesh Bank which dropped malware.", "effect_refs": [ "attack-operator--90340c1f-69b1-481a-82c5-fa9768e14049" ] }, { "type": "attack-action", "id": "attack-action--d6d5a619-e4ca-4e52-ac42-7b27c389d27d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Exploit Public-Facing Application", "tactic_id": "TA0001", "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca", "technique_id": "T1190", "technique_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", "description": "Suspected that attackers gained access by exploiting weakness in a new electronic payment system (real time gross settlement).", "effect_refs": [ "attack-operator--90340c1f-69b1-481a-82c5-fa9768e14049" ] }, { "type": "attack-operator", "id": "attack-operator--90340c1f-69b1-481a-82c5-fa9768e14049", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "operator": "OR", "effect_refs": [ "attack-condition--5d98ea86-4b21-4791-8328-cfe6c2906456" ] }, { "type": "attack-condition", "id": "attack-condition--5d98ea86-4b21-4791-8328-cfe6c2906456", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Users interacted with phishing emails" }, { "type": "attack-action", "id": "attack-action--8d1cbde9-c24f-4d33-b9a6-a8b48edcf7bb", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Valid Accounts", "tactic_id": "TA0001", "tactic_ref": "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca", "technique_id": "T1078", "technique_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "description": "Credentials stolen for SWIFT operator at Bangladesh Bank.", "effect_refs": [ "attack-action--dd27481f-2aee-41f3-b7f9-19dcc8212c16" ] }, { "type": "attack-action", "id": "attack-action--dd27481f-2aee-41f3-b7f9-19dcc8212c16", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Ingress Tool Transfer", "tactic_id": "TA0011", "tactic_ref": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813", "technique_id": "T1105", "technique_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "description": "Attackers installed 6 types of malware", "effect_refs": [ "attack-condition--69eb22f3-2858-48a0-97b9-b64231821ddb" ] }, { "type": "attack-condition", "id": "attack-condition--69eb22f3-2858-48a0-97b9-b64231821ddb", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Attackers tested malware (including monitoring software on the SWIFT software and deleted database files) and logged successfully into the system several times" }, { "type": "attack-action", "id": "attack-action--c2f53907-f6f2-492f-9cbc-077106ebbc69", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Fraudulent payment orders", "description": "Attackers sent fraudulent payment orders via SWIFT", "effect_refs": [ "attack-condition--7e2c470d-0772-4fe5-8090-ad013452c775" ] }, { "type": "attack-action", "id": "attack-action--3f76a094-718d-44bc-9383-218fda3620d7", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Send money to Philippines account", "description": "Attackers used fake accounts to receive and traffic stolen funds", "effect_refs": [ "attack-operator--e66b7512-df8f-4846-8ef3-1492dbf7f16e" ] }, { "type": "attack-condition", "id": "attack-condition--7e2c470d-0772-4fe5-8090-ad013452c775", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "description": "Attackers established international accounts to send the money to" }, { "type": "attack-action", "id": "attack-action--a0340333-a246-48d0-b405-a6d09375e706", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Accounts opened illegally", "description": "Philippines allowed attackers to open accounts using fake driving licenses", "effect_refs": [ "attack-action--3f76a094-718d-44bc-9383-218fda3620d7" ] }, { "type": "attack-action", "id": "attack-action--8d46d723-92b3-4abb-b80e-e8fc223d8509", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Send money to individual accounts", "description": "Attackers sent money to individual accounts, rather than institutions", "effect_refs": [ "attack-operator--e66b7512-df8f-4846-8ef3-1492dbf7f16e" ] }, { "type": "attack-operator", "id": "attack-operator--e66b7512-df8f-4846-8ef3-1492dbf7f16e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "operator": "AND", "effect_refs": [ "attack-action--61348e67-38c5-4042-8195-5717b1aa2d2b" ] }, { "type": "attack-action", "id": "attack-action--61348e67-38c5-4042-8195-5717b1aa2d2b", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "File Deletion", "description": "Attackers deleted files associated with SWIFT software to prevent employees from seeing the SWIFT messages", "effect_refs": [ "attack-action--90cbb515-964d-4e76-906e-10d25be6c73a" ] }, { "type": "attack-action", "id": "attack-action--90cbb515-964d-4e76-906e-10d25be6c73a", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Disable or Modify Tools", "description": "Attackers used malware to disable printer, which prevented SWIFT acknowledgement messages being printed out for manual review", "effect_refs": [ "attack-action--5a60a193-34ba-455e-99dc-1416ce16352e" ] }, { "type": "attack-action", "id": "attack-action--5a60a193-34ba-455e-99dc-1416ce16352e", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "extensions": { "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { "extension_type": "new-sdo" } }, "name": "Changing Bank Balances", "tactic_id": "TA0005", "tactic_ref": "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a", "description": "Attackers updated bank balances in the New York Fed account to remove evidence of money being debited" }, { "type": "note", "id": "note--000c7ed4-7142-4019-a601-e79bfe49fbef", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "abstract": "Financial theft", "content": "Attackers sent 34 orders over the next 4 hours, totaling nearly $1B", "object_refs": [ "attack-action--c2f53907-f6f2-492f-9cbc-077106ebbc69" ] }, { "type": "relationship", "id": "relationship--c8ff9fd9-0a31-47e2-9ec7-c4d867499c5c", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "relationship_type": "related-to", "source_ref": "attack-condition--5d98ea86-4b21-4791-8328-cfe6c2906456", "target_ref": "attack-action--8d1cbde9-c24f-4d33-b9a6-a8b48edcf7bb" }, { "type": "relationship", "id": "relationship--f7206caa-380b-4c43-9d14-4eeb0a52c9a6", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "relationship_type": "related-to", "source_ref": "attack-condition--69eb22f3-2858-48a0-97b9-b64231821ddb", "target_ref": "attack-action--c2f53907-f6f2-492f-9cbc-077106ebbc69" }, { "type": "relationship", "id": "relationship--272da5db-6b75-4ee7-afd4-a3759bb82987", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "relationship_type": "related-to", "source_ref": "attack-condition--7e2c470d-0772-4fe5-8090-ad013452c775", "target_ref": "attack-action--3f76a094-718d-44bc-9383-218fda3620d7" }, { "type": "relationship", "id": "relationship--121a53e0-19a6-401a-9b0e-0851cf42c91d", "spec_version": "2.1", "created": "2026-06-11T23:57:51.677Z", "modified": "2026-06-11T23:57:51.677Z", "relationship_type": "related-to", "source_ref": "attack-condition--7e2c470d-0772-4fe5-8090-ad013452c775", "target_ref": "attack-action--8d46d723-92b3-4abb-b80e-e8fc223d8509" } ] }