On February 4, 2016, perpetrators attempted to steal nearly $1 billion from the Bangladesh central bank’s account with the Federal Reserve Bank of New York. The perpetrators managed to compromise Bangladesh Bank’s system, observe how transfers are done, and gain access to the bank’s credentials for payment transfers, which they used to send about three dozen big-money transfer messages over Swift to the Federal Reserve Bank while Bangladesh Bank’s offices were closed. These messages requested transfers of $20 million to Sri Lanka, $81 million to the Philippines and a further $850 million to 30 other destinations. It was clear that the perpetrators, attributed to North Korea, wanted to launder the nearly $1 billion as casino gambling proceeds.
Where are the funds now?
The $81 million that entered the Philippine banking system was credited to beneficiary accounts with Rizal Commercial Banking Corporation and eventually withdrawn. The Philippine anti-money laundering agency found that Rizal’s branch manager Maia Deguito allowed the opening of at least four fictitious accounts that received the $81 million, and allowed the sum to be withdrawn on February 5 and February 9 despite requests from the Bangladesh central bank to halt the transactions. Maia Deguito was found guilty by a court and was ordered to pay $109 million in penalties.
The $20 million transfer to Sri Lanka was intended by the perpetrators to go to the Shalika Foundation, a Sri Lanka-based non-profit organization. Pan Asia Bank, based in Sri Lanka, initially took notice of the transaction and deemed it too big for a country like Sri Lanka. Pan Asia Bank thus rerouted the transaction to Deutsche Bank. The perpetrators, however, had misspelled “foundation” in their transfer request, spelling the word as “fandation”. Since no “Shalika Fandation” appeared in the list of registered Sri Lankan non-profit organizations, the spelling error aroused suspicion at Deutsche Bank. After seeking clarification from Bangladesh Bank, Deutsche Bank halted the transaction in question. The $20 million has since been recovered by Bangladesh Bank.
Regarding the other 30 transactions, it was a printer error that tipped off Bangladesh’s central bank. Zubair Bin Huda, a joint director of Bangladesh Bank, found the printer tray empty when he looked on the morning of February 5 for confirmations of Swift financial transactions, which are normally printed automatically overnight. He then tried and failed to print out the messages manually from the Swift system, the first step needed to start an official investigation. “We thought it was a common problem just like any other day,” Huda said in his complaint to the police. Because it was a Friday – a weekend in Muslim-majority Bangladesh – Huda left the office around noon and asked colleagues to help fix the problem. It took them more than 24 hours before they could manually print the receipts, which revealed dozens of questionable transactions that had been sent by the central bank via Swift. The bank subsequently requested the Federal Reserve Bank to block those transactions. These transactions, amounting to $850 million, were successfully stopped before they were executed.
Note that Bangladesh is, according to the International Monetary Fund, 139th of 185 nations in terms of per capita economic output. Even though Bangladesh has a bigger population than Russia, its international reserves are $27 billion, of which $1 billion was the target of this hack.
What went wrong?
Initially, Bangladesh Bank was uncertain whether its system had been compromised. The governor of the central bank engaged World Informatix Cyber Security to lead the security incident response, vulnerability assessment and remediation. World Informatix Cyber Security brought in the leading forensic investigation company FireEye Mandiant for the investigation. These cyber security experts found the hackers’ “footprints” and malware, which showed that the system had indeed been breached. The investigators also said that the hackers were based outside Bangladesh. The forensic investigation found that malware had been installed within the bank’s system sometime in January 2016, and that it gathered information on the bank’s operational procedures for international payments and fund transfers.
The hackers gained access to Bangladesh Bank’s local network, which wasn’t too hard since the bank was using secondhand $10 switches. They found that the Swift Alliance Access systems were on that same network, not separated from it by any kind of firewall. They then ran a program designed to cheat the Swift Alliance software, which interacts with the Oracle-built database in which transaction data is stored. The malware searched Swift messages to extract addresses and transfer references. As the hackers generated and sent money transfer messages based on that data, they also manipulated Swift Alliance Access to approve these transactions, so they looked as if they had been properly checked by the system. This way, the Swift messages looked perfectly legitimate at the Federal Reserve Bank. The hackers also knew that all Swift messages are automatically sent to be printed, and they used a bit of malware to cheat the printers so they only spewed out evidence of genuine transactions and not theirs.
The tool was custom made for this job, and shows a significant level of knowledge of the Swift Alliance software as well as good malware coding skills. Apparently, they knew Bangladesh Bank pretty well, too: the printer-cheating software was specifically written for the particular model of HP printer used at the bank. They also must have been knowledgeable about international banking regulations and loopholes in countries’ financial systems, such as the one that allowed them to launder the loot as gambling proceeds in the Philippines. And they may have subverted a number of bank employees, whether through whaling, bribery and/or blackmail.
In September 2018, the U.S. charged a North Korean computer programmer with hacking the Bangladesh Bank. The same programmer has also been charged in connection with the WannaCry 2.0 virus and the 2014 Sony Pictures attack.
The U.S. Cybersecurity and Infrastructure Security Agency further attributed the hack to BeagleBoyz (see their report), an element of North Korea’s Reconnaissance General Bureau dedicated to robbing banks through the internet. BeagleBoyz is also held responsible for the FASTCash ATM cash-outs in October 2018 and numerous lucrative cryptocurrency thefts. The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, APT38, Bluenoroff, and Stardust Chollima. As opposed to typical cybercrime, the BeagleBoyz conduct well-planned, disciplined, and methodical cyber operations. Their malicious cyber operations have netted several hundred million dollars and are a major source of funding for the North Korean regime.
Note that Bangladesh is the 20th most cyber-attacked country, according to a real-time cyber threat map developed by Kaspersky Lab.
Lessons Learned
Since then, Swift advised banks using Swift Alliance Access system to strengthen their cyber security posture and ensure they are following Swift security guidelines. But what should be done in general?
The FBI reported they found evidence pointing to bank employees acting as accomplices. It is known that the BeagleBoyz use a variety of techniques, such as spearphishing and watering holes, to gain initial access and to conduct reconnaissance. There was a general lack of dual control for large transactions at Bangladesh Bank and some of the aforementioned banks, and social engineering exploits exactly that type of vulnerability.
From a cybersecurity point of view, however, there is still a belief in infrastructure-level security, and that PCs, printers and servers inside the bank can always be trusted. You must not only implement dual control for entering banking transactions; you also must enforce dual control and two-factor authentication for installing software, for installing patches, for configuring systems and for connecting systems to bank applications. Weak access control over IT configurations and installations is by far the #1 vulnerability that opens the way for hackers.
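As an added illustration of the rule just stated (not code from the original article or from any bank’s control system), the policy gate below applies the same four-eyes check to two kinds of request: releasing a payment above a threshold, and a privileged configuration change. Every approver session must have completed a second factor, the initiator cannot approve their own request, the same person cannot approve twice, and configuration changes need an approver with an administrative role. The roles, the threshold and the session model are assumptions made for the example.

```python
"""Dual-control (four-eyes) gate for payment release and privileged changes.

Added illustration. Roles, threshold and the Session/Request shapes are
assumptions for this example, not any bank's or vendor's policy engine.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    user: str
    role: str            # assumed roles: "maker", "checker", "admin"
    mfa_verified: bool   # True once a second factor was completed for this session


@dataclass
class Request:
    kind: str            # "payment" or "config_change"
    initiator: Session
    amount: float = 0.0  # only meaningful for payments
    approvals: list = field(default_factory=list)


DUAL_CONTROL_PAYMENT_THRESHOLD = 1_000_000.00   # assumed, constructed


def requires_dual_control(req):
    """Every privileged change, and every payment at or above the threshold,
    needs a second distinct person."""
    if req.kind == "config_change":
        return True
    return req.amount >= DUAL_CONTROL_PAYMENT_THRESHOLD


def approve(req, session):
    """Record an approval, or raise PermissionError on any policy violation."""
    if not session.mfa_verified:
        raise PermissionError("approver session lacks second factor")
    if session.user == req.initiator.user:
        raise PermissionError("initiator cannot approve own request")
    if any(a.user == session.user for a in req.approvals):
        raise PermissionError("duplicate approval by same user")
    if req.kind == "config_change" and session.role != "admin":
        raise PermissionError("config changes need an admin approver")
    req.approvals.append(session)


def approval_rejected(req, session):
    """True if the policy refuses this approval (used to show negative paths)."""
    try:
        approve(req, session)
    except PermissionError:
        return True
    return False


def can_execute(req):
    """True only when the initiator used a second factor and, where dual
    control applies, at least one distinct approver has signed off."""
    if not req.initiator.mfa_verified:
        return False
    if not requires_dual_control(req):
        return True
    return len(req.approvals) >= 1   # initiator + one other person = two people


if __name__ == "__main__":
    maker = Session("alice", "maker", True)
    checker = Session("bob", "checker", True)
    big = Request("payment", maker, 81_000_000.00)
    print("release before approval:", can_execute(big))
    approve(big, checker)
    print("release after approval:", can_execute(big))
    change = Request("config_change", Session("dave", "admin", True))
    print("non-admin approval rejected:", approval_rejected(change, checker))
```

Note that the configuration path is deliberately stricter than the payment path: there is no amount below which a software install, patch or connection change is exempt, which is the point the paragraph above makes.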