Bangladesh’s central bank governor Atiur Rahman resigned this week (March 16) after one of the biggest cyber heists in history was inflicted upon his bank.
Unidentified hackers used Swift, the financial messaging system, to steal US$81mn from Bangladesh’s account at the Federal Reserve Bank of New York. The money is thought to have been transferred to accounts in Sri Lanka and the Philippines.
Rahman only learned of the theft through Filipino news reports. In offering his resignation, he said: “Such cyberattacks are happening across the world”, according to news accounts from Bangladesh. “We are new in facing such attacks. We lack experience.”
However, it now appears that the bank got off lightly. The thieves tried to move another US$850mn out of the account but an alert was triggered by Deutsche Bank, a routing bank, when they misspelled the word “foundation” as “fandation”.
GTR spoke to cyber security experts Dr Duncan Wong and Scottie Tse of the Hong Kong Applied Science and Technology Research Institute (Astri) to discuss how this attack came about and how vulnerable banks in trade are to similar attacks.
GTR: How do you think this was allowed to happen?
There were probably some computers inside the bank compromised by malware. Because of that infection, the hackers can learn how to do fund transfers from compromised computers in the central bank. They’ve been learning not just the credentials but the process.
It’s a series of procedures in addition to the passwords and security measures, through the malware. It could be spying software or Trojan horses. We are pretty certain that after getting the credentials and learning the procedures, they can go through the fund transfer procedures themselves through the compromised computers during office hours, remotely through the Federal Reserve Bank in New York. They don’t have to hack any external bank. They can operate multiple transfers.
With anti-money laundering (AML) software, usually they beat this by making small transfers but making lots of them. By doing this they’re not triggering an alert from the AML. It seems like it would have been done over a period of time. We’re not sure yet, but it wouldn’t be just one day as that would also set the trigger. We think it was carried out for a long time – perhaps over a couple of weeks.
The second step is that they need a lot of fraudulent accounts in the Philippines and Sri Lanka to send the money to. Because they were able to create those accounts, it could mean that there are also security issues there. They opened a bunch of accounts and transferred money out of the Fed into these fraudulent accounts. Then they can physically withdraw the money.
In order to be detected, the authorities needed to know about the criminal activity, which would allow them to freeze the accounts.
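The evasion pattern the experts describe above, many transfers each kept below a per-transaction alert limit and spread over days, is invisible to a rule that looks at one transfer at a time, but it shows up once transfers are aggregated per destination over a rolling window. The Python below is an added illustration of that contrast, not code from GTR or Astri; the thresholds, the 14-day window and the transfer log are constructed for the example and do not describe Bangladesh Bank’s or the Fed’s actual controls.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical rule parameters chosen for this example; real AML thresholds vary by institution.
SINGLE_TXN_THRESHOLD = 10_000.0   # a naive per-transfer rule alerts only above this amount
AGGREGATE_THRESHOLD = 50_000.0    # rolling total to one destination that we treat as suspicious
WINDOW = timedelta(days=14)       # length of the rolling window

# Constructed sample transfer log (ISO timestamp, destination account, amount in USD). Not real data.
SAMPLE_TRANSFERS = [
    ("2016-02-01T09:12:00", "ACCT-A", 9_500.0),
    ("2016-02-02T10:05:00", "ACCT-A", 9_800.0),
    ("2016-02-03T11:40:00", "ACCT-B", 9_000.0),
    ("2016-02-04T09:30:00", "ACCT-A", 9_700.0),
    ("2016-02-05T14:15:00", "ACCT-C", 12_000.0),
    ("2016-02-06T09:00:00", "ACCT-A", 9_900.0),
    ("2016-02-08T16:20:00", "ACCT-A", 9_600.0),
    ("2016-02-09T09:45:00", "ACCT-B", 9_000.0),
    ("2016-02-10T10:10:00", "ACCT-A", 9_400.0),
]


def naive_alerts(transfers, single_threshold=SINGLE_TXN_THRESHOLD):
    """Per-transfer rule: alert only when a single transfer exceeds the threshold.

    Returns the (timestamp, destination, amount) rows that would alert.
    """
    return [row for row in transfers if row[2] > single_threshold]


def structuring_alerts(transfers, single_threshold=SINGLE_TXN_THRESHOLD,
                       aggregate_threshold=AGGREGATE_THRESHOLD, window=WINDOW):
    """Rolling-window rule: flag a destination when sub-threshold transfers to it
    add up to more than aggregate_threshold within any window of length `window`.

    Only transfers at or below single_threshold are counted, since larger ones are
    already caught by the per-transfer rule. Returns {destination: details}.
    """
    by_dest = defaultdict(list)
    for ts, dest, amount in transfers:
        if amount <= single_threshold:
            by_dest[dest].append((datetime.fromisoformat(ts), amount))

    alerts = {}
    for dest, rows in by_dest.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the window start past rows older than `window` relative to rows[end]
            while rows[end][0] - rows[start][0] > window:
                start += 1
            total = sum(amount for _, amount in rows[start:end + 1])
            if total > aggregate_threshold:
                prev = alerts.get(dest)
                # Keep the highest-total window seen for this destination
                if prev is None or total > prev["total"]:
                    alerts[dest] = {
                        "count": end - start + 1,
                        "total": total,
                        "first": rows[start][0].isoformat(),
                        "last": rows[end][0].isoformat(),
                    }
    return alerts


if __name__ == "__main__":
    for ts, dest, amount in naive_alerts(SAMPLE_TRANSFERS):
        print(f"per-transfer alert: {ts} {dest} {amount:,.2f}")
    for dest, info in structuring_alerts(SAMPLE_TRANSFERS).items():
        print(f"structuring alert: {dest} received {info['count']} sub-threshold transfers "
              f"totalling {info['total']:,.2f} between {info['first']} and {info['last']}")
```

On the sample log the per-transfer rule fires only on the single 12,000 payment to ACCT-C, while ACCT-A, which receives six payments all under 10,000 inside nine days, is flagged only by the rolling aggregate. The same aggregation can be keyed on originator, beneficiary bank or country instead of destination account, which is the shape of check that would have had to run on the ordering side before the instructions left the bank.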
GTR: How likely is this to happen in a city with advanced financial security, such as Hong Kong?
Based on our knowledge, they would not be able to replicate it in Hong Kong. The criminals need to persuade the banks to use malware, or launch a phishing attack. After that, the attacker has to monitor and learn the practices. In Hong Kong it’s not a very high risk; they have a lot of security measures.
But even if these security measures are in place, it only makes sense if people carry out policy and if staff follow it diligently. We’re not sure how diligent they were in Bangladesh.
GTR: Can the central bank get the money back?
Some of it has already been recovered. But in order to get the money back it has to be still in the fraudulent account. They’ve already been frozen, but if it’s been withdrawn then it would be very difficult.
GTR: Could this kind of thing happen in a commercial trade finance bank?
There are two things to remember: the security system may be in place, but everybody has to follow procedure and it must be monitored. If not, then this could happen to any bank in the world. It’s not just limited to central banks.
We need an industry-wide effort. We’re already working with the Hong Kong Police and the banks here in setting up a cyber-intelligence sharing system. We hope in the near future to be able to share intelligence cross-border, with Mainland China or Singapore, for example. Everywhere is doing something, but we need to be sharing internationally.
GTR: How do you get the intelligence?
If we can see that the PC was infected by malware, if phishing is already targeting Bangladeshi banks, then there’s an alarm bell.
A lot of this information is shared on the Dark Web and collaborated on and stored in silos. There should be more cyber intelligence sharing cross-border to stop this kind of thing. We can lift information from the Dark Web and share this with banks and governments.
On the Dark Web hackers may publish a new version of malware, or post a query on a bank’s credentials. They may trade credentials on the Dark Web, or ask for customer information. Searches on the Dark Web can be the starting point for attackers. It can be flagged up and reported to the targeted companies or banks.