by Lady Michelle Jennifer Santos
27 April 2016 (TSR) – One of the largest and best-planned cyber bank heists to date has been committed and subsequently disclosed. An unknown attacker gained access to the Bangladesh Central Bank's (BB) SWIFT payment system and sent instructions to the Federal Reserve Bank of New York, where BB holds an account, to transfer nearly a billion US dollars from that account to accounts in the Philippines, from where the money was diverted to casinos. Most of the funds that left the account remain missing.
The attackers attempted to steal $951m; $81m was actually transferred and is still unaccounted for.
Bangladeshi police investigators told Reuters that the bank had no firewalls and was using second-hand $10 switches on its network. Such switches do not allow the general office LAN to be segmented or otherwise isolated from the SWIFT systems. The lack of network security infrastructure has also hindered the investigation: it is still not known how the hackers penetrated the network, but it appears the bank did not make it difficult for them.
Many pieces of the puzzle are still missing though: how the attackers sent the fraudulent transfers; how the malware was implanted; and crucially, who was behind this.
This attacker put significant effort into deleting evidence of their activities, subverting normal business processes to remain undetected and hampering the response from the victim.
The technical details of the attack, which took place in February 2016, have yet to be made public. However, BAE Systems has recently identified tools uploaded to online malware repositories that, according to its analysis, it believes are linked to the heist.
The bespoke malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure.
This custom malware was written for attacking a specific victim infrastructure, but the general tools, techniques and procedures used in the attack may allow the gang to strike again.
The malware appears to be just one part of a wider attack toolkit, and would have been used to cover the attackers' tracks as they sent forged payment instructions to make the transfers. This would have hampered detection of and response to the attack, giving more time for the subsequent money laundering to take place, BAE Systems analysts said.
BAE Systems believes all the files were created by the same actor(s), but the main focus of its report is the sample with hash 525a8e3ae4e3df8c9c61f2a49e38541d196e9228, as this is the component that contains the logic for interacting with the SWIFT software.
The malware registers itself as a service and operates within an environment running SWIFT’s Alliance software suite, powered by an Oracle Database.
The tools are highly configurable and given the correct access could feasibly be used for similar attacks in the future, the report added.
The main purpose of the malware is to inspect SWIFT messages for strings defined in the configuration file. From these messages, the malware can extract fields such as transfer references and SWIFT addresses to interact with the system database. These details are then used to delete specific transactions, or update transaction amounts appearing in balance reporting messages based on the amount of Convertible Currency available in specific accounts.
This functionality runs in a loop until 6am on 6th February 2016. This is significant given that the transfers are believed to have occurred in the two days prior to this date. The tool was custom-made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software as well as good malware coding skills.
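The behaviour described above, deleting statement lines and adjusting the amounts in balance reporting messages such as the MT950 statement, is exactly what an out-of-band reconciliation is meant to catch. The following is an added example, not code from the BAE Systems report or from the malware: it parses the :61: statement lines and the :60F:/:62F: balances of two constructed MT950 statements, one as received from the correspondent and one as the local back office displays it, and reports deleted lines, altered amounts and a changed closing balance. The message contents, references, account names and the tampered copy are all made up for the example; only the field layouts follow the MT950 standard.

```python
import re
from decimal import Decimal

# Constructed sample: an MT950 statement as it arrived from the correspondent
# (captured at the SWIFT interface or obtained from the correspondent out of band).
RECEIVED_MT950 = """\
:20:STMT160205001
:25:NOSTRO-USD-0001
:28C:36/1
:60F:C160204USD150000000,00
:61:160204C250000,00NTRFINWARD0001//CORR0001
:61:160204D81000000,00NTRFPAYREF0002//CORR0002
:61:160204D20000000,00NTRFPAYREF0003//CORR0003
:62F:C160204USD49250000,00
"""

# Constructed sample: the same statement as shown by the local system after
# hypothetical tampering. PAYREF0002 has been deleted, PAYREF0003 has been
# reduced, and the closing balance rewritten so the copy still adds up.
DISPLAYED_MT950 = """\
:20:STMT160205001
:25:NOSTRO-USD-0001
:28C:36/1
:60F:C160204USD150000000,00
:61:160204C250000,00NTRFINWARD0001//CORR0001
:61:160204D2000000,00NTRFPAYREF0003//CORR0003
:62F:C160204USD148250000,00
"""

FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")
# :61: statement line: value date, optional entry date, D/C mark (optionally
# prefixed R for reversal), amount with comma decimal, 4-char transaction type,
# account-owner reference and optional //account-servicer reference.
LINE61_RE = re.compile(
    r"^(?P<value>\d{6})(?P<entry>\d{4})?(?P<dc>R?[CD])(?P<amount>\d+,\d*)"
    r"(?P<type>[A-Z][A-Z0-9]{3})(?P<ref>[^/]+)(?://(?P<servref>.*))?$"
)
# :60F:/:62F: opening and closing balance: D/C mark, date, currency, amount.
BAL_RE = re.compile(r"^(?P<dc>[CD])(?P<date>\d{6})(?P<ccy>[A-Z]{3})(?P<amount>\d+,\d*)$")


def mt_amount(text):
    """Convert a SWIFT amount ('81000000,00') to a Decimal."""
    return Decimal(text.replace(",", "."))


def signed(dc, amount):
    """Credits and reversed debits add to the balance; debits and reversed credits subtract."""
    return amount if dc in ("C", "RD") else -amount


def parse_fields(text):
    """Split an MT message body into (tag, value) pairs; continuation lines join the previous field."""
    fields = []
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.append((m.group(1), m.group(2)))
        elif fields:
            tag, val = fields[-1]
            fields[-1] = (tag, val + "\n" + line)
    return fields


def statement_lines(fields):
    """Return {account-owner reference: (dc, amount)} for every :61: line."""
    lines = {}
    for tag, val in fields:
        if tag != "61":
            continue
        m = LINE61_RE.match(val.splitlines()[0])
        if not m:
            raise ValueError("unparseable :61: line: " + val)
        lines[m.group("ref")] = (m.group("dc"), mt_amount(m.group("amount")))
    return lines


def balance(fields, tag):
    """Signed amount of the :60F: or :62F: field."""
    for t, v in fields:
        if t == tag:
            m = BAL_RE.match(v)
            return signed(m.group("dc"), mt_amount(m.group("amount")))
    raise ValueError("missing :%s:" % tag)


def closing_balance_consistent(text):
    """Arithmetic self-check only: opening balance plus all :61: lines equals :62F:."""
    fields = parse_fields(text)
    total = balance(fields, "60F") + sum(signed(dc, a) for dc, a in statement_lines(fields).values())
    return total == balance(fields, "62F")


def reconcile(received, displayed):
    """Compare the received statement with the displayed copy; return (kind, ref, received, displayed) findings."""
    fa, fb = parse_fields(received), parse_fields(displayed)
    a, b = statement_lines(fa), statement_lines(fb)
    findings = []
    for ref, (dc, amt) in a.items():
        if ref not in b:
            findings.append(("missing", ref, amt, None))
        elif b[ref] != (dc, amt):
            findings.append(("amount", ref, amt, b[ref][1]))
    for ref in b.keys() - a.keys():
        findings.append(("extra", ref, None, b[ref][1]))
    ra, rb = balance(fa, "62F"), balance(fb, "62F")
    if ra != rb:
        findings.append(("closing", "62F", ra, rb))
    return findings


if __name__ == "__main__":
    for kind, ref, got, shown in reconcile(RECEIVED_MT950, DISPLAYED_MT950):
        print(kind, ref, "received=%s displayed=%s" % (got, shown))
```

The point of the self-check is negative: a copy that has been edited to stay internally consistent passes `closing_balance_consistent`, so balance arithmetic on the local copy alone proves nothing. Only a comparison against a copy the compromised host never touched, such as a confirmation pulled from the correspondent by another channel, surfaces the deleted line and the reduced amount.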
Getting the money out is also difficult. It is being laundered through the Philippines, and that laundering is currently being investigated by the Philippine Senate. The $81 million that was successfully stolen was sent to accounts at the Rizal Commercial Banking Corp (RCBC) in the Philippines held by two Chinese nationals who organise gambling junkets in Macau and the Philippines. The money was moved to several Philippine casinos and then on to international bank accounts. Philippine casinos are exempt from the anti-money laundering law that requires financial institutions to report suspicious transactions, which makes them an attractive conduit for this kind of crime.
The Treasurer of RCBC has resigned, and the manager of one of its branches is facing criminal charges after she withdrew $427,000 from an account linked to the theft. The Governor of the Bangladesh Bank, Atiur Rahman, also resigned in March over the heist.
SWIFT, the global financial network that banks use to transfer billions of dollars every day, warned its customers on Monday that it was aware of “a number of recent cyber incidents” where attackers had sent fraudulent messages over its system.
SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a cooperative owned by 3,000 financial institutions and operates a network for sending financial transactions between financial institutions. Institutions using the network must have existing banking relationships; SWIFT transactions do not actually send money but instead send payment orders that must then be settled by having the institutions involved moving money between accounts.
SWIFT's security rests on two things. It is a private network, and each member bank configures its own interface so that only particular transaction types with particular counterparties are permitted. The private network means it should be hard for someone outside a bank to attack it, but once an attacker is inside a bank, as was the case here, that protection evaporates: the Bangladesh central bank has all the necessary SWIFT software and authorised access to the SWIFT network, so any code running inside the bank's network has the same software and the same access.
If an organization can’t keep its endpoint secure, it leaves itself very vulnerable to being electronically robbed.
Monday’s statement from SWIFT marked the first acknowledgement that the Bangladesh Bank attack was not an isolated incident but one of several recent criminal schemes that aimed to take advantage of the global messaging platform used by some 11,000 financial institutions, Reuters reported.
BAE Systems has strongly advised that all financial institutions running SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed.
The wider lesson learned here may be that criminals are conducting more and more sophisticated attacks against victim organisations, particularly in the area of network intrusions (which has traditionally been the domain of the ‘APT’ actor). As the threat evolves, businesses and other network owners need to ensure they are prepared to keep up with the evolving challenge of securing critical systems, BAE Systems said.
SWIFT has also issued a security update for its Alliance Access software and told customers that it must be installed by May 12.