The Bangladesh Bank Heist
By - Nikhil Samuel Arthur and Ira Mahajan
On 4th February 2016, hackers infiltrated the cyber-systems of the Bank of Bangladesh, pulling off a sophisticated cyber-heist (F-Secure), and stealing 81 million USD. In an attack that lasted close to 5 days, the hackers instructed the Federal Reserve Bank of New York (“Fed Reserve”) to transfer close to a billion dollars out of the Bank of Bangladesh’s VOSTRO account to account in Sri Lanka and the Philippines. (Kehrli) This instance of infiltration of a bank’s digital eco-system is particularly interesting in light of (1) the consequent compromise of the Society for Worldwide Interbank Financial Tele-communications (“SWIFT”) network1; (2) the scale of the heist and (3) the exploitation of manual gaps caused through planning around bank holidays across countries. It is estimated that this resulted in close to 167,210,000USD being collectively stolen from banks around the world. The following essay analyses the motivations and circumstances of the heist, and studies missing technical and operational controls. It concludes with key insights on strengthening a cybersecurity framework that the attack sheds light on.
Figure 1: Overview of the Bangladesh Attack (Source: F-Secure.com)
The Heist On 4th February 2016, once the Bangladesh bank closed for the day, credentials that were stolen prior to this day were used to access the Bank’s SWIFT system. This led to targeting a specific module to execute database transactions sending 35 payment requests to the Fed Reserve, requesting transfers from the Bank’s accounts to fake accounts. This was done through a worm that tampered with genuine messages issued, changing the amount and recipient. Of these, 5 were cleared - 4 to the Rizal Commercial Banking Corporation (RCBC) in the Philippines and 1 to the Pan Asia Bank in Sri Lanka. (Hill) The hackers displayed technical mastery, using a custom work to hack the SWIFT bridge by the bank to capture these credentials. (Kehrli)
Of the 5 successful attempts, only the payment to the Sri Lankan bank account got flagged due to a spelling error in the account holder’s name. The request misspelled “Foundation” as “Fandation.”
The Fed Reserve also sent clarification requests for all 30 unsuccessful attempts. However, these messages were sent on the 5th of February, a Friday, which is a weekly holiday in Bangladesh, due to the religious beliefs of the Muslim majority in the country. The Bank of Bangladesh, therefore, was not staffed and therefore the messages were not seen.
The hackers gained access to the bank’s computers either through a phishing malware email sent to an employee or through an intentional compromising of the systems by an employee. (Hill) Once the malware was installed, it deployed the Microsoft software to record credentials and study the bank’s activities. (Aljazeera)
Figure 2: Timeline of the Attack [Source: (Kehrli)]
The Exit Strategy
The SWIFT systems of the Banks had been infected with malware that removed integrity checks, blocking all incoming messages from the Fed Reserve, and covering its tracks. To the employees in Bangladesh, where the confirmation and reconciliation processes are handled manually, it seemed mere as if the printer was not working and thus the payment orders were not being printed. This prevented further probing. (Tribune)
By the time someone attempted to fix the printer and recognized the error in the SWIFT system, considerable time had passed. The Bangladeshi bank attempted to email the Fed Reserve, however, as it was a Saturday in New York, their emails were not seen. This allowed the hackers to transfer money out of the RCBC accounts, and launder them at various casinos in the Philippines. (Tribune)
By Monday, all systems were up and running again in Bangladesh and New York, with over 100 messages being sent from Bangladesh to the Philippines to halt the transfers. However, owing to the Chinese New Year, the RCBC was closed. By the time the Philippines was working again, the money was gone and untraceable. (Aljazeera)
The Motivation Anonymity and the ability to carry out the attack from a remote location via the internet is an enormous motivator for such attacks. Once malware is installed into the target system, it covers its tracks, making it near impossible to find evidence of the virus. This reduced potential to be caught, and the high pay-out serve as strong motivators. Further, the SWIFT messaging system allows multiple banks and transfers to collaborate on a single transaction, taking place within seconds, and often irreversible. These quicker, non-reversible transactions further incentivize hackers. (Kitten) II. Weaknesses in the Digital Ecosphere
The following technical and operational controls were missing on the Bangladesh Bank end, thus resulting in a compromise of the system.
A. Technical Controls
The computer that conducts SWIFT transactions was accessible and not isolated from other devices on the network. This, coupled with the non-segmentation of the network, allowed the hackers to move from employee systems to the computer that was connected via SWIFT. (F-Secure)
The network lacked firewalls, thus leaving its endpoint to the SWIFT system vulnerable. (F-Secure)
There was also inadequate monitoring of the system: allowing the malware to get installed and then allow increasing access to the system to carry out the attack and cover it up. Access to privileged credentials was not secured or rotated. (CyberArk)
Multi-factor authentication was missing on most systems. (CyberArk)
B. Operational Controls
The timeline below highlights the continued delays in response owing to various bank holidays in Bangladesh, New York, and the Philippines. This was due to the communication between the banks not being escalated quickly and to the appropriate authorities. Had the banks had a stronger communications network, they could have notified each other in a timely manner without having to rely on emails and the SWIFT system alone.
Figure 3: Timeline of the Attack (Source: F-Secure.com)
2. The reliance on a printer on Bangladesh’s end to confirm and reconcile messages from the SWIFT software is extremely dangerous. This left open the possibility of delays between confirmation messages allowing suspicious transactions to go through, and allow for misrepresentation of system concerns with simple hardware problems.
3. Employees were not trained to not open unsolicited and suspicious emails. This provided an entry point for the phishing attack.
III. Takeaways & Conclusion
Various parallels can be drawn between this case, and the case of Target, in which credit card details of multiple consumers were stolen by cyber hackers and sold on the dark web. (Radichel) In this attack, the hackers studied the functioning of the company, whom they worked with, and the software put in place by the company for their running. All of this data was freely available in detail on a simple google search. Post this, the hackers learned that target interacted with many vendors which had access to the target's systems. The hackers deployed a malware email that was programmed to steal password credentials and sent it to a refrigeration vendor that targets interacted with. On gaining the credentials they accessed target systems and further broke into their network finally accessing data on the Point of Sale (POS) systems, accessing all the credit card and private data of their customers. (Radichel) We see that it only took a single unsecured system to allow hackers to gain access to large networks of sensitive data and controls. Further, both examples highlight the hackers' need for remote access to systems that allow admin privileges, or access to security software. In the Target example, it was the Vendor access, and in this case, it was the computer connecting the Bank and the software. The issues of inadequate monitoring and unsecured admin privileges also appear to be common themes that also need to be effectively addressed.
This heist is an example of the increasing sophistication of cyber-heists, and the corresponding need to enhance cybersecurity. The exploitation of the SWIFT software through vulnerable endpoints has occurred in multiple cyber heists. There needs to be a conscious effort to build security from the ground up, starting from the member institution's own cybersecurity policies and regulations.
Nikhil Samuel Arthur and Ira Mahajan are 5th year BA/BBA LLB students in JGLS.
Kehrli, Jerome. Deciphering the Bangladesh bank heist . 15 November 2017. Weblog Article .
Kitten, Tracy. Bangladesh Bank Heist: Lessons Learned . 25 April 2016. Online Article.
Hill, Julie Anderson. "SWIFT Bank Heists and Article 4A." Journal of Consumer & Commercial Law (2018): 25-30. Article.
Hacked: The Bangladesh Bank Heist . Dir. 101 East Aljazeera. 2018. Documentary News Video.
F-Secure. Threat Analysis. n.d. Online Article.
CyberArk. Threat Analysis: The Bangladesh Bank Heist. 23 March 2017. Youtube Video.
Radichel, Teri. 5 August 2014. SANS Information Reading Room. Document . 22 September 2020.
Tribune, Dhaka. Explainer: How hackers made off with millions from Bangladesh Bank's New York Fed account. 31 August 2016. Youtube Video .