In February 2016, hackers broke into Bangladesh’s central bank and stole $81 million from it. The ‘breaking in’ was not physical: they broke into the bank’s computer systems, which lacked proper security controls. The hackers used malware that let them operate the bank’s SWIFT software to transfer money and to hide their tracks afterwards.
SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication. It is a consortium that operates a trusted, closed computer network for communication between member banks around the world. The consortium, which dates back to the 1970s, is based in Belgium and is overseen by the National Bank of Belgium and a committee composed of representatives from the US Federal Reserve, the Bank of England, the European Central Bank, the Bank of Japan and other major banks. The SWIFT platform has some 11,000 users and processes about 25 million communications a day, most of them money transfer transactions. Financial institutions and brokerage houses that use SWIFT have codes that identify each institution, as well as credentials that authenticate and verify transactions. A SWIFT message carries its instructions through this standardised system of codes.
Now that we know what SWIFT messages are, let’s look at the sequence of events that led to this heist and discuss the lessons learned from it.
In January, weeks before the heist, the hackers obtained the computer credentials of a SWIFT operator at Bangladesh Bank by installing malware on the bank’s systems. They then did a series of test runs, logging into the system briefly several times between Jan 24 and Feb 2. One day they left monitoring software running on the bank’s SWIFT system; on another they deleted files from a database. All of this was to make sure they had the necessary control over the systems.
During the late evening of Feb 4, when most of the bank’s employees were off work, the hackers initiated 35 fraudulent payment orders via SWIFT, worth $951 million in total, to transfer funds out of Bangladesh Bank’s account with the Federal Reserve Bank of New York. Of these 35 requests, 30 worth $851 million were flagged for review by the Fed, while 5 were granted: $20 million to Sri Lanka and $81 million to the Philippines. The successful transactions were forwarded to the correspondent banks, to be transferred on to the destination bank accounts. The $20 million transfer to Sri Lanka raised suspicion at Deutsche Bank, one of the routing banks, because the hackers had misspelled the word “Foundation” as “Fundation”; the transaction was halted until clarification could be obtained from Bangladesh Bank. The Fed had also sent multiple notifications to Bangladesh Bank but received no response.
After the requests were sent, the malware monitored the SWIFT messaging system on the terminal and deleted any incoming messages or confirmation messages relating to the fraudulent transfers before they could be sent to the office printer, thereby cleaning up all tracks.
Friday is a weekend day in Bangladesh, so only a handful of staff came into the bank. They found an empty printer tray, which would normally contain the SWIFT transaction messages that are printed automatically. They also found that the printer was broken, which was not unusual. The boss asked for the printer to be repaired and went on with his daily routine. At the same time, the $81 million landed in 4 bank accounts at the Manila branch of a Philippine bank called RCBC. These accounts were later found to have been created with fraudulent IDs. The funds were then transferred to a foreign exchange broker to be converted to Philippine pesos, returned to RCBC and consolidated in a single account.
The employees of Bangladesh Bank returned to work on Saturday around 9am and tried the printer again, only to discover that the SWIFT software would not start up and showed an error saying that a file, NROFF.EXE, “is missing or changed”. Only when they finally regained access to the SWIFT messaging system, after a series of approvals from senior officials to use other means to access the system and manually print the SWIFT messages, did they realise what had happened. They promptly contacted the New York Fed through the phone, email and fax details available on its official website, but there was no response from the office as it was the weekend.
SWIFT remotely fixed the messaging system, and Bangladesh Bank now realised that the money had gone to RCBC in the Philippines. They sent a SWIFT message to RCBC asking them to STOP the transfers, but 8th Feb was a public holiday in the Philippines due to the Chinese New Year and the message was only received a day later.
The SWIFT message sent to RCBC asking them to STOP the transfers was sent as a normal SWIFT message and not as a CANCEL message. Because of this it was added to a pile of other routine messages at the RCBC headquarters and forwarded to the RCBC branch holding the accounts. By the time the branch got to the message, the money in the accounts had already been transferred to other accounts, with most of it ending up in 4 Philippine casinos.
Casinos in the Philippines are not covered by anti-money-laundering laws, which means there are gaps in record-keeping around where money goes once a casino obtains it.
To this day the full $81 million has not been recovered, and there are multiple investigations going on at Bangladesh Bank, the Philippines’ Anti-Money Laundering Council and the US Fed.
- Carefully designed heist by the hackers. The 4 RCBC bank accounts used to receive the money had been created in May 2015, months before, with fake IDs, and lay dormant with just $500 in them until the attack. The hackers also planned around the fact that Friday is a weekend day in Bangladesh and Monday would be a holiday in the Philippines, so that all parties would never be available at the same time.
- Delay at Bangladesh Bank. Had they proactively looked into why the SWIFT acknowledgement messages were not printed on Friday, they could have discovered the heist and contacted the New York Fed, which would have responded on Friday rather than during off-duty hours on Saturday.
- No 24*7 support at the Federal Reserve Bank of New York for such emergencies, and dependency on an automated system that mostly reviews just the format of SWIFT messages and flags suspicious ones for manual review.
- Weak anti-money-laundering laws in the Philippines, which let the money vanish into the casino system, where customer and account details can be kept private without proper record-keeping.
- Lack of proper software security controls at Bangladesh Bank, which was one of the major reasons this hack succeeded and which I’d like to discuss further.
Bangladesh Bank had not protected its computer systems with a firewall, and it had used second-hand $10 electronic switches to network the computers linked to the SWIFT global payment system. Hackers may have exploited such weaknesses after Bangladesh Bank connected a new electronic payment system, known as real time gross settlement (RTGS), in November of the previous year. One report also said that the malware might have been installed when an employee accessed their mailbox on the same network as the SWIFT system and opened a contaminated email, which could easily have been prevented with a proper firewall in place.
“Banks should conduct SWIFT transactions only on computers that are isolated from other devices on their networks”, says Sean Sullivan, an adviser at the security firm F-Secure. “It should be a dedicated computer for its single task”, Sullivan says. Despite SWIFT’s warnings, the bank had not segregated its SWIFT server from the rest of the computer network. On top of this, the bank had not updated its SWIFT systems to the latest software versions, which included the latest security patches.
Without these controls in place, the hackers were already inside the bank’s network with enough access to override any local security settings, and they hid in plain sight for months, building an understanding of the bank’s business operations and collecting user credentials and other information needed to get into the SWIFT server. This allowed them to turn one of SWIFT’s defining features, its global reach, into a vulnerability.
In a statement provided to Information Security Media Group, SWIFT noted that it was aware of the risks and was taking steps to help banks shore up their security.
“We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security,” the statement says. “We have developed a facility to assist customers in enhancing their security and to spot inconsistencies in their local database records.”
“However, the key defense against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems – in particular those used to access SWIFT – against such potential security threats. Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems.”
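The malware’s trick was to delete the confirmation messages before they reached the printer, so the bank’s only visible signal was a printer tray that stayed empty. A local control that SWIFT’s statement points at (“spot inconsistencies in their local database records”) is to reconcile every outbound payment order against the acknowledgement that should come back for it. The following is an added example that is not part of the original post or any SWIFT product; the record formats, the reference numbers and the amounts are constructed, and the business-hours window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real SWIFT records): payment orders the local
# interface sent out, and the acknowledgement messages it received back.
SENT_ORDERS = [
    # (reference, sent-at, amount in USD)
    ("TRN0001", "2016-02-04 14:05", 250_000.0),
    ("TRN0002", "2016-02-04 20:31", 5_000_000.0),
    ("TRN0003", "2016-02-04 20:33", 12_000_000.0),
    ("TRN0004", "2016-02-04 20:36", 7_500_000.0),
]
RECEIVED_ACKS = [
    # (reference, received-at)
    ("TRN0001", "2016-02-04 14:09"),
]

BUSINESS_HOURS = (9, 17)  # assumed local working window for payment operators

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def unacknowledged_orders(orders, acks, now, max_wait=timedelta(hours=1)):
    """Orders older than max_wait whose reference never appeared in an ack.
    A silently missing ack is exactly what malware that deletes
    confirmations before they are printed would produce."""
    acked = {ref for ref, _ in acks}
    return [(ref, amount) for ref, sent, amount in orders
            if ref not in acked and now - parse_ts(sent) > max_wait]

def off_hours_orders(orders, hours=BUSINESS_HOURS):
    """Orders submitted outside the assumed operator working window."""
    start, end = hours
    return [ref for ref, sent, _ in orders
            if not (start <= parse_ts(sent).hour < end)]

def reconciliation_report(orders, acks, now):
    """Combine both checks into one alertable summary for the next shift."""
    missing = unacknowledged_orders(orders, acks, now)
    return {
        "unacknowledged": [ref for ref, _ in missing],
        "unacknowledged_total": sum(amount for _, amount in missing),
        "off_hours": off_hours_orders(orders),
        "alert": bool(missing),
    }

if __name__ == "__main__":
    # Run the check at the start of the next working day.
    print(reconciliation_report(SENT_ORDERS, RECEIVED_ACKS,
                                now=parse_ts("2016-02-05 09:00")))
```

The point is that the check runs against the local order database, not against what the printer produced, so deleting the paper trail does not hide the gap.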
Everyone working in a software development role has faced the dilemma of prioritising between features that strengthen the security controls of applications or products that are currently LIVE and features that deliver additional functionality. There is also the technical debt backlog that we accrue for reasons such as lack of time or understanding. This technical debt can sometimes turn into security loopholes that make it easier for someone with malicious intent to break into our systems and cause damage.
More often than not, teams put off paying off this technical debt, or making sure proper security controls and practices are in place so that the system is hard to break and easy to recover, until it is too late. Bangladesh Bank made the mistake of not having a proper firewall and other network security controls that would have isolated and protected the SWIFT server and hindered the hackers’ attempts to get into the network with their malware; that would have saved the millions that were lost in a matter of hours.
The New York Fed has since set up a 24-hour hotline for emergency calls from some 250 account holders, mostly central banks, around the world. SWIFT has advised banks using the SWIFT Alliance Access system to strengthen their cyber security posture and ensure they are following SWIFT security guidelines. The case threatened to return the Philippines to the Financial Action Task Force on Money Laundering blacklist of countries making insufficient efforts against money laundering. Bangladesh Bank continued its efforts to retrieve the stolen money but had only recovered about $15 million, mostly from a gaming junket operator based in Metro Manila. In February 2019, the Federal Reserve pledged to help Bangladesh Bank recover the money, and SWIFT also decided to help the central bank rebuild its infrastructure.
This case was an interesting piece of research for me, and I have written this blog post based on multiple articles that I have read online. I may have gotten certain details wrong as I am not an expert; please reach out to me if that is the case.
I have written this post to highlight how important software security practices are, and how a minor oversight in these security controls can let individuals cause disruption remotely, even with trusted systems like SWIFT in place that are used worldwide for huge money transfers.
I hope you enjoyed reading this post.