That Insane, $81M Bangladesh Bank Heist?

Here's What We Know

(Source: https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/)

W H E N R E P O R T S S U R F A C E D in February of a spectacular bank hack that sucked $81 million from

accounts at Bangladesh Bank in just hours, news headlines snickered over a typo that prevented the hackers
from stealing the full $1 billion they were after.
Last week the snickering stopped with new reports that the hackers struck a second bank, and possibly
others—though authorities won't say if those heists were equally successful. Bank hacks have traditionally
focused on stealing the login credentials of bank account holders—either individuals or small businesses.
Billions have been stolen successfully in this way. But the hacks in this case targeted the banks themselves
and focused on subverting their SWIFT accounts, the international money transfer system that banks use to
move billions of dollars daily between themselves.

What is SWIFT?
SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication and is a consortium
that operates a trusted and closed computer network for communication between member banks around the
world. The consortium, which dates back to the 1970s, is based in Belgium and is overseen by the National
Bank of Belgium and a committee composed of representatives from the US Federal Reserve, the Bank of
England, the European Central Bank, the Bank of Japan and other major banks. The SWIFT platform has
some 11,000 users and processes about 25 million communications a day, most of them money transfer
transactions. Financial institutions and brokerage houses that use SWIFT have codes that identify each
institution as well as credentials that authenticate and verify transactions.

What Happened?
On February 4, unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send
more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking
the bank to transfer millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka
and other parts of Asia.
The hackers managed to get $81 million sent to Rizal Commercial Banking Corporation in the Philippines
via four different transfer requests and an additional $20 million sent to Pan Asia Banking in a single
request. But the Bangladesh Bank managed to halt $850 million in other transactions. The $81 million was
deposited into four accounts at a Rizal branch in Manila on Feb. 4. These accounts had all been opened a
year earlier in May 2015, but had been inactive with just $500 sitting in them until the stolen funds arrived
in February this year, according to Reuters.

A printer "error" helped Bangladesh Bank discover the heist. The bank's SWIFT system is configured to
automatically print out a record each time a money transfer request goes through. The printer works 24
hours so that when workers arrive each morning, they check the tray for transfers that got confirmed
overnight. But on the morning of Friday February 5, the director of the bank found the printer tray empty.
When bank workers tried to print the reports manually, they couldn't. The software on the terminal that
connects to the SWIFT network indicated that a critical system file was missing or had been altered.

When they finally got the software working the next day and were able to restart the printer, dozens of
suspicious transactions spit out. The Fed bank in New York had apparently sent queries to Bangladesh Bank
questioning dozens of the transfer orders, but no one in Bangladesh had responded. Panic ensued as workers
in Bangladesh scrambled to determine if any of the money transfers had gone through—their own records
system showed that nothing had been debited to their account yet—and halt any orders that were still
pending. They contacted SWIFT and New York Fed, but the attackers had timed their heist well; because it
was the weekend in New York, no one there responded. It wasn't until Monday that bank workers in
Bangladesh finally learned that four of the transactions had gone through amounting to $101 million.
Bangladesh Bank managed to get Pan Asia Banking to cancel the $20 million that it had already received
and reroute that money back to Bangladesh Bank's New York Fed account. But the $81 million that went to
Rizal Bank in the Philippines was gone. It had already been credited to multiple accounts—reportedly
belonging to casinos in the Philippines—and all but $68,000 of it was withdrawn on February 5 and 9 before
further withdrawals were halted. The manager of the Rizal Bank branch has been questioned about why she
allowed the money to be withdrawn on the 9th, even after receiving a request that day from Bangladesh
Bank to halt the money.
The hackers might have stolen much more if not for a typo in one of the money transfer requests that caught
the eye of the Federal Reserve Bank in New York. The hackers apparently had indicated that at least one of
the transfers should go to the Shalika Foundation, but they misspelled “foundation” as “fandation."

How Many Banks Were Hit?

At least two, possibly more. SWIFT sent out an alert to members last week indicating that a second bank in
Asia had been targeted in a similar attack and that a "small number of recent cases of fraud" had occurred at
customer firms. The alert did not identify the second bank in Asia, but Tien Phong Bank in Vietnam told
Reuters over the weekend that in the fourth quarter of last year it encountered and stopped a similar SWIFT
hack—amounting to about $1.1 million—before any funds could be taken.
A SWIFT spokesman told the Wall Street Journal that a "few" other incidents had occurred, but didn't
elaborate on whether there were successful heists at other banks or simply other attempts.

Did the Attackers Compromise SWIFT?

Not directly. According to SWIFT, they obtained valid credentials the banks use to conduct money transfers
over SWIFT and then used those credentials to initiate money transactions as if they were legitimate bank
employees. How they got the credentials is unclear. News reports have indicated that insiders might have
cooperated and provided the credentials to the hackers. Other reports indicate that lax computer security
practices at Bangladesh Bank were to blame: the bank reportedly didn't have firewalls installed on its
networks, raising the possibility that hackers may have breached the network and found the credentials
stored on the system.

How Did the Hackers Cover Their Tracks?

They installed malware on the bank's network to prevent workers from discovering the fraudulent
transactions quickly. In the case of Bangladesh Bank, the malware subverted the software used to
automatically print SWIFT transactions. The hackers installed it on the bank's system some time in January,
not long before they initiated the bogus money transfers on February 4.
In the case of the bank in Vietnam, the custom malware targeted a PDF reader the bank used to record
SWIFT money transfers. The malware apparently manipulated the PDF reports to remove any trace of the
fraudulent transactions from them, according to SWIFT and the New York Times.

Who's to Blame?
Aside from the hackers themselves? Bangladesh Bank blames the Federal Reserve Bank of New York for
allowing the money transfers to go through instead of waiting for confirmation from Bangladesh. The New
York Fed counters that it contacted the bank to question and verify dozens of suspicious transfers and never
got a response. Authorities at the Reserve Bank said that workers followed the correct procedures in
approving the five money transfers that went through and blocking 30 others.
Bangladesh Bank says the Fed bank should have blocked all money transfers until it got a response on the
ones it deemed suspicious.