SWIFT, Hackers, Casinos and a Billion Dollar Bank Job

SWIFT is increasingly targeting the corporate market as a highly secure and reliable corporate-to-bank connectivity solution. SWIFT has some clear benefits, but it isn't a magic bullet. The incredible cyber theft last month will leave many SWIFT customers (banks and corporates) worried about similar copy-cat thefts via the super secure SWIFT network. In this post I outline 10 things that we know about the hack and, more importantly, some lessons that we can all learn from the cyber heist.

Friday 15th May, 2015 – Fake Accounts Are Opened

  • 4 accounts were opened at RCBC Bank in Manila
  • The accounts were opened in May 2015, almost nine months before the fraudulent transfers, which clearly shows careful and advanced planning
  • LESSON:
    • Regularly review your active accounts and close any account that has not been used for a long period

October, 2015 – Bangladesh Bank SWIFT and IT Systems are merged

  • Bangladesh Bank introduces a real-time gross settlement (RTGS) system and, in doing so, merges the bank's SWIFT and IT operations in a few major cities, including Dhaka
  • LESSON:
    • Ensure that any centralisation effort is carried out with security in mind – in the Bangladesh Bank theft, officials have said that the SWIFT system's link to RTGS was compromised because a strong firewall had not been installed

Sometime in January, 2016 – Malware is Installed

  • It is believed that malware infected at least 32 computers at Bangladesh Bank, through which the hackers were able to steal the credentials of Bangladesh Bank officials and use them to access the SWIFT messaging system
  • LESSON:
    • Ensure that your internal and external teams know and understand the risks posed by malware
    • Ensure that users log off all open sessions, applications / terminals and PCs
      • The FT report suggests that some SWIFT terminals were left logged on, and therefore authenticated, which increased the hackers' chances of success
    • Ensure that individuals within your organisation understand that they may be ‘monitored’ online via channels such as social media
    • Ensure that administrator access is limited to a few users within your organisation – administrator access typically gives near-unrestricted access to systems
      • The Daily Star reports how the attackers were able to use administrator access to the SWIFT platform

Thursday 4th February, 2016 – Bogus SWIFT Transactions Are Initiated

  • Criminals posing as Bangladesh Bank officials initiated 35 fake SWIFT fund transfer requests (total value: $951 million) from the Bangladesh Bank account at the New York Federal Reserve to accounts in Sri Lanka and the Philippines
  • The Federal Reserve did not process 30 of the transfers; it did, however, process 5 transfers (value: $101 million)
    • 1 to Sri Lanka (value: $20 million)
      • This payment to a Sri Lankan NGO (Shalika Foundation) was blocked because of a spelling mistake in the recipient name (“Shalika Fandation”)
      • The “Fandation” query by the routing bank (Deutsche Bank) prompted Bangladesh Bank to stop the other transactions
    • 4 to the Philippines (value: $81 million) to RCBC Bank

Friday 5th February, 2016 – $81 Million Is Laundered within Philippines Casinos

  • Approximately $81 million is deposited into the Philippine accounts and routed, via a personal “William So Go” account and a Philrem (money remittance company) account, to a number of Philippine casino accounts
  • LESSON:
    • Make sure you know what transactions are being initiated at YOUR organisation
      • A broken printer at Bangladesh Bank meant that the previous day's list of transactions could not be printed and reviewed right away!
    • Know the security procedures at your banks: how would your bank react if suspicious transfers were initiated from your company's account, and what do your banks consider suspicious?
      • Between 4th and 9th February, the security cameras at the RCBC branch where the “Go Dollar” account was opened were out of order
      • Apparently fake documents and signatures were used to open the Philippine accounts

Monday 8th February, 2016 – We Have A Problem…

  • Bangladesh Bank notice the discrepancy and issue stop orders to the:
    • US – New York Federal Reserve, Citi, Bank of New York Mellon, Wells Fargo
    • Philippines – RCBC (Manila)
    • Sri Lanka – Pan Asia Banking Corporation
  • LESSON:
    • Know your escalation points
      • Actually, Bangladesh Bank recognised the abnormal activity on Saturday 6th February, but could not reach anybody at the Federal Reserve during the US weekend
    • Don’t be complacent during holidays
      • To complicate things, Monday 8th February (Chinese New Year) was being widely celebrated in the Philippines, which meant that high-value transactions to casinos, common during the holiday season, went unnoticed
    • In the event of unusual transactions, understand the criteria your banks use to identify suspicious activity, and how and whom they will contact
      • Focusing on the 4 Philippine accounts: why didn't the bank verify the sudden activity and the validity of the payments on accounts that had been opened in May 2015, yet had no transactions until 5th February, 2016?
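The lessons above (review dormant accounts, know what your own organisation is sending, and question sudden activity on long-idle accounts) can each be expressed as a simple check. The following is an added example and is not code from the original post or from any bank involved in the case; the ledger, the outbound instructions, the authorisation register and the thresholds are all constructed for illustration:

```python
"""Added example (not code from the original post or from any of the banks
involved): three simple controls, run over a constructed set of records,
in the spirit of the lessons above.

  1. dormant_accounts      - accounts idle for longer than a threshold,
                             candidates for review or closure
  2. unreconciled_outbound - outbound payment instructions that no record in
                             the internal maker/checker register covers
  3. dormant_then_active   - a long-idle (or brand-new) account that suddenly
                             receives a high-value credit

Every account number, reference, name and amount below is made up."""

from datetime import date

# Constructed ledger at the receiving bank:
# (date, account, direction, amount_usd, reference)
LEDGER = [
    (date(2015, 5, 15), "ACC-001", "credit", 500.0, "OPENING-DEPOSIT"),
    (date(2015, 5, 15), "ACC-002", "credit", 500.0, "OPENING-DEPOSIT"),
    (date(2015, 9, 1), "ACC-003", "credit", 1_200.0, "PAYROLL"),
    (date(2016, 2, 5), "ACC-001", "credit", 30_000_000.0, "MT103-7781"),
    (date(2016, 2, 5), "ACC-002", "credit", 25_000_000.0, "MT103-7782"),
    (date(2016, 2, 5), "ACC-003", "credit", 900.0, "PAYROLL"),
]

# Constructed outbound instructions as released by the sending organisation's
# SWIFT gateway: (reference, amount_usd, beneficiary account)
OUTBOUND = [
    ("MT103-7781", 30_000_000.0, "ACC-001"),
    ("MT103-7782", 25_000_000.0, "ACC-002"),
    ("MT103-7790", 1_000_000.0, "ACC-777"),
]

# Constructed register of references approved through the internal
# maker/checker workflow. Anything the gateway sent that is missing here
# was never authorised by the business.
AUTHORISED = {"MT103-7790"}


def dormant_accounts(ledger, as_of, max_idle_days=180):
    """Accounts whose most recent activity on or before `as_of` is older
    than `max_idle_days`."""
    last_seen = {}
    for day, acct, *_ in ledger:
        if day <= as_of:
            last_seen[acct] = max(last_seen.get(acct, day), day)
    return sorted(a for a, d in last_seen.items() if (as_of - d).days > max_idle_days)


def unreconciled_outbound(outbound, authorised):
    """References that left the gateway without a matching authorisation."""
    return [ref for ref, _amount, _beneficiary in outbound if ref not in authorised]


def dormant_then_active(ledger, min_idle_days=90, min_amount=1_000_000.0):
    """(account, date, amount, reference) for every credit >= `min_amount`
    landing on an account with no activity in the preceding `min_idle_days`.
    An account with no prior history at all is treated as idle: a first-ever
    transaction of this size deserves a look."""
    by_account = {}
    for record in sorted(ledger):
        by_account.setdefault(record[1], []).append(record)
    alerts = []
    for acct, records in by_account.items():
        for i, (day, _, direction, amount, ref) in enumerate(records):
            if direction != "credit" or amount < min_amount:
                continue
            previous = records[i - 1][0] if i > 0 else None
            if previous is None or (day - previous).days >= min_idle_days:
                alerts.append((acct, day, amount, ref))
    return alerts


def run_controls(as_of=date(2016, 2, 4)):
    """Run all three controls and return their findings keyed by control name."""
    return {
        "dormant": dormant_accounts(LEDGER, as_of),
        "unreconciled": unreconciled_outbound(OUTBOUND, AUTHORISED),
        "sudden_activity": [(a, d.isoformat(), amt, ref)
                            for a, d, amt, ref in dormant_then_active(LEDGER)],
    }


if __name__ == "__main__":
    for control, findings in run_controls().items():
        print(f"{control}: {findings}")
```

The thresholds (180 idle days for review, 90 idle days and $1 million for the sudden-activity rule) are illustrative and would be tuned to the institution; the point is that the reconciliation check belongs to the sending organisation, while the two account-activity checks belong to the receiving bank, and in this case neither side appears to have run the equivalent.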

Thursday 11th February, 2016 – Bangladesh Bank Asks for Help

  • Bangladesh Bank requests assistance from the Philippine central bank to trace the stolen funds (i.e. the $81 million)

Monday 29th February, 2016 – Freeze….!

  • The Philippine Court of Appeals is petitioned to freeze the 4 accounts at RCBC Bank that first received the funds – the freeze order was issued on 1st March

Tuesday 15th March, 2016 – You’re Fired..!

  • Bangladesh Bank Governor resigns and two of his deputies are fired
  • LESSON:
    • As leaders and controllers you need to enforce and ensure appropriate controls within YOUR organisation

A Catalogue of Errors:

  • LESSON:
    • YOU are responsible for breaches at YOUR organisation, and must understand the risks and introduce appropriate mitigating controls and procedures
      • In this example, the New York Federal Reserve and SWIFT both executed seemingly legitimate instructions that had been sent to them, and confirmed that their respective systems had not been compromised
      • FireEye (the security firm investigating the Bangladesh Bank heist) reports statistics showing that such attacks are more prevalent in Asia
    • SWIFT may be very secure, but are ALL of YOUR “upstream” processes that lead up to the SWIFT transfer secure…?
    • According to Reuters, the bank job has prompted SWIFT to begin calling on banks to review their internal security procedures

The investigation continues…

Sources:

  • The Daily Star – Sophisticated tools used for hacking
  • FT – How cyber criminals targeted almost $1bn in Bangladesh Bank heist
  • Bloomberg – Printer Error Triggered Bangladesh Race to Halt Cyber Heist
  • WSJ – Hackers Lurked in Bangladesh Central Bank’s Servers for Weeks
  • Reuters – Exclusive: SWIFT to advise banks on security as Bangladesh hack details emerge
  • Fortune – SWIFT to Advise Banks on Security as Bangladesh Hack Details Emerge
  • MarketWatch – Bangladesh central bank may have left door open to hack
  • EasySolutions – Multiple Banks Hit with SWIFT Attacks Like One That Hit Bangladesh Central Bank
  • Recorded Future – Neighborhood Watch: Identifying Early Indicators of the Central Bank of Bangladesh Heist
  • NBC News – Bangladesh Bank Might Sue NY Fed After $1B Hack-Heist
  • The Hacker News – Here’s How Hackers Stole $80 million from Bangladesh Bank
  • The Hacker News – How a Typo Stopped Hackers from Stealing $1 Billion from Bank
