When reports surfaced in February of a spectacular bank hack that sucked $81 million from accounts at Bangladesh Bank in just hours, news headlines snickered over a typo that prevented the hackers from stealing the full $1 billion they were after.
Last week the snickering stopped with new reports that the hackers struck a second bank, and possibly others---though authorities won't say if those heists were equally successful. Bank hacks have traditionally focused on stealing the login credentials of bank account holders---either individuals or small businesses. Billions have been stolen successfully in this way. But the hacks in this case targeted the banks themselves and focused on subverting their SWIFT accounts, the international money transfer system that banks use to move billions of dollars daily between themselves.
As details continue to trickle out about how the heists unfolded, here's a look at what we do and don't know so far.
SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication and is a consortium that operates a trusted and closed computer network for communication between member banks around the world. The consortium, which dates back to the 1970s, is based in Belgium and is overseen by the National Bank of Belgium and a committee composed of representatives from the US Federal Reserve, the Bank of England, the European Central Bank, the Bank of Japan and other major banks. The SWIFT platform has some 11,000 users and processes about 25 million communications a day, most of them money transfer transactions. Financial institutions and brokerage houses that use SWIFT have codes that identify each institution as well as credentials that authenticate and verify transactions.
On February 4, unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia.
The hackers managed to get $81 million sent to Rizal Commercial Banking Corporation in the Philippines via four different transfer requests and an additional $20 million sent to Pan Asia Banking in a single request. But the Bangladesh Bank managed to halt $850 million in other transactions. The $81 million was deposited into four accounts at a Rizal branch in Manila on Feb. 4. These accounts had all been opened a year earlier in May 2015, but had been inactive with just $500 sitting in them until the stolen funds arrived in February this year, according to Reuters.
A printer "error" helped Bangladesh Bank discover the heist. The bank's SWIFT system is configured to automatically print out a record each time a money transfer request goes through. The printer works 24 hours so that when workers arrive each morning, they check the tray for transfers that got confirmed overnight. But on the morning of Friday February 5, the director of the bank found the printer tray empty. When bank workers tried to print the reports manually, they couldn't. The software on the terminal that connects to the SWIFT network indicated that a critical system file was missing or had been altered.
When they finally got the software working the next day and were able to restart the printer, dozens of suspicious transactions spit out. The Fed bank in New York had apparently sent queries to Bangladesh Bank questioning dozens of the transfer orders, but no one in Bangladesh had responded. Panic ensued as workers in Bangladesh scrambled to determine if any of the money transfers had gone through---their own records system showed that nothing had been debited to their account yet---and halt any orders that were still pending. They contacted SWIFT and New York Fed, but the attackers had timed their heist well; because it was the weekend in New York, no one there responded. It wasn't until Monday that bank workers in Bangladesh finally learned that four of the transactions had gone through amounting to $101 million.
Bangladesh Bank managed to get Pan Asia Banking to cancel the $20 million that it had already received and reroute that money back to Bangladesh Bank's New York Fed account. But the $81 million that went to Rizal Bank in the Philippines was gone. It had already been credited to multiple accounts---reportedly belonging to casinos in the Philippines---and all but $68,000 of it was withdrawn on February 5 and 9 before further withdrawals were halted. The manager of the Rizal Bank branch has been questioned about why she allowed the money to be withdrawn on the 9th, even after receiving a request that day from Bangladesh Bank to halt the money.
The hackers might have stolen much more if not for a typo in one of the money transfer requests that caught the eye of the Federal Reserve Bank in New York. The hackers apparently had indicated that at least one of the transfers should go to the Shalika Foundation, but they misspelled “foundation” as “fandation."
At least two, possibly more. SWIFT sent out an alert to members last week indicating that a second bank in Asia had been targeted in a similar attack and that a "small number of recent cases of fraud" had occurred at customer firms. The alert did not identify the second bank in Asia, but Tien Phong Bank in Vietnam told Reuters over the weekend that in the fourth quarter of last year it encountered and stopped a similar SWIFT hack---amounting to about $1.1 million---before any funds could be taken.
A SWIFT spokesman told the Wall Street Journal that a "few" other incidents had occurred, but didn't elaborate on whether there were successful heists at other banks or simply other attempts.
Not directly. According to SWIFT, they obtained valid credentials the banks use to conduct money transfers over SWIFT and then used those credentials to initiate money transactions as if they were legitimate bank employees. How they got the credentials is unclear. News reports have indicated that insiders might have cooperated and provided the credentials to the hackers. Other reports indicate that lax computer security practices at Bangladesh Bank were to blame: the bank reportedly didn't have firewalls installed on its networks, raising the possibility that hackers may have breached the network and found the credentials stored on the system.
They installed malware on the bank's network to prevent workers from discovering the fraudulent transactions quickly. In the case of Bangladesh Bank, the malware subverted the software used to automatically print SWIFT transactions. The hackers installed it on the bank's system some time in January, not long before they initiated the bogus money transfers on February 4.
In the case of the bank in Vietnam, the custom malware targeted a PDF reader the bank used to record SWIFT money transfers. The malware apparently manipulated the PDF reports to remove any trace of the fraudulent transactions from them, according to SWIFT and the New York Times.
Even if the hackers didn't compromise the SWIFT network itself, such that all of SWIFT banks were vulnerable, it's still bad news for the global banking process. By targeting the methods that member banks use to conduct transactions over the SWIFT network, the hackers undermine a system that until now had been viewed as stalwart.
The incidents also raise integrity issues about the trustworthiness of SWIFT reporting. The US government relies on SWIFT transaction records to alert it to suspicious money transfers that could be related to terrorism financing. The so-called Terrorist Finance Tracking Program has, according to the government, "allowed the U.S. and our allies to identify and locate operatives and their financiers, chart terrorist networks, and help keep money out of their hands." But if hackers could so easily subvert systems at SWIFT endpoints as they did in Bangladesh Bank's heist, they could conceivably do the same thing to initiate money transfers that feed terrorism groups or countries whose bank account funds are frozen by international sanctions. Rachel Ehrenfeld, author of Funding Evil: How Terrorism Is Financed and How to Stop It, says she and others warned lawmakers on Capitol Hill several years ago that hacking SWIFT or the Federal Reserve would be ideal ways for terrorist groups to bypass TFFO monitoring. "We were told cybersecurity is so good you cannot do that. But of course you can," she says. "The question is how many other incidents were there that we don’t know about? These kinds of banks don’t like advertisements of this kind [when they're hacked.]"
Aside from the hackers themselves? Bangladesh Bank blames the Federal Reserve Bank of New York for allowing the money transfers to go through instead of waiting for confirmation from Bangladesh. The New York Fed counters that it contacted the bank to question and verify dozens of suspicious transfers and never got a response. Authorities at the Reserve Bank said that workers followed the correct procedures in approving the five money transfers that went through and blocking 30 others.
Bangladesh Bank says the Fed bank should have blocked all money transfers until it got a response on the ones it deemed suspicious.
Malware found on Bangladesh Bank's system shares similarities to some of the malware found in the Sony hack, which the US government attributed to North Korea. But according to someone familiar with the Bangladesh Bank investigation who spoke with Bloomberg, this malware wasn't used in the actual heist. There is evidence that three different hacking groups were in Bangladesh Bank's network, one of which has possible connections to the Sony hack, due to the shared use of malware. But according to forensic evidence and the movements of this group in the Bangladesh Bank's network, the group behind that malware doesn't appear to be responsible for stealing Bangladesh Bank's money. Instead, a third group appears to have performed this operation---a group that may or may not be related to the Sony hackers.
Government investigators in the Philippines are currently probing the incident in an effort to uncover who made off with the $81 million stolen from Bangladesh Bank. At least $21 million of the stolen funds reportedly ended up in the Philippine bank account of Eastern Hawaii, a company run by Chinese business man Kim Wong, who says he received it as payment for helping a Chinese client settle a casino debt. Casinos in that country are not covered by anti-money laundering laws, which means there are gaps in record-keeping around where money goes once a casino obtains it.
