The billion-dollar hit job

February 04, 2020

The way unknown hackers hatched plans to steal money from the Bangladesh Bank’s reserves held with the New York Fed, using the most sophisticated banking and payment channels, together with their near-perfect preparation and timing, would make many detective stories and Hollywood movies look ordinary.

This largely explains why the largest cyber heist in history remains unresolved four years after it shook the financial world.

In February 2016, hackers breached the BB’s systems and used the SWIFT messaging network to order the transfer of $951 million from the central bank’s account at the New York Fed.

Of the amount, $81 million ended up in bank accounts in the Philippines, from which it was quickly withdrawn and absorbed by the large casino industry of the Southeast Asian country.

The hacking was so well-planned that it took the BB until the middle of March to retrieve the related SWIFT messages, according to the report of the government-sponsored probe committee.

A three-member committee led by former BB Governor Mohammed Farashuddin began working on March 20, 2016. The probe report was submitted in May 2017, but the government is yet to make the report public.

The 27-page report shed light on the people and organisations whose actions might have paved the way for the hacking, as well as the organisations that had the power to stop it but failed to do so. It made 70 recommendations to prevent a repeat of such heists.

The roots of the breach of the BB network and its reserves could be traced back at least six months before the heist took place.

In August 2015, the BB’s computers were connected to the SWIFT network through the Real-Time Gross Settlement (RTGS) system, which is used to process local transactions, and this was done without seeking any expert opinion.

The establishment of the link on August 13 paved the way for the hackers to deploy malware in the SWIFT messaging system, as it created scope for any computer on the local area network (LAN) to send SWIFT messages to the New York Fed, according to the probe report.

The report raised questions about the visit of a SWIFT official, who worked almost in private on the SWIFT system at the BB. The SWIFT officials also did not explain to BB officials how the link between SWIFT and the BB-RTGS works.

The SWIFT official used the user IDs and passwords of two BB officials to work in the system. So it would not have been difficult to learn the keystrokes, passwords and other important codes.

The user IDs and passwords of the two BB officials were compromised after January 24, 2016, the report said.

Malware was deployed into the SWIFT system on January 19 or 20, 2016 that copied the user IDs and passwords; the credentials were later used to carry out the hack and transfer the funds.

The malware identified was advanced and custom-designed to operate on servers processing SWIFT transactions.

It had the capability to bypass certain software security measures, especially those related to the BB’s SWIFT environment, and was rigged to securely erase all traces of its activity and self-destruct on February 6, 2016 after accomplishing its goal, said the probe report, quoting a preliminary report by the world-renowned cyber security firm FireEye Mandiant.

The criminals chose the day of the attack carefully: February 5 and 6 were the weekend in Bangladesh, February 6 and 7 were the weekend in the US, and February 6 and 8 were bank holidays for the Chinese New Year in the Philippines.

Hackers, using the user name and password of a BB official in the accounts and budgeting department, generated 35 SWIFT messages between 8.36pm on February 4, 2016 and 3.59am the following morning, instructing the NY Fed to release around $951.01 million to four beneficiaries through intermediary banks.

Although the NY Fed’s security system flagged the payment orders, five of them got through, and $101 million was released against them. Of the amount, $81 million was wired to the Philippines (the RCBC branch in Manila) and $20 million to Sri Lanka’s Shalika Fundation.

Ultimately, the Sri Lankan bank that received that payment order, the Pan Asia Banking Corporation, flagged it because the beneficiary’s name misspelled the word “Foundation” as “Fundation”. The size of the transaction was unusual, too.

Mandiant’s probe showed that the traces needed to collect information, particularly the SWIFT messages generated on February 4, had been erased. SWIFT could not retrieve them.

Hackers usurped the Fedwire system — which is developed and maintained by the Federal Reserve System and used to transfer large-dollar payments among Federal Reserve offices, depository institutions and federal government agencies — to steal funds from the BB’s account at the New York Fed by transferring them to correspondent accounts held by RCBC, according to a court document of a case filed by the BB with a New York court.

The conspirators took advantage of certain features of the Fedwire system and timing to accomplish their theft. Fedwire system transfers are same-day and, in many cases, instantaneous. Transferred funds are often available and final when sent.

Armed with this knowledge, the conspirators sent the unauthorised payment orders after business hours at the start of the weekend in Bangladesh, which falls on Friday and Saturday, in an attempt to have the transfers executed before the New York Fed or Bangladesh Bank could discover the theft, the case document said.
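The timing and volume described above (orders raised after hours at the start of the weekend, dozens of them in one night, several for very large sums) are exactly the signals a payment-release control can hold on for a second human approval. The script below is an added example, not code from the probe report or from any of the institutions named; the business-hours policy, thresholds and sample orders are constructed placeholders, and the timestamps are naive local Dhaka times.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed review policy (placeholder values, not taken from the probe report):
# payment operators work 09:00-17:00 local time, Sunday to Thursday.
BUSINESS_START, BUSINESS_END = 9, 17
WEEKEND_DAYS = {4, 5}                 # Monday=0 ... Friday=4, Saturday=5
BURST_WINDOW = timedelta(hours=1)
BURST_THRESHOLD = 5                   # more than this many orders per window is unusual
LARGE_ORDER_USD = 10_000_000

# Constructed sample orders in naive local (Dhaka) time: one ordinary
# working-day order followed by a late-night burst. Amounts and names are
# illustrative only; 4 February 2016 was a Thursday.
SAMPLE_ORDERS = [
    {"ts": "2016-02-04 11:15:00", "user": "ops_a", "amount": 2_500_000,  "beneficiary": "Example Trading Co"},
    {"ts": "2016-02-04 20:36:00", "user": "ops_a", "amount": 20_000_000, "beneficiary": "Example Fundation"},
    {"ts": "2016-02-04 20:41:00", "user": "ops_a", "amount": 30_000_000, "beneficiary": "Beneficiary B"},
    {"ts": "2016-02-04 20:52:00", "user": "ops_a", "amount": 6_000_000,  "beneficiary": "Beneficiary C"},
    {"ts": "2016-02-04 21:05:00", "user": "ops_a", "amount": 25_000_000, "beneficiary": "Beneficiary D"},
    {"ts": "2016-02-04 21:17:00", "user": "ops_a", "amount": 19_000_000, "beneficiary": "Beneficiary E"},
    {"ts": "2016-02-04 21:23:00", "user": "ops_a", "amount": 9_000_000,  "beneficiary": "Beneficiary F"},
    {"ts": "2016-02-04 21:30:00", "user": "ops_a", "amount": 31_000_000, "beneficiary": "Beneficiary G"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def out_of_hours(ts):
    """True when an order is raised on a weekend day or outside business hours."""
    return ts.weekday() in WEEKEND_DAYS or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def flag_orders(orders):
    """Return {position: [reasons]} for orders that should be held for a human
    second approval instead of being released automatically. Positions refer
    to the orders sorted by timestamp."""
    flagged = {}
    recent = deque()                      # timestamps inside the trailing burst window
    ordered = sorted(orders, key=lambda o: parse_ts(o["ts"]))
    for pos, order in enumerate(ordered):
        ts = parse_ts(order["ts"])
        reasons = []
        if out_of_hours(ts):
            reasons.append("out_of_hours")
        if order["amount"] >= LARGE_ORDER_USD:
            reasons.append("large_amount")
        # slide the window: drop orders more than BURST_WINDOW older than this one
        while recent and ts - recent[0] > BURST_WINDOW:
            recent.popleft()
        recent.append(ts)
        if len(recent) > BURST_THRESHOLD:
            reasons.append("burst")
        if reasons:
            flagged[pos] = reasons
    return flagged


if __name__ == "__main__":
    for pos, reasons in flag_orders(SAMPLE_ORDERS).items():
        print(pos, SAMPLE_ORDERS[pos]["ts"], ", ".join(reasons))
```

The check deliberately holds rather than rejects: an out-of-hours or burst flag is a reason to wait for a confirmation from the originating bank, which is precisely the step the court document says the timing was chosen to outrun.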

BB high-ups learned of the theft two days later. Still, the central bank decided to keep it secret.

Then Governor Atiur Rahman told the probe committee that he talked to Amando M Tetangco Jr, then central bank governor of the Philippines, on February 11.

The Philippine governor said that if utmost secrecy about the theft could not be ensured, the wrongdoers might escape, and he assured Rahman that the whole amount might be retrieved quickly if secrecy was maintained, Rahman told the probe committee.

This led the then governor to decide not to report the incident to any intelligence agency until March 1.

But after the Inquirer of Manila broke the news on February 29, the whole world came to know about the incident.

WHO IS TO BLAME?

The central bank of Bangladesh, the SWIFT network and the New York Fed cannot evade their responsibility for the reserve heist, the probe report said.

Rizal Bank of the Philippines (RCBC) did not act appropriately.

RCBC acted scandalously by executing the fund transfer messages on February 9 despite having received “stop payment” requests from Dhaka.

Maia Santos-Deguito, manager of the Jupiter branch that released the funds, said she had carried out the fund transfer orders “out of fear”. RCBC CEO Lorenzo Tan resigned.

“It is a huge surprise that four accounts were opened with RCBC just by depositing $500 six months before the heist and multi-million dollars were deposited in the accounts despite getting ‘stop payment requests’,” the report said.

RCBC was the perfect choice for the hackers, according to a court document of a case filed with the New York court by the BB.

The Filipino bank had correspondent bank accounts with commercial banks in New York City that would serve as intermediary accounts to receive, directly from the New York Fed, the Bangladesh Bank’s stolen funds and then transfer them out of the US to fictitious accounts.

Five fictitious US dollar accounts were opened on May 15, 2015, almost nine months before the theft. Each was opened as an account to hold US dollars, signalling that conspirators understood, intended and plotted to reach into the US — specifically into New York and the BB’s account at the New York Fed — to steal funds.

The accounts sat unused, with no transactions, until February 5, 2016, when they received the stolen funds. Virtually the entire amount received by the four accounts was withdrawn by February 9, 2016.

A fifth fictitious US dollar account was opened in the name of Ralph Campo Picache also with a deposit of $500.

It sat unused, and remained unused throughout the conspiracy, although not for lack of trying.

Approximately $170 million in fraudulent payment instructions were destined for the fictitious Picache Account but, unlike the other four fictitious accounts, none of the payment instructions to this account were executed by the New York Fed.

“RCBC has since admitted that all of these accounts were fake, and established for fictitious persons, which begs the question of who could legitimately operate these accounts when there was no real owner,” the court documents said.

“The answer is that the only entity that could transfer funds in and out of these accounts — which had no other owner — was RCBC itself, by and through its personnel, which involved multiple individuals up to the highest levels of RCBC,” the document added.

Later that year, on December 8, 2015, about two months before the theft, RCBC opened accounts for each of the five fictitious beneficiaries.

These accounts were held in the Philippine peso, not the US dollar like the earlier fictitious accounts.

RCBC opened the five new accounts of the fictitious beneficiaries with no initial deposit, unlike the fictitious US dollar accounts, and the accounts never held any funds and were never involved in any transactions.

They were preparatory, opened only to be used in the event that the thieves needed additional peso accounts to distribute and launder the stolen funds. As it turned out, the accounts were not needed, the court document showed.

NORTH KOREAN HACKERS

The wide-ranging conspiracy to rob hundreds of millions of dollars from the BB began years earlier with, on information and belief, North Korean hackers.

According to the FBI, among others, before the North Korean hackers executed their fraudulent transfer of funds from the BB’s New York Fed account, they first used the same or similar tools and techniques to accomplish the well-publicised attack on Sony.

Indeed, computer forensics firms including BAE Systems have reviewed the “attack toolkit” of malware used against the BB (and then against other banks) and those firms have concluded that the malware was custom-configured to “register itself as a service and operate in an environment running SWIFT’s Alliance Access software suite, [and] allow transactions to be deleted and records changed”.

Starting in 2014, the hackers used the same tools and techniques that they would later use on the BB, and would try to use on other banks, to infiltrate the computer systems of Sony, a multinational, global and sophisticated company, and steal huge amounts of data, financial information and records, credentials and user information. And they covered their tracks on the way out.

By January 2015, as explained by the FBI, the North Korean hackers had specifically identified BB, among other banks, as one of the targets of their attack and theft.

The criminal enterprise had come together, and the co-conspirators began to open more fictitious bank accounts held in US dollars at RCBC in the Philippines, the court document showed.

The North Korean hackers also began their spear-phishing email campaign, sending fraudulent emails to the bank’s employees misrepresenting that the fake senders were seeking employment.

The link to the “resumé and cover letter” hosted the malware that enabled the initial access to the BB’s computers.

The North Korean hackers also sent fraudulent spear-phishing emails to the BB’s employees appearing to be “LinkedIn” invitations. This is how the North Korean hackers first fraudulently gained access to those users’ computers.

From there, by March 2015, the North Korean hackers had installed other forms of malware specifically designed to create a backdoor into the BB network, allowing the North Korean hackers to access the network, collect information, crawl across different computer systems, and then fraudulently communicate within the network over a custom binary protocol designed to appear merely as Transport Layer Security traffic.

In other words, the North Korean hackers covered their tracks by using a communication protocol that masqueraded as legitimate encrypted traffic, which allowed them to transmit the stolen data and information without tripping security alerts.

These techniques, known to the international cybersecurity and law enforcement community, were traceable only after the attack was uncovered.
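A protocol that merely resembles TLS usually fails the structural rules a real TLS client obeys: the first bytes a client sends must be a handshake record carrying a ClientHello whose declared lengths agree with the record around it. The following is an added example of that sanity check, written for this article and not taken from the court filings, BAE Systems or Mandiant; the captured "flows" are constructed byte strings, and the check is intentionally a structural test on the first record only, not a full TLS parser.

```python
import os

MAX_RECORD_LEN = 2**14 + 2048     # TLS 1.2 ciphertext limit (RFC 5246, section 6.2.3)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_CLIENT_HELLO = 1


def check_first_client_record(data: bytes):
    """Structural sanity check on the first bytes a client sends on a TLS port.
    Returns (True, "ok") or (False, reason). Simplification: assumes the
    ClientHello is not fragmented across several records."""
    if len(data) < 5:
        return False, "truncated record header"
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if ctype not in CONTENT_TYPES:
        return False, f"invalid content type 0x{ctype:02x}"
    if major != 3 or minor > 4:                       # SSL 3.0 .. TLS 1.3 record versions
        return False, f"invalid record version {major}.{minor}"
    if length > MAX_RECORD_LEN:
        return False, f"record length {length} exceeds TLS maximum"
    if len(data) < 5 + length:
        return False, "record body shorter than declared length"
    if CONTENT_TYPES[ctype] != "handshake":
        return False, f"first client record is {CONTENT_TYPES[ctype]}, not handshake"
    if length < 4:
        return False, "handshake header truncated"
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != HANDSHAKE_CLIENT_HELLO:
        return False, f"first handshake message type {hs_type} is not ClientHello"
    if hs_len != length - 4:
        return False, "handshake length does not match record length"
    return True, "ok"


def build_client_hello():
    """Construct a minimal but well-formed TLS 1.2 ClientHello record for the demo."""
    body = (b"\x03\x03"                   # client_version: TLS 1.2
            + os.urandom(32)              # random
            + b"\x00"                     # session_id length 0
            + b"\x00\x02\xc0\x2f"         # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
            + b"\x01\x00"                 # compression methods: null only
            + b"\x00\x00")                # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows (first client bytes seen on tcp/443); none is real capture data.
SAMPLE_TLS_FLOWS = {
    "flow-1": build_client_hello(),
    "flow-2": b"\x17\x03\x03\x00\x10" + b"\x00" * 16,                      # application data, no handshake first
    "flow-3": b"\x16\x03\x01\x00\x0c" + b"\x01\x00\x00\x20" + b"\x00" * 8,  # handshake length disagrees with record
    "flow-4": b"C2PROTO\x00" + b"\x00" * 8,                                 # custom framing, bad content type
    "flow-5": b"\x16\x03\x03\xff\xff" + b"\x00" * 8,                       # absurd record length
}


def audit_tls_flows(flows):
    """Return {flow_id: reason} for flows whose first record is not plausible TLS."""
    findings = {}
    for flow_id, data in flows.items():
        ok, reason = check_first_client_record(data)
        if not ok:
            findings[flow_id] = reason
    return findings


if __name__ == "__main__":
    for flow_id, reason in audit_tls_flows(SAMPLE_TLS_FLOWS).items():
        print(flow_id, reason)
```

A check like this belongs on the network monitoring side, where it can be run over the first packets of every session to a TLS port; a more thorough version would also verify the ServerHello and certificate exchange and compare client fingerprints against the software known to be installed.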

Finally, on January 29, 2016, only six days before the theft, the hackers began to covertly move across the BB network, from the computers in which they had originally installed the malware, to the SWIFTLIVE system critical to the processing of SWIFT messages like those used to execute the heist.

The Farashuddin report criticised SWIFT for its odd-looking attempt to obtain a copy of the Mandiant report, which, the committee said, proved that SWIFT was directly or indirectly liable for the heist.

About the Fed’s role, the probe said when the New York Fed received the fund transfer requests, it became suspicious.

It had put the fund transfers on hold and sought more information and clarification about the beneficiaries. But by the time it sought the additional information, it was already 3:59am on Friday in Dhaka.

The weekend had already started. Before receiving any responses from the BB, it executed five payment instructions. After transferring the funds, it sent queries to the central bank as it was suspicious about the beneficiaries.

So the New York Fed could not evade its responsibility for the theft of the funds from the BB’s reserves, the probe report said.

The Fed’s liability arose when it transferred the funds despite having suspicions about the payment instructions and the beneficiaries.

The primary responsibility for the $81 million reserve heist lies with SWIFT authorities, the report said.

The BB’s steps to forestall unauthorised payments were not adequate, the probe report said.

The central bank officials did not try to use the manual system to retrieve the messages from the New York Fed when they returned to work on Friday morning. Besides, they did not immediately apprise the higher authorities of the incident.

“We have not got any conclusive evidence to say conclusively whether any BB officials were knowingly involved with the heist. But we have serious suspicion about collusion of at least two officials,” the probe report said.

The lackadaisical work style of the BB officials paved the way for the criminals to hatch the plan.

RECOMMENDATIONS

“It was not right to connect the computers of the BB with the SWIFT network through the RTGS,” the probe report said.

The process for sending SWIFT messages was made insecure in August-October 2015, when the SWIFT system and the BB-RTGS were connected.

It would be logical to de-link the BB-RTGS from SWIFT and keep the SWIFT system running as a standalone system.

Special training should be arranged for the people responsible for sending payment instructions, and the highest level of security clearance should be in place for them.

The probe report recommended taking comprehensive measures through political leadership and diplomatic strategy, and using legal experts.

It called for preparing and maintaining policy documents listing high-level requirements for network architecture and security.

Proper network segmentation needs to be in place at all levels, and user workstations should never reach a server without passing through a firewall.

The operating systems of all machines should be kept up to date with the latest security and other fixes, and anti-virus software should be installed and regularly updated on all machines.

The remote desktop feature should be disabled on critical servers, and workstation users should be cautioned not to browse irrelevant websites.

Access credentials of all the network equipment should be changed periodically, the report recommended.

SWIFT should introduce an SOS message type to immediately warn all concerned parties about possible system breach. Proper IT training needs to be arranged for users at all levels.

Periodic auditing of different aspects of IT infrastructure, security and system usage needs to be performed.

A skilled and educated workforce needs to be employed to manage the network and system operations, the report said.
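Several of the recommendations above are checkable rather than aspirational: that the RTGS and SWIFT systems are not linked, that workstations never reach a server except through a firewall, that only designated operators reach the SWIFT segment, and that remote desktop is not exposed on critical servers. The audit below is an added example written for this article, not a tool from the probe report or from the BB; the zone addressing, the allow-list, the operator list and the flow records are all constructed, and it assumes flow records that name the exporter (firewall or switch) that observed each flow.

```python
import ipaddress
from collections import defaultdict

# Assumed zone addressing and policy, constructed for the example and not the
# bank's real network layout.
ZONES = {
    "workstation": ipaddress.ip_network("10.10.0.0/16"),
    "rtgs":        ipaddress.ip_network("10.20.0.0/24"),
    "app_server":  ipaddress.ip_network("10.30.0.0/24"),
    "swift":       ipaddress.ip_network("10.40.0.0/24"),
}
SERVER_ZONES = {"rtgs", "app_server", "swift"}
SWIFT_OPERATORS = {"10.10.5.11", "10.10.5.12"}   # the only workstations allowed into the SWIFT zone
ALLOWED = {                                     # (src_zone, dst_zone, dport); anything else is denied
    ("workstation", "app_server", 443),
    ("workstation", "rtgs", 8443),
    ("workstation", "swift", 443),              # further restricted to SWIFT_OPERATORS
}
FIREWALL_EXPORTERS = {"fw-core"}                # flow exporters that sit on the firewall

# Constructed flow records: (src, dst, dport, exporter that saw the flow)
SAMPLE_NET_FLOWS = [
    ("10.10.7.20", "10.30.0.5",  443,  "fw-core"),   # permitted, through the firewall
    ("10.10.7.20", "10.30.0.5",  443,  "sw-core"),   # same flow also seen on the core switch
    ("10.10.7.21", "10.30.0.5",  443,  "sw-core"),   # permitted pair, but never crossed the firewall
    ("10.10.5.11", "10.40.0.10", 443,  "fw-core"),   # authorised SWIFT operator
    ("10.10.7.22", "10.40.0.10", 443,  "fw-core"),   # ordinary workstation reaching SWIFT
    ("10.20.0.3",  "10.40.0.10", 445,  "sw-core"),   # RTGS host talking into the SWIFT zone
    ("10.10.7.23", "10.30.0.5",  3389, "fw-core"),   # remote desktop to a server
]


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def audit_network_flows(flows):
    """Return a sorted list of (src, dst, dport, reason) policy violations.
    Flows are first grouped so that a session seen by both the firewall and a
    switch counts as having traversed the firewall."""
    seen_at = defaultdict(set)
    for src, dst, dport, exporter in flows:
        seen_at[(src, dst, dport)].add(exporter)

    violations = []
    for (src, dst, dport), exporters in seen_at.items():
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz, dport) not in ALLOWED:
            violations.append((src, dst, dport, f"{sz}->{dz}:{dport} not permitted by policy"))
        elif dz == "swift" and src not in SWIFT_OPERATORS:
            violations.append((src, dst, dport, "source is not an authorised SWIFT operator"))
        elif dz in SERVER_ZONES and not (exporters & FIREWALL_EXPORTERS):
            violations.append((src, dst, dport, "reached a server without traversing the firewall"))
    return sorted(violations)


if __name__ == "__main__":
    for src, dst, dport, reason in audit_network_flows(SAMPLE_NET_FLOWS):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

Run periodically over exported flow records, the audit gives the kind of evidence the report says was missing: a list of workstation-to-server sessions that bypassed the firewall, any RTGS-to-SWIFT traffic that should not exist once the two are de-linked, and remote desktop sessions to servers where the feature should be disabled.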

DELAY IN PUBLISHING REPORT

As the report was not sent to the central bank from the government, it could not implement the recommendations, said Abu Hena Mohd Razee Hassan, a former deputy governor of the BB and now head of the Bangladesh Financial Intelligence Unit.

He was one of the deputy governors at the time of hacking.

In an interview with The Daily Star recently, AMA Muhith, who was the finance minister when the heist took place, said: “We didn’t publish the Farashuddin committee report as the Fed had something to do with it — they didn’t want the publication of the report.”

“I don’t think it would have caused any harm if the report was published. Maybe at first there would have been problems but not now. I don’t think if it is published now it will cause any problem. It has been so long.”

The government cannot disclose the Farashuddin-led committee’s investigation report on the BB reserve heist so that the probe by the Criminal Investigation Department is not influenced, Finance Minister AHM Mustafa Kamal told parliament in February last year.

The probe body thanked the BB for expediting the hiring of the world-renowned cyber security firm FireEye Mandiant to investigate the incident.