
Case Study: Bangladesh Bank Heist

ELEC-E7470 - Cybersecurity

Hämäläinen, Matias 220657
Mäntylä, Vihtori 69903C
Putkonen, Pauli 345655

1. Abstract
The Bangladesh Bank heist was a series of unauthorized transactions issued from an official
computer of the central bank of Bangladesh. The transactions were made through the SWIFT
system to move the money to accounts in Sri Lanka and the Philippines. The sum targeted by
the theft was nearly $1 billion, but most of the payment orders were blocked, and some of the
stolen assets have since been recovered. The attack has so far been attributed to the hacker
group Lazarus and to North Korea.

2. Introduction
As cyberspace has become an embedded element of contemporary society, banks too have
become vulnerable to cyber attacks. Financial transactions all over the world are conducted
digitally over computer networks, and banks are struggling with security issues in a
never-ending race against malicious hacker groups. Banks have traditionally been perceived
as trustworthy actors when it comes to cyber security, but history knows multiple cases of
successful cyber attacks against banks. These successful and devastating attacks have also
led to a growing fear of cyber attacks among banks (Schuetze, 2016; Kuepper, 2017).

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has warned that
the number of attacks against its network is on the rise (Kuepper, 2017). SWIFT is a
member-owned cooperative that provides safe and secure financial transactions for its
members. Its messaging platform is used worldwide to exchange a daily average of almost
30 million financial transactions (SWIFT, 2017). Needless to say, an attack on a platform like
this can have devastating consequences.

While SWIFT is used to transfer funds, the banks themselves are responsible for their own
cyber security, and this is where attackers exploit weaknesses in the system. For example,
the hacker group Lazarus, with its subgroup Bluenoroff, has targeted and successfully
attacked smaller banks in poorer and less developed countries, whose own cyber security
measures and systems are weaker (Lennon, 2017). The Bangladesh bank heist was conducted
by exploiting such weaknesses to gain access to the SWIFT network, and it became one of
the largest and most successful cyber heists ever (Lennon, 2017). In this case study we go
through the events related to the attack and the aftermath that followed it.

3. Case Presentation

Timeline of the attack

The first preparations for the Bangladesh Bank attack were made in May 2015, when four
bank accounts were opened in a Philippine bank in readiness for the future transactions.
None of the accounts was used until the day of the attack, and they were clearly established
for the attack only. The first failure in the audit process was that none of these accounts or
their owners was authenticated in a way that would have checked the validity of the owners
or the transactions. This kind of procedure is not unusual when a bank account is opened,
but the bursts of activity that occurred in February 2016 should have triggered action under
sound audit procedures. (Fin, 2016)

The breach of Bangladesh Bank was made in January 2016 by exploiting the lack of a
firewall, probably with help from an insider (Fin, 2016). An official statement of the real
timeline of the attack is still missing, as the final report from the CID has been delayed 13
times as of this writing (BDNews 24, 2017). Because the official report has not been finished,
the dates and events presented here carry some uncertainty. Access to the bank's servers
made it possible to reach the SWIFT system and inject malware into it, as it was not
segregated from the other parts of the network. It is very likely that the attackers also
installed a keylogger to capture the passwords needed to authorize the transactions. (Fin, 2016)

The target of the attack was the SWIFT Alliance Access software, which is widely used in
banks around the world (Fin, 2016). The attack itself started on February 4, 2016 with 35
payment instructions worth $951M sent to the Federal Reserve Bank. The first five
transactions were completed, but the remaining ones were blocked, partly because of
mistakes made by the attackers. The completed payments, worth about $100M, were directed
to accounts in the Philippines and Sri Lanka. Between February 5 and 9 the attackers were
able to withdraw $81M in total under fictitious identities. The unauthorized messages were
noticed at Bangladesh Bank on February 8 (Bloomberg, 2016).

Detection

The Guardian (2016b) reported that a bank heist worth almost 1 billion US dollars had been
averted thanks to a spelling mistake in a payment transaction, which prevented the
automatic system from completing the transfer. As a result, Deutsche Bank flagged the
transaction as suspect. Nevertheless, as the transaction had already been approved by the
Fed, it was forwarded to Sri Lanka. There it was caught by a banking official in the receiving
bank, as the transfer was unusually large for Sri Lanka. Before clearing the transfer, the Sri
Lankan official contacted Deutsche Bank, which confirmed that the transfer was indeed
suspect. As the recipient turned out to be a fake entity, the bank was able to freeze the funds
and ultimately return them to the originating bank. Out of the reported total of $870m in
transactions, the attackers managed to transfer only $81m. Independently, the Fed alerted
the central bank of Bangladesh after detecting that the number of transfers to non-banking
entities had surged. Without the spelling mistake and the diligent work of banking officials,
the attackers could have got away with a far larger sum after successfully inserting the
forged transactions into the SWIFT network.

Identity of the attacker

Even though the attackers tried to remove all evidence from the bank's systems, Kaspersky
(2017a) managed to access some of the data through backups of the systems. The recovered
files indicate that the techniques and tools used in the attack can be linked to a group known
as Lazarus. Kaspersky (2017a) summarises the activities of the Lazarus group as follows:
“It’s malware has been found in many serious cyberattacks, such as the massive data leak
and file wiper attack on Sony Pictures Entertainment in 2014; the cyberespionage campaign
in South Korea, dubbed Operation Troy, in 2013; and Operation DarkSeoul, which attacked
South Korean media and financial companies in 2013.”

In their report, Kaspersky (2017a) thoroughly analyzes the malware used in the attack. The
analysis of the disassembled bytecode shows that some of the malware is identical to the
malware used in some of the incidents mentioned above. Even though parts of the code have
been modified, probably in order to change the signature of the malware and avoid detection
by automated traffic analysis tools, the malware samples from the different incidents share
some obscure techniques, which suggests that the payloads used in the attacks could come
from the same author or group. One of the obscure techniques found by Kaspersky (2017a)
is the complete overwriting of file contents followed by renaming the file before deletion.
Overwriting file contents, possibly multiple times, is commonly used to try to remove the
data from the physical device and hinder forensic data recovery attempts. However,
Kaspersky (2017a) notes that attackers most often do not include renaming in their file
destruction procedures.

Little is known about the members of the group. However, when combing through logs of a
more recent incident linked to the Lazarus group, Kaspersky (2017b) found a link to North
Korea. While criminals usually mask their real location and IP addresses by using VPN
services and proxies, the server logs of a seized Command & Control server indicated that
the server had been accessed once from a North Korean IP address. While an IP address is
not solid evidence of North Korea's involvement in the group's activities, it is nevertheless
compelling to consider that the connection could indeed originate from the operator's real IP
address. It is entirely possible that either human error or a misconfiguration led some of the
operator's network traffic to be routed directly to the host instead of through a network of
proxies and VPNs. This reasoning is also supported by Novetta's (2016) report, which
suggests that the group has especially been targeting South Korean and US-based entities,
i.e. adversaries of North Korea. However, due to the nature of cyberspace, it is extremely
difficult to identify the true origin of any connection. Attackers could also simply want to
throw researchers off the real tracks by leaving behind purportedly solid evidence.

4. Discussion
In addition to the monetary loss of $81m, the incident severely harmed trust in the IT
systems of the global banking sector. It is clear that the global monetary network is only as
secure as the weakest bank in the alliance. SWIFT's model seems to have failed to provide a
layered security approach, which allowed the attackers to exploit the system without
compromising the core servers of the SWIFT network. The architecture of the infrastructure
has also been questioned by Deutsche Bank (Schuetze, 2016), and hopefully the system will
become more resilient to cyber threats. SWIFT has taken action and warned its member
banks about the growing threat against the financial network, but the potential scale of
damage demonstrated by the Bangladesh Central Bank case calls for more concrete
measures and a system-level revision of the financial network. The current state, in which
the global financial network can be compromised through negligent cyber security at banks
in developing countries, casts a great shadow of unreliability over the global financial sector.
The Bangladesh bank heist amounted to a motion of no confidence in the global financial
systems.

Weekend procedures should also be considered a vulnerability in the banking sector. The
success of the heist relied largely on timing over a weekend: the lack of sufficient monitoring
and means of communication during the weekend meant that the unauthorized transactions
were not noticed until four days after the attack. In other words, the success of this cyber
attack depended not only on the cyber domain but also on the physical one. This illustrates
the nature of cyber security: it cannot be assessed in a vacuum. The suggested insider theory
about the origin of the attack also supports this view, as the involvement of a physical
human in the attack was needed.
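As an added illustration (not part of the original paper), the following Python sketch applies the controls described in the Detection section and in the weekend paragraph above to a constructed batch of payment orders: a beneficiary name that does not match the account holder, an amount unusually large for the destination, a surge of transfers to non-banking entities, and submission on a weekend or outside business hours. The registry, the baseline amounts and the orders are all constructed, not real SWIFT data.

```python
"""Added illustration of the controls that caught the Bangladesh Bank transfers,
applied to constructed payment orders (not real SWIFT messages)."""
from datetime import datetime

# Constructed registry: account -> beneficiary name the receiving bank holds on file.
REGISTRY = {"LK-0001": "Example Foundation", "PH-0001": "Example Corp",
            "PH-0002": "Example Bank"}
# Constructed baselines: largest routine transfer (USD) per destination country.
TYPICAL_MAX = {"LK": 5_000_000, "PH": 10_000_000}

# Constructed batch; order 1 carries the "spelling mistake" in the beneficiary name.
SAMPLE_ORDERS = [
    {"id": 1, "beneficiary": "Example Fandation", "account": "LK-0001", "amount": 20_000_000,
     "country": "LK", "type": "non-bank", "submitted": "2016-02-04 23:40"},  # Thursday night
    {"id": 2, "beneficiary": "Example Corp", "account": "PH-0001", "amount": 6_000_000,
     "country": "PH", "type": "non-bank", "submitted": "2016-02-05 01:10"},  # Friday, 01:10
    {"id": 3, "beneficiary": "Example Bank", "account": "PH-0002", "amount": 2_000_000,
     "country": "PH", "type": "bank", "submitted": "2016-02-03 11:00"},  # Wednesday, office hours
    {"id": 4, "beneficiary": "Example Corp", "account": "PH-0001", "amount": 1_000_000,
     "country": "PH", "type": "non-bank", "submitted": "2016-02-06 10:00"},  # Saturday
]


def normalise(name):
    """Case- and whitespace-insensitive form; a misspelt name still fails to match."""
    return " ".join(name.lower().split())


def screen_orders(orders, registry=REGISTRY, typical_max=TYPICAL_MAX, surge_limit=3):
    """Return {order_id: [reasons]} for every order that should be held for manual review."""
    findings = {}

    def flag(order_id, reason):
        findings.setdefault(order_id, []).append(reason)

    # The Fed's signal: how many orders in this batch go to non-banking entities?
    nonbank_total = sum(1 for o in orders if o["type"] != "bank")
    for o in orders:
        on_file = registry.get(o["account"])
        if on_file is None or normalise(on_file) != normalise(o["beneficiary"]):
            flag(o["id"], "beneficiary name does not match account holder")
        if o["amount"] > typical_max.get(o["country"], 0):
            flag(o["id"], "amount unusually large for destination")
        if o["type"] != "bank" and nonbank_total >= surge_limit:
            flag(o["id"], "surge of transfers to non-banking entities")
        when = datetime.strptime(o["submitted"], "%Y-%m-%d %H:%M")
        if when.weekday() >= 5 or not 9 <= when.hour < 17:
            flag(o["id"], "submitted on a weekend or outside business hours")
    return findings
```

Running `screen_orders(SAMPLE_ORDERS)` holds orders 1, 2 and 4 for review and lets the routine bank-to-bank order 3 through; the surge check only fires once the whole batch is examined, which is why the Fed, seeing all the instructions, could notice what a single receiving bank could not.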

In the fallout of the incident, the governor of the Bangladesh central bank personally took the
hit for the heist and resigned from his post (The Guardian, 2016a). Additionally, the central
bank of the Philippines imposed a fine of 1 billion pesos ($21.3M) on Rizal Commercial
Banking Corporation (Aquino and Yap, 2016). The bank had been used to transfer the money
from the heist to casinos in order to launder it. Apparently, the bank had failed to follow
regulations against fraud and theft. It should now be clear that the leaders of the banking
world need to improve the state of cybersecurity globally, both by developing more secure
systems and by training their personnel to detect anomalies. As the fraud was only detected
after human intervention, it should be clear that the current state of automated fraud
detection and prevention mechanisms is not yet at an adequate level, and it may never be.
After all, a computer program following its programming is much more easily fooled than an
actual, well-trained, thinking human being.

North Korea's possible involvement brings the heist to another level: a political one. When
governments get involved in a malicious cyber attack, the reactions, especially in the media,
become fierce. This could have major political consequences if it is considered cyber
warfare. For example, as a result of Russia's alleged interference in the 2016 US presidential
election, dozens of Russian diplomats were expelled. In the case of the Bangladesh bank
heist it should be noted that, due to their difficult history, the US might have a political
interest in pointing to North Korea as a scapegoat in the incident. Thus the accusations of
North Korea's involvement should not be embraced without caution. However, Kaspersky, a
Russian company, has also pointed to North Korea's possible involvement in the bank heists
conducted by Lazarus. Whoever or whatever organization was eventually behind the bank
heist, the most important thing is to focus on revising and enhancing the cybersecurity of
financial messaging networks and the cybersecurity strategies of individual banks.

5. References
Aquino, N. and Yap, C. (2016). Philippines Slaps $21.3 Million Fine on Rizal Bank for Heist. Bloomberg. [online] Available at: https://www.bloomberg.com/news/articles/2016-08-05/philippines-slaps-21-3-million-penalty-on-rizal-bank-for-heist [Accessed 21.4.2017].

Bloomberg. (2016). How $81 Million Slipped Through Philippine Cracks: Timeline. [online] Available at: https://www.bloomberg.com/news/articles/2016-03-20/how-81-million-slipped-through-philippine-cracks-timeline [Accessed 21.4.2017].

BDNews24. (2017). CID delays Bangladesh Bank heist report for 13th time. [online] Available at: http://bdnews24.com/bangladesh/2017/04/18/cid-delays-bangladesh-bank-heist-report-for-13th-time [Accessed 21.4.2017].

Fin. (2016). Anatomy of a bank heist - What exactly happened when $81 million disappeared from a Bangladeshi bank, and what does it mean for SWIFT? [online] Available at: https://fin.plaid.com/articles/anatomy-of-a-bank-heist [Accessed 24.4.2017].

Kaspersky. (2017a). Lazarus Under the Hood. Report. [online] Available at: https://securelist.com/files/2017/04/Lazarus_Under_The_Hood_PDF_final.pdf [Accessed 21.4.2017].

Kaspersky. (2017b). Lazarus Under the Hood. Blog. [online] Available at: https://securelist.com/blog/sas/77908/lazarus-under-the-hood/ [Accessed 21.4.2017].

Kuepper, J. (2017). Cyber Attacks and Bank Failures: Risks You Should Know. Investopedia. [online] Available at: http://www.investopedia.com/articles/personal-finance/012117/cyber-attacks-and-bank-failures-risks-you-should-know.asp [Accessed 21.4.2017].

Lennon, M. (2017). Kaspersky Links Global Cyber Attacks to North Korea. SecurityWeek. [online] Available at: http://www.securityweek.com/kaspersky-links-global-cyber-attacks-north-korea [Accessed 21.4.2017].

Novetta. (2016). Operation Blockbuster Report. [online] Available at: https://www.scribd.com/doc/300300228/Operation-Blockbuster-Report [Accessed 21.4.2017].

Schram, J. (2016). "Congresswoman wants probe of 'brazen' $81M theft from New York Fed". New York Post. [online] Available at: http://nypost.com/2016/03/22/congresswoman-wants-probe-of-brazen-81m-theft-from-new-york-fed/ [Accessed 21.4.2017].

Schuetze, A. (2016). Deutsche Bank calls for reform of global financial messaging system SWIFT. Reuters. [online] Available at: http://www.reuters.com/article/us-deutsche-bank-swift-idUSKCN11D1WA [Accessed 21.4.2017].

Shevchenko, S. and Nish, A. (2016). "Cyber Heist Attribution". BAE Systems Threat Research Blog. [online] Available at: http://baesystemsai.blogspot.fi/2016/05/cyber-heist-attribution.html [Accessed 21.4.2017].

Shevchenko, S. (2016). "Two bytes to $951m". BAE Systems Threat Research Blog. [online] Available at: https://baesystemsai.blogspot.fi/2016/04/two-bytes-to-951m.html [Accessed 21.4.2017].

SWIFT. (2017). SWIFT FIN Traffic & Figures. [online] Available at: https://www.swift.com/about-us/swift-fin-traffic-figures [Accessed 21.4.2017].

The Guardian. (2016a). "Bangladesh central bank governor resigns over $81m cyber heist". [online] Available at: https://www.theguardian.com/world/2016/mar/15/bangladesh-central-bank-governor-resigns-over-81m-dollar-cyber-heist [Accessed 21.4.2017].

The Guardian. (2016b). "Spelling mistake prevented hackers taking $1bn in bank heist". [online] Available at: https://www.theguardian.com/business/2016/mar/10/spelling-mistake-prevented-bank-heist [Accessed 21.4.2017].
