
Bangladesh Bank Money Heist

Abstract:
In February 2016, payment instructions worth nearly $1 billion were fraudulently issued against Bangladesh Bank's account at the Federal Reserve Bank of New York. The instructions appeared to come from an official computer of the central bank of Bangladesh and ordered the money sent to the Philippines and Sri Lanka in 35 separate transfer orders, all carried over the SWIFT messaging system. The attack was interrupted after five transfers worth $81 million had been completed. It has since been attributed to the Lazarus group and to North Korea.

Purpose of the study:

This report examines:
● the cybercrime committed against Bangladesh Bank;
● why this crime would very likely have been impossible had there been an effective internal control system at both the central banks involved and in the SWIFT environment;
● the action taken in response to the heist;
● identification and implementation of IT infrastructure for Bangladesh Bank's security;
● the international reaction to this exceptionally large cybercrime.

Introduction :

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has warned that the number of attacks against its network is on the rise (Kuepper, 2017). SWIFT is a member-owned cooperative that provides a secure messaging platform for financial transactions between its members. The platform is used worldwide and carries a daily average of almost 30 million financial messages (SWIFT, 2017). Needless to say, an attack on a platform of this reach can have devastating consequences. Cybercrime is a standing threat to networked systems, and the number of incidents grows day by day; the US National Security Agency (NSA) alone reportedly sees some 300 million hacking attempts per day.

While SWIFT carries the transfer messages, each member bank is responsible for its own cyber security, and this is where attackers exploit weaknesses. For example, the group known as Lazarus, through its subgroup Bluenoroff, has targeted and successfully attacked smaller banks in poorer and less developed countries, whose security measures and systems are correspondingly weaker (Lennon, 2017). The Bangladesh Bank heist was carried out by exploiting such weaknesses to gain access to the SWIFT network. A badly incomplete story has been fed to the public media: that cybercriminals stole credentials, got into Bangladesh Bank's IT systems and then generated valid SWIFT messages. On its own this should be impossible, because access to the SWIFT environment is subject to robust controls over both physical and logical access: physical controls protect the premises, and logical controls restrict each user's access to what their business need requires.
Description:
1. Timeline of the attack:
The first preparations for the attack on Bangladesh Bank were made in May 2015, when four accounts were opened at a bank in the Philippines to receive the future transfers. None of the accounts was used before the day of the attack; they were clearly set up for the attack alone. The first failure of control lay here: neither the accounts nor their owners were verified at opening, so nothing checked the validity of the owners or of the later transactions.
The breach of Bangladesh Bank itself took place in January 2016, exploiting the absence of a firewall and probably with help from inside (Fin, 2016). No official timeline exists yet, as the final report from the CID has been delayed thirteen times at the time of writing (BDNews 24, 2017); the dates and events given here therefore carry some uncertainty. The target was the SWIFT Alliance Access software, which is widely used by banks around the world (Fin, 2016). The attack proper began on February 4, 2016, with 35 payment instructions worth $951M sent to the Federal Reserve Bank of New York. The first five were executed; the remainder were blocked, partly thanks to mistakes made by the attackers. The payments that went through were destined for the Philippines and Sri Lanka and were worth about $100M in total. Between February 5 and 9 the attackers, operating through accounts held in fictitious names, withdrew $81M. Bangladesh Bank noticed the unauthorized messages on February 8 (Bloomberg, 2016).
2. Detection:
Deutsche Bank, acting as a correspondent bank, had flagged the Sri Lankan transfer as suspect. Nevertheless, as the transaction had already been approved by the Fed, it was forwarded to Sri Lanka. There it was caught by an official at the receiving bank, because the transfer was unusually large for Sri Lanka. Before clearing it, the Sri Lankan official contacted Deutsche Bank, which confirmed that the transfer was indeed suspect. As the recipient turned out to be a fictitious entity, the bank was able to freeze the funds and ultimately return them to the originating bank. Of the reported total (given as $870m here and as $951m in the timeline above), the attackers managed to move only $81m. Independently, the Fed alerted the central bank of Bangladesh after noticing that the number of transfers to non-banking entities had surged. Without the spelling mistake in the Sri Lankan order and the diligence of bank staff, the attackers would have got away with a far larger sum, since the forged transactions had already been successfully inserted into the SWIFT network.
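The detection section above describes four signals that caught the fraudulent orders: a transfer unusually large for its destination, a surge of transfers to non-banking entities, a payment to an account never used before, and a beneficiary name that did not match. The following is an added example written for this report; it is not code from Bangladesh Bank, the New York Fed, SWIFT or any other institution named in the text. It implements those four signals as screening rules over a small batch of constructed payment orders and holds anything flagged until the originator reconfirms it out of band. Every account number, name, amount and threshold in it is invented for the example.

```python
"""Screening rules for outgoing payment orders, modelled on the checks described above.

Example code written for this report; constructed sample data, not production logic
from any of the institutions named in the text.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Set, Tuple

HOLD = "HOLD_FOR_RECONFIRMATION"
EXECUTE = "EXECUTE"


@dataclass(frozen=True)
class PaymentOrder:
    ref: str
    amount_usd: float
    dest_country: str          # ISO 3166 alpha-2 country of the receiving bank
    beneficiary_account: str
    beneficiary_name: str
    beneficiary_is_bank: bool  # True for bank-to-bank, False for a company or person


@dataclass
class ScreeningContext:
    typical_max_by_country: Dict[str, float]  # largest amount previously sent per country
    known_accounts: Set[str]                  # accounts this originator has paid before
    names_on_file: Dict[str, str]             # beneficiary name on file per account
    nonbank_surge: int = 3                    # non-bank beneficiaries per batch that count as a surge


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def name_check(given: str, on_file: str) -> Optional[str]:
    """Return a reason if the beneficiary name differs from the name on file, else None.

    A near miss (a dropped or swapped letter) is reported separately from a wholly
    different name, because a near miss is the kind of slip a reviewer tends to wave through.
    """
    a, b = _norm(given), _norm(on_file)
    if a == b:
        return None
    ratio = SequenceMatcher(None, a, b).ratio()
    if ratio >= 0.8:
        return f"name '{given}' is a near-miss for '{on_file}' on file (similarity {ratio:.2f})"
    return f"name '{given}' does not match '{on_file}' on file"


def screen_order(order: PaymentOrder, ctx: ScreeningContext) -> List[str]:
    """Per-order rules: corridor size, beneficiary type, account history, beneficiary name."""
    reasons: List[str] = []
    ceiling = ctx.typical_max_by_country.get(order.dest_country, 0.0)
    if order.amount_usd > ceiling:
        reasons.append(f"{order.amount_usd:,.0f} USD exceeds prior maximum of "
                       f"{ceiling:,.0f} USD to {order.dest_country}")
    if not order.beneficiary_is_bank:
        reasons.append("beneficiary is not a bank")
    if order.beneficiary_account not in ctx.known_accounts:
        reasons.append(f"first payment ever to account {order.beneficiary_account}")
    on_file = ctx.names_on_file.get(order.beneficiary_account)
    if on_file is not None:
        mismatch = name_check(order.beneficiary_name, on_file)
        if mismatch:
            reasons.append(mismatch)
    return reasons


def screen_batch(orders: List[PaymentOrder],
                 ctx: ScreeningContext) -> Dict[str, Tuple[str, List[str]]]:
    """Apply the per-order rules plus the batch-level surge rule.

    Returns {ref: (decision, reasons)}. Any reason at all holds the order until the
    originator reconfirms it out of band; a hold is never lifted merely because the
    message itself authenticated correctly.
    """
    results = {o.ref: screen_order(o, ctx) for o in orders}
    nonbank = sum(1 for o in orders if not o.beneficiary_is_bank)
    if nonbank >= ctx.nonbank_surge:
        # The surge is a property of the originating session, so it taints every order in it.
        for o in orders:
            results[o.ref].append(f"{nonbank} non-bank beneficiaries in one batch "
                                  f"(surge threshold {ctx.nonbank_surge})")
    return {ref: (HOLD if reasons else EXECUTE, reasons) for ref, reasons in results.items()}


# Constructed sample history and batch; every name, account and amount is invented.
SAMPLE_CONTEXT = ScreeningContext(
    typical_max_by_country={"PH": 2_000_000.0, "LK": 500_000.0, "DE": 50_000_000.0},
    known_accounts={"DE-0001", "LK-7788"},
    names_on_file={"DE-0001": "Example Landesbank", "LK-7788": "Example Foundation"},
)

SAMPLE_BATCH = [
    PaymentOrder("TX1", 25_000_000.0, "PH", "PH-1001", "Account Holder One", False),
    PaymentOrder("TX2", 30_000_000.0, "PH", "PH-1002", "Account Holder Two", False),
    PaymentOrder("TX3", 20_000_000.0, "LK", "LK-7788", "Example Foundaton", False),  # misspelt
    PaymentOrder("TX4", 1_000_000.0, "DE", "DE-0001", "Example Landesbank", True),    # routine
]

if __name__ == "__main__":
    for ref, (decision, reasons) in screen_batch(SAMPLE_BATCH, SAMPLE_CONTEXT).items():
        print(ref, decision)
        for r in reasons:
            print("   -", r)
```

Run on the sample batch, the three non-bank orders are each held on several grounds, and the routine interbank order TX4 is held as well, on the single ground that the batch it arrived in shows a surge of non-bank beneficiaries. That is deliberate: the surge says something about the originating session rather than about any one message, so the right response is to send the whole batch back for out-of-band reconfirmation rather than execute the orders that look clean on their own. The same TX4 submitted in a batch by itself executes without a hold.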

3. Identity of the attacker:

Even though the attackers tried to remove all evidence from the bank's systems, Kaspersky (2017a) managed to recover some data from backups of those systems. The recovered files indicate that the techniques and tools used in the attack can be linked to the group known as Lazarus. Kaspersky (2017a) summarises the group's activities as follows: "Its malware has been found in many serious cyberattacks, such as the massive data leak and file wiper attack on Sony Pictures Entertainment in 2014; the cyberespionage campaign in South Korea, dubbed Operation Troy, in 2013; and Operation DarkSeoul, which attacked South Korean media and financial companies in 2013."
4. Discussion:
In addition to the monetary loss of $81m, the incident severely harmed trust in the IT systems of the global banking sector. It is clear that the global payment network is only as secure as the weakest bank in the alliance. SWIFT's model appears to have failed to provide layered security: the attackers were able to abuse the system without compromising the core servers of the SWIFT network at all. Deutsche Bank has also questioned the architecture of the infrastructure (Schuetze, 2016), and it is to be hoped that the system will become more resilient to cyber threats.
In the fallout of the incident, the governor of the Bangladesh central bank took personal responsibility for the heist and resigned from his post (The Guardian, 2016a). Additionally, the central bank of the Philippines fined Rizal Commercial Banking Corporation 1 billion pesos ($21.3M). That bank had been used to move the stolen money on to casinos in order to launder it, and had apparently failed to follow regulations against fraud and theft. It should now be clear that the leaders of the banking world need to improve the state of cybersecurity, both by developing more secure systems and by training their personnel. Whoever was ultimately behind the heist, the most important thing is to revise and strengthen the cybersecurity of financial messaging networks and the cybersecurity strategies of individual banks.

5. Line Drawing:
Negative Paradigm:
(a) Bangladesh Bank lost $81 million. What could be more negative than this?
(b) The incident damaged Bangladesh Bank's standing with other countries.
(c) After the incident, Dr Atiur Rahman, a leading figure in the economy of Bangladesh, was compelled to resign.

Positive Paradigm:
(a) The Bangladesh government has strengthened the security of the system since the incident.
(b) The investigation to identify the insider who helped the attackers is still running, and its outcome should help to reduce corruption.
Overall, the incident is a lesson for Bangladesh Bank and for every other bank with a weak security system.

6. International Reaction:

The New York Fed claimed that the payment orders it approved had been duly authenticated by SWIFT. An unresolved question is how SWIFT validated the 35 payment orders and what further checks the New York Fed carried out as part of its own internal control system. Carolyn B. Maloney, Ranking Member in the U.S. House of Representatives, raised several questions about this claim. They are reproduced below.
❖ Firstly, is it appropriate to rely solely on authentication from SWIFT for payments from the accounts of foreign central banks?
❖ Secondly, why did the New York Fed block the last 30 transfer orders but not the first 5? What was it about the last 30 orders that raised the New York Fed's suspicions?
❖ Thirdly, the New York Fed requested reconfirmation from Bangladesh Bank of all 35 payment orders, but executed the first 5 without receiving any reconfirmation. What is the New York Fed's policy regarding reconfirmation, and was it observed in this case?
❖ Finally, why did the New York Fed not question the apparent misspelling in the $20 million transfer order to the Sri Lankan account, as a correspondent bank did?
7. Recommendation:
An international inquiry is needed to fully understand the ring behind this unprecedented cybercrime. While the Philippine Senate led an inquiry, the Government of Bangladesh and its central bank maintained an opacity from the very beginning.
(a) Duty and rights ethics:
For this case study the duty and rights ethics divide into two parts.
1. What the Philippine bank should have done: opening the four accounts without proper authentication was illegal. Moreover, when the huge sum of $81 million arrived, the bank should have checked and double-checked those accounts, just as the Sri Lankan bank did; notably, the accounts had never been used before this transaction. Instead it took no step to stop the transactions. It is well known that casinos are one of the easiest channels for money laundering, the easiest way to turn black money into white, and the Philippine bank helped the attackers by forwarding all of the money to casinos on their instructions. It showed no professional ethics. How could it act this way? It was thoroughly corrupt. It should have stopped the transactions and returned the money to the originating account.
2. What Bangladesh Bank should have done:
The bank was reckless about the missing firewall. As the proverb says, "little things should not be neglected": this lack of professional duty led to a robbery of $81 million. Moreover, according to the FBI report there was an insider helper, which means that a corrupt person inside the bank assisted the attackers. Staff should be honest to their duty.

Conclusion:

Professionals must have professional ethics. In this case study we have seen a lack of professional ethics in the authorities of Bangladesh Bank and of the Philippine bank. Had they been honest and sincere in their duty, an event such as this would never have happened. It is a remarkable incident in the history of Bangladesh, and we should stay alert to every kind of security and technological issue.
