SWIFT and the Bangladeshi Bank Heist

I’ve been following the story of how what are described to be criminal hackers tried to steal $1 billion from Bangladesh’s national bank, in part because of the tie to SWIFT, the financial transfer company (as of now, $81 million are still missing, but Sri Lanka and the Fed managed to reverse or prevent the remainder of the theft attempt). As part of the hack, the thieves stole Bangladesh’s SWIFT credentials (it appears they did this after Bangladesh connected the server running SWIFT transactions to 3 other servers).

“Malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers,” the interim report said. Those servers are operated by the bank but run the SWIFT interface, and the report makes it clear the breach stretches into other parts of the bank’s network as well. “The security breach of the SWIFT environment is part of a much larger breach that is currently under investigation.”

SWIFT is a member-owned cooperative that provides international codes to facilitate payments between banks globally. It can’t comment on the investigation, according to Charlie Booth from Brunswick Group, a corporate advisory firm that represents SWIFT.

“We reiterate that the SWIFT network itself was not breached,” Booth said in an e-mail. “There is a full investigation underway, on what appears to be a specific and targeted attack on the victim’s local systems.” SWIFT said last week its “core messaging services were not impacted by the issue and continued to work as normal.”

Dedicated servers running the SWIFT system are located in the back office of the Accounts and Budgeting Department of Bangladesh Bank. They are connected with three terminals for payment communications.

While SWIFT insists it has not been breached, the hackers used a name making it clear they were targeting the SWIFT system.

On Jan. 29, attackers installed “SysMon in SWIFTLIVE” in what was interpreted as reconnaissance activity, and appeared to operate exclusively with “local administrator accounts.”

SWIFT is sending out a security advisors to its members, advising them to shore up their local operating environments.

On Jan. 29, attackers installed “SysMon in SWIFTLIVE” in what was interpreted as reconnaissance activity, and appeared to operate exclusively with “local administrator accounts.”

In separate news, a local security researcher who had been working on the hack disappeared last week.

In a weird turn of events, one of the security researchers who voiced their criticism at the central bank’s security measures disappeared on Wednesday night.

Family members are saying that Zoha met with a friend at 11:30 PM on Wednesday night, March 16. While coming home, a jeep pulled in front of their auto-rickshaw, and men separated the two, putting them in two different cars.

Zoha’s friend was dumped somewhere in the city (Dhaka) and was able to get home by 02:00 AM, the next day. He then contacted Zoha’s family, who said the security researcher never came home.

The next day, family members tried to report the researcher missing, but police officers just kept redirecting them from one police station to another until the family gave up and contacted the media for help.

[snip]

According to BDNews24, Zoha was a former collaborator of Bangladesh’s ICT (Information and Communication Technology) Division and worked with various government agencies in the past. It appears that his comments about the Bangladesh central bank cyber-heist were made working as a “shadow investigator” for a security company that family members declined to name.

Answering questions about his own investigation into the central bank’s cyber-heist, Zoha said that the “database administrator of the [Bangladesh Bank] server cannot avoid responsibility for such hacking” and that he “noticed apathy about the [server’s] security system.”

From this description and those based on the FireEye report, it seems like Bangladeshi authorities, and not SWIFT, would be the powerful people who might want to make this guy disappear. But I find it interesting that someone who was presumably mirroring FireEye’s work has apparently been kidnapped.

Remember: NSA’s TAO hackers hacked into SWIFT (even though the US has access to SWIFT to obtain counterterrorism information via an intelligence agreement anyway), apparently by accessing printer traffic from what sounds like member banks.

The NSA’s Tracfin data bank also contained data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a network used by thousands of banks to send transaction information securely. SWIFT was named as a “target,” according to the documents, which also show that the NSA spied on the organization on several levels, involving, among others, the agency’s “tailored access operations” division. One of the ways the agency accessed the data included reading “SWIFT printer traffic from numerous banks,” the documents show.

While we don’t have enough detail to assess, it does sound like the NSA got in through vulnerabilities at the member bank level, like these thieves did.

Again, I assume the kidnapping is best explained by Bangladeshi efforts to cover up their own incompetence. But I do find the possibility that SWIFT might be vulnerable due to vulnerabilities at its member banks, too.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

7 replies
  1. orionATL says:

    can we not make a “law” right on the spot re integrated circuit devices used for communication, a law in the spirit of moore’s law:

    law: whereever there is or can be surreptitious government electronic surveillance of ic devices, there will eventually be criminal exploitation of identical or allied surveillance avenues.

    corollary: government surreptitious surveillance organizations, e. g., the u. s. nsa, must have access to target equipment and its data and therefore will always work politically and legally to see that their avenues for surveillance are open regardless of the consequences to organizations or individuals of related criminal surveillance and theft or extortion.

  2. orionATL says:

    speaking of which:

    http://www.theguardian.com/technology/2016/mar/21/flaw-imessage-encryption-ios-9-3

    quotes richard clarke, again

    “… does underscore remarks made by former US counter-terror chief Richard Clarke: that all software has vulnerabilities, and if the FBI simply wanted to break into the iPhone, rather than set legal precedent, then the agency would have other ways in.

    “If I were in the job now, I would have simply told the FBI to call Fort Meade, the headquarters of the National Security Agency, and NSA would have solved this problem for him,” Clarke told NPR. “They’re not as interested in solving this problem as they are in getting a legal precedent.”… “

  3. orionATL says:

    kidnapping to cover up an inside job?

    “… Zoha was a former collaborator of Bangladesh’s ICT (Information and Communication Technology) Division and worked with various government agencies in the past. It appears that his comments about the Bangladesh central bank cyber-heist were made working as a “shadow investigator” for a security company that family members declined to name.

    Answering questions about his own investigation into the central bank’s cyber-heist, Zoha said that the “database administrator of the [Bangladesh Bank] server cannot avoid responsibility for such hacking” and that he “noticed apathy about the [server’s] security system.”… “

  4. SpaceLifeForm says:

    While we don’t have enough detail to assess, it does sound like the NSA got in through vulnerabilities at the member bank level, like these thieves did.

    How do we know these are two separate groups?

  5. TH says:

    You all have to consider the FBI is probably collecting information slower than it’s being destroyed and it’s highly unlikely the researcher is still alive.

    People with enough loot to buy an island and launch corporations don’t need a hostage and leverage or a loose end.. It’s also likely it’s organized crime with government assistance which means all the above is probably being done pretty efficiently compared to criminals working around things.

    As I’ve pointed out elsewhere this is fairly easy to do in any similar country with big banks and little regulation: Cuba, South America, Taiwan, Vietnam, Laos etc..

    All those and more have the same level of infrastructure and regulation.

Comments are closed.