How cyber criminals targeted almost $1bn in Bangladesh Bank heist

March 20, 2016

The printer failure that greeted Jubair Bin Huda, joint director for accounts at Bangladesh’s central bank, when he went to its Dhaka headquarters one morning last month was frustrating but not particularly alarming.

Friday February 5 was the start of the weekend in this predominantly Muslim country and — not for the first time — the printer in the secure transactions room was faulty. That meant he could not collect the usual list of the previous day’s transactions.

The next day, Mr Bin Huda and colleagues went to the office again and found they could not open the Swift financial transaction system. In a report filed this week at a Dhaka police station, he said the system “was giving a notification on the monitor: ‘A file is missing or changed’.”

Clearly, something was wrong. Yet it took a further two days for it to dawn on Bangladesh Bank that it had been the victim of one of the most successful bank robberies in history, in which cyber thieves netted $81m after executing a series of transactions via the New York Federal Reserve to accounts in Sri Lanka and the Philippines.

Bank officials say that once they noticed the transactions, they issued stop orders to the Fed and Rizal Commercial Banking Corporation (RCBC) in Manila, US intermediaries Citi, Bank of New York Mellon and Wells Fargo, and Sri Lanka’s Pan Asia Banking Corporation. But they were too late.

The cyber heist has sent tremors around the world among banks and large corporations that keep big balances in their accounts to pay millions of dollars to suppliers and staff.

When they finally gained access to their computers and printers on February 6, Mr Bin Huda and his staff found a series of messages from the New York Fed, where Bangladesh, like many nations, holds part of its foreign exchange holdings. The messages queried dozens of transfers apparently executed by Bangladesh Bank on Thursday February 4 through the Swift system and destined for accounts in third countries.

Five of the mysterious orders, worth $101m, had been carried out. Some $20m of the money was sent to one account in the name of a non-governmental organisation in Sri Lanka — although that amount was eventually recovered, apparently because an intermediary bank had queried the misspelling of “Foundation” as “Fandation” in the beneficiary’s name.

A further $81m went to four accounts in the Philippines, purportedly for payments in relation to Bangladeshi infrastructure projects, including bridges, a power station and the Dhaka metro. That money then disappeared into the casino industry and has yet to be recovered.

For reasons as yet unknown, the Fed in New York did not carry out a further 30 transfers ordered by the thieves who — according to Bangladesh Bank officials — had somehow inserted malicious software known as malware into the central bank’s computer systems, probably as far back as January. If all those orders had been carried out, Bangladesh Bank could have lost $951m.

Sunday February 7, the start of the week in Bangladesh, was not a working day for banks in the US, and the Bangladeshis failed to reach their New York counterparts despite trying to communicate by email, fax and telephone on Saturday and Sunday. Monday February 8, furthermore, was a holiday for the Chinese new year in the Philippines, where many business people are of Chinese origin.

“We were scared,” said one senior Bangladesh Bank official with knowledge of the events. “The picture was not clear. We did not know how much money went out.”

It was not until the end of February that the scandal became public, and it was only this Tuesday that Atiur Rahman, Bangladesh Bank governor, resigned to take responsibility, as AMA Muhith, finance minister, fulminated about how “very incompetent” the central bank had been. Two of Mr Rahman’s deputies, Nazneen Sultana and Mohammed Abul Quasem, were fired.

In both Bangladesh and the Philippines, politicians and government officials are furious at the bankers for failing to stop the crime. Emmanuel Dooc, a lawyer for the Anti-Money Laundering Council (AMLC) in the Philippines, said the country urgently needed regulatory reform. “The lesson we learnt from this is unmistakable . . . There are gaping holes in our laws.”

Bankers, governments, corporate chief executives and cyber security experts are now eager to know how the thieves successfully executed such a large theft from what should have been a secure sovereign account belonging to one of the world’s poorest countries.

The culprits are likely to have started planning the operation more than a year ago. The four Manila accounts to which the New York Fed transferred the money were opened in May 2015. They were not used until the Bangladeshi money was transmitted last month, and investigators now say the driving licences used as identity documents to open those four accounts were fake.

Investigators trying to follow the money lost the trail in the casinos, where they say the cash was laundered, it emerged this week at a formal probe into the scam launched by the Senate of the Philippines.

According to Julia Bacay Abad of the AMLC, the money made its way into four accounts with RCBC on Jupiter Street in Metro Manila’s Makati business district on February 5 — the same day that Mr Bin Huda, 3,400km away in Dhaka, found the printer not working at the Bangladesh central bank.

Over the following week, Ms Abad said, the funds were transferred to an account under the name of William So Go and to Philrem, a money remittance company, and then into the Philippines’ burgeoning casino industry.

About $29m made its way into accounts held by Bloomberry Resorts and $21m to Eastern Hawaii Leisure Company, with another $31m delivered in cash by Philrem to an individual by the name of Weikang Xu, described by one Bloomberry representative as a “junket agent” organising trips for gamblers. “Our money trail ended there — at the casinos,” concluded Ms Abad.

At Tuesday’s hearing, the spotlight fell on Maia Santos Deguito, manager of the Jupiter Street branch of RCBC, who opened the Go dollar account and arranged transfers from it, but she invoked her right to silence at the hearing to avoid any self-incrimination. The closed-circuit television cameras at the branch were out of order for the crucial days between February 4 and 9.

A total of 44 bank accounts in the Philippines have now been frozen in connection with the case.

All down the chain, from Dhaka through New York to the Philippines, bankers and technology providers have denied fault in executing what a Bangladesh Bank official called the “mis-instructions” to send millions of dollars to the wrong people.

Swift said it was working with Bangladesh Bank “to resolve an internal operational issue at the central bank” and denied its own network had been compromised.

The New York Fed said there was no evidence that anyone had attempted to penetrate its systems in connection with the payments, or that Fed systems were compromised. “The payment instructions in question were fully authenticated by the Swift messaging system in accordance with standard authentication protocols,” it said.

Officials did confirm that the Fed had blocked 30 of the 35 transactions ordered and that there was an “ongoing investigation”, but would not say what had aroused the Fed’s suspicions. On the five that succeeded, one official said: “We heard it looks like somebody got their hands on these access codes, they were correct and they went through . . . Bangladesh is trying to find out if it was an inside job.”

Citibank, Bank of New York Mellon and Wells Fargo all declined to comment.

Lorenzo Tan, chief executive of RCBC, said his bank vehemently denied “any and all knowledge, complicity or participation in the alleged money laundering of $100m in the Philippines”. Mr Go, meanwhile, denies ever opening the relevant account with RCBC. Silverio Benny Tan of Bloomberry said the receipt of millions of dollars was not questioned by the casino operator. “It was Chinese new year,” he said. “So the expectation was for more play, so it was not unusual.”

Yet the origins of the disaster lie at the Bangladesh end of the transactions, where unknown cybercriminals managed to plant malware in the computer systems. According to Bangladesh Bank officials, the malware cloned legitimate transactions and then orchestrated the 35 fake money transfer orders.

At least two groups of external information technology experts are now working on the problem at Bangladesh Bank headquarters, including Mandiant, a unit of cyber security group FireEye.

FireEye has so far refused to comment on the case, but said such cyber attacks were particularly common in Asia. “In the second half of 2015, 27 per cent of our customers in the Asia Pacific faced an advanced attack. The global average is 15 per cent.”

IT experts say Bangladesh Bank could have fallen victim to “email spear-phishing”, where criminals study the lives and working habits of their targets and then send them a link or an attachment which, when opened, gives the criminals control of a computer without the target knowing. If such an internet-connected computer was linked even indirectly to the bank’s payments system, it could have introduced the malware used to carry out the attack. “If I look across Asia, most organisations have no real defence against this,” said Bryce Boland, FireEye’s chief technology officer for Asia-Pacific.

The Swift system at banks is very secure: it uses a “smart card” containing a unique digital key inserted into a special machine, and a complex authentication process. But the successful theft shows that in Bangladesh Bank’s case the process was not impenetrable.

“There’s a lot of ways that you can steal money from a bank. The easiest way is to create a completely legitimate transfer and change the counterparties,” Mr Boland said. “Yes, it’s absolutely possible to attack multi-factor authentication. We’ve seen malware for a number of years developed specifically to intercept the pass phrases that are used to unlock smart cards.”

Bangladesh, including its government institutions and its banking system, is notoriously corrupt and prone to bank frauds, and neither the Bangladeshis nor the Fed have ruled out the possibility the hackers were assisted by someone on the inside. “Our experts and forensic firms, they are still thinking it’s a matter of investigation whether somebody from here was associated with it or not,” said Razee Hassan, one of the two remaining deputy governors at the central bank.

But there is so far no evidence of an insider, nor do cyber security experts think such a person would have been essential for a crime that could have been committed from outside by sophisticated criminal hackers from eastern Europe or elsewhere.

One bone of contention between Bangladesh and the New York Fed is over the requirement — or not — for additional authentication on top of the automated Swift transmissions. Such operational procedures vary from bank to bank.

According to the Bangladeshis, the Fed queried some of the $101m of transactions but went ahead with them anyway without receiving a response from Dhaka. “Since they have asked for your opinion, they should have waited for that,” said one Bangladesh Bank official. “The Fed could have been a bit patient.”

According to the same official, this has put the Fed “on the back foot”. Mr Muhith, the finance minister, has threatened to file a case against the New York Fed, whose officials “cannot avoid their responsibility in any way”, he said.

In the private sector, there is some sympathy for the Bangladesh complaint. “Although the New York Fed is saying ‘we followed the protocols’, were they the right protocols?” asked one international investor and financier with interests in Bangladesh. “Shouldn’t there be a phone call?” The Fed, however, insists the transactions were duly authenticated via Swift.

With the criminals and the ultimate destination of the stolen money still unidentified, the theft has left Bangladesh taxpayers short of $81m, demoralised staff at the country’s central bank and embarrassed the Philippines by exposing the inadequacies of its banking supervision.

In interviews and meetings with friends, the 64-year-old Mr Rahman — hurriedly replaced as governor by Fazle Kabir, chairman of state-owned Sonali Bank — likened the theft to a “militant attack” and an “earthquake” and described it as “shocking”.

The crime has indeed sent shockwaves across Asia and the world, where other central banks are hastily re-examining their payment procedures and cyber security.

“If you look at banks around the world, and definitely here in Asia, they are basically facing increasingly sophisticated cyber attacks,” said Mr Boland.

The only consolation for Bangladesh is that the theft could have been 10 times worse, netting the robbers nearly $1bn if all the fraudulent transactions, instead of just five, had been successfully processed. “It’s fortunate that all the 35 were not passed,” said one Bangladesh Bank official.

Even so, it is only a matter of time before cyber thieves strike again. “Criminal groups are looking at this and thinking, ‘these guys made $100m’,” said the international investor in Dhaka. “It’s a wake-up call.”

By Victor Mallet in Dhaka and Avantika Chilkoti in Jakarta – FT link.
Additional reporting by Ben McLannahan, Kara Scannell and Alistair Gray

The heist: key moments

15 May 2015
Four accounts opened with false identities at RCBC branch in Manila.

Around January 2016
Malware introduced into Bangladesh Bank computer network.

February 4
Bangladesh Bank’s computers order 35 transfers via Swift from central bank branch at New York Fed, to a total value of $951m. Fed executes five — one to Sri Lanka and four to the Philippines, with a value of $101m. Spelling error in Sri Lankan account name stops transaction and $20m is recovered.

February 5
About $81m deposited into the Philippine accounts. A dollar account is opened at RCBC in the name of William So Go, who denies involvement. Funds transferred via that account and via Philrem, a remittance company, to a series of accounts linked to Philippine casinos.

February 8
Bangladesh Bank issues stop orders to New York Fed, RCBC in Manila, US banks Citi, Bank of New York Mellon and Wells Fargo, and Sri Lanka’s Pan Asia Banking Corporation.

February 11
Philippines central bank governor receives call from Bangladesh counterpart Atiur Rahman requesting help to trace and freeze stolen funds.

February 29
Philippine Court of Appeal petitioned to freeze the four RCBC accounts that initially received funds, as well as the accounts of Eastern Hawaii; Kam Sin Wong, one of the signatories to the account of Eastern Hawaii; Mr Go, and his Centurytex Trading business. Story of the scam broken by the Philippine Daily Inquirer.

March 15
Mr Rahman resigns as Bangladesh Bank governor and two of his deputies are fired. Details of Philippine end of the story divulged in Senate hearing in Manila. Hearing continues on March 17.

Sources: Anti-Money Laundering Council, Philippines; Bangladesh Bank executives and their official police report of the crime; Philippine Senate hearing.

at Financial Express Bangladesh – FT Syndication Service
