The Bangladesh Job part II: the gang strikes again

News by Max Metzger

According to Swift the fingerprints of those behind February's £56 million heist from the Bangladesh Central Bank have been found on another attempted heist.

The Bangladeshi bank stick-up men have struck again according to financial messaging service, Swift. The company has discovered malware similar to that used to steal £56 million from the Bangladesh central bank in February 2016, used on another commercial bank.

It is not yet know where this affected bank is, or if anything was stolen using the malware. The forensic examination, however, showed up some telling similarities with the previous case.

Much like the February Bangladesh job, the gang exploited the fund transfer initiation environments, bypassing the frontline security controls the bank used.

The malware targets the banks' secondary controls, in this case a PDF reader used to check statements, so the victims aren't told of the theft until as late as possible.

Swift don't believe this latest heist is the end of the campaign of high profile thefts. A Swift spokesperson wrote in a statement: “Forensic experts believe this new discovery evidences that the malware used in the earlier reported customer incident was not a single occurrence, but part of a wider and highly adaptive campaign targeting banks.”

Swift declined to comment to SC beyond its initial statement.

February's heist saw the stolen million transferred from Bangladesh Central Bank's account at the New York Federal Reserve Bank in the US to casinos in the Philippines and elsewhere. 

The £56 million that was eventually stolen is only a fraction of what the attackers really tried to steal. The bank told the public on social media that the attackers made 35 separate requests from the bank's account in the NYFRB which could have reached as high as £700 million. It was a spelling mistake coupled with the number of requests made that alerted the relevant bodies to the theft.

The guilty parties were never found and there is as yet no information on who may have pulled this heist off.

Matt Middleton-Leal, regional director of UK & Ireland at CyberArk, told, “From a cyber-security perspective, whether this latest breach was caused by hackers, insiders or a combination of the two is irrelevant to a degree."

“What matters is that, with attention and budget spend on security often too focused on the perimeter defences, big blind spots obscure what's happening inside the network. If hackers can move around somewhat freely once inside, sussing out how to circumvent transactional checks and balances and getting higher levels of enhanced access to the keys to the kingdom, then what you have spent to secure your network is wasted.”

Middleton-Leal added, “As we saw in the Bangladesh heist, a simple thing like gaining control of a printer to make sure staff didn't see fraudulent transactions meant the attack went undetected until it was too late.”

Matthias Maier, security evangelist at Splunk, told SC, “The second cyber-attack revealed by Swift in as many months is a wake-up call for banks across the globe. These are not isolated incidents. Serious investigations must follow given the custom built nature of the malware used in these attacks. It appears to have been created by someone with an intimate knowledge of how the Swift software works as well as its business processes, which is cause for concern.”

However, added Maier, “Basic system monitoring at the bank would have stopped this at the server endpoint by tracking system changes in real time, triggering alerts to analysts.” 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews