Over US$80 million (£57 million) has been stolen from Bangladesh's central bank. The breach, committed early last month but disclosed just a few days ago, saw millions transferred from the Bangladeshi state's account in the New York Federal Reserve Bank (NYFRB) to casinos in the Philippines and elsewhere.
The theft was committed on 4 February, when malware made dozens of transfer orders to the NYFRB from the Bangladeshi state's account to private accounts in the Philippines and Sri Lanka.
To pull off the robbery, the attackers apparently learned a great deal about the internal workings of the bank and obtained authorised credentials to disguise the transfer of funds.
The malware did more than steal funds: it destroyed the systems it infected, disabling their ability to make transfer orders.
According to the Ministry of Finance, recovery of the funds could take a while, although nearly £50,000 was frozen by the Philippines and some of the money was also recovered from Sri Lanka.
In reality, that large sum is only a fraction of what the attackers tried to steal. The bank told the public on social media that the attackers made 35 separate requests from the bank's account in the NYFRB, which could have reached as high as £700 million. It was a spelling mistake, coupled with the number of requests made, that alerted the relevant bodies to the theft.
“The fact that the hackers made it as far into the system as they did is unacceptable”, James Romer, EMEA chief security architect at SecureAuth told SCMagazineUK.com. “The perpetrators of this cyber-crime should have been stopped much sooner than they were, and it shouldn't have been because they made a spelling mistake. One can only imagine how much more damage they could have done if it weren't for this mistake on their part.”
Justin Harvey, CSO at Fidelis Cybersecurity, told SC, “Spelling mistakes and an unusual amount of activity are tell-tale signs that something untoward is going on and it begs the question whether these were the first slip-ups of the cyber-criminals.
“This latest hack is a clear reminder that compliance and adhering to banking regulations isn't enough. Multi-layer security needs to be implemented, regularly updated and sophisticated monitoring solutions need to be in place to flag and – if necessary – quarantine suspicious behaviour. At least the Federal Reserve Bank of New York's provisions seemed to have saved the full £1 billion from being stolen.”
The Bangladeshi government has announced its intention to sue the NYFRB. Meanwhile, the bank maintains that its systems were not breached and it is thus not liable. The bank followed up with a tweet:
Regarding hacking reports, there is no evidence of attempts to penetrate Federal Reserve systems & no evidence Fed systems were compromised.— New York Fed News (@NYFed_News) March 7, 2016
In the wake of the embarrassing heist, which is being called one of the biggest in history, the Bangladesh central bank's director Atiur Rahman has resigned.
A contributing factor to his resignation may have been that, though the money was stolen in February, Rahman did not tell his bosses in the Bangladeshi government. In fact, Bangladesh's finance minister A M A Muhith told the press that he only found out about the theft from the news media.