Published on 12:00 AM, January 29, 2019

BB Cyber Heist: Malware sent to BB network thru' emails

Finds FBI probe; Bangladesh to file case against hackers with US court tomorrow

It looked like any other email job-seekers send. The sender Rasel Ahlam attached a cover letter and a resume apparently hoping for a call for a personal interview.

But it was not what it seemed. Here, the prospective employer was the central bank of Bangladesh and the email was part of a wide ranging and multi-year conspiracy aimed at stealing $1 billion from the Bangladesh Bank's US dollars account with the Federal Reserve Bank of New York.

Three years after the heist of February 2016, the BB will file a case on Wednesday in New York to recover the $81 million it lost -- the biggest cyber crime in history.

The targeting of banks in Bangladesh by hackers began on October 7 and 8, 2014, before the attack on Sony Pictures Entertainment became overt and more than a year before the cyber-heist at the BB, according to a criminal complaint of the US Federal Bureau of Investigation (FBI) filed with the United States District Court in California last year.

The FBI's investigation, including its analysis and examination of digital devices and electronic evidence received from the BB, identified four Google accounts used to target and infiltrate the BB: watsonhenny@gmail.com, yardgen@gmail.com, and two accounts connected to them, rasel.aflam@gmail.com and rsaflam8808@gmail.com. The spear-phishing emails from each of those four accounts were nearly identical.

The links in the emails may have hosted the malware that allowed the senders to gain initial access to the computer network of the BB, the FBI complaint said.

A hacker using yardgen@gmail.com sent 10 emails to 16 different employees of the BB on January 29, 2015. Each of those messages purportedly sought an employment opportunity. In the emails, a link was included, which appeared to contain a résumé.

On February 23, 2015, yardgen@gmail.com sent two emails to 10 recipients at the BB. They were identical except that the “linked” text displayed only “Resum.zip” (if clicked, it still took the computer to the same URL or website).

Between January 29 and February 24, 2015, at least three BB computers had attempted to download the file from the link sent by yardgen@gmail.com, the FBI mentioned.

The investigation found evidence that the subjects were successful in causing recipients at the BB to download the payload from their spear-phishing emails.
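The pattern the complaint describes in the paragraphs above (near-identical job-seeker emails from several accounts, a link whose visible text is an archive name, the same landing URL reused across recipients) is something a mail-gateway review can flag. The following is an added example, not code from the FBI complaint, the article or Bangladesh Bank; it runs over a constructed list of mail-gateway records, and the record field names, sender addresses and URLs are all assumptions.

```python
"""Flag a recruitment-lure spear-phishing wave in mail-gateway records.

Added example, not from the FBI complaint or the article. Field names,
addresses and URLs are constructed for the demonstration.
"""
import hashlib
import re
from collections import defaultdict

# Visible link text that names an archive or executable is a common lure.
ARCHIVE_NAME_RE = re.compile(r"\.(zip|rar|7z|exe|scr|js|iso)$", re.IGNORECASE)

# Constructed sample records; every address and URL here is a placeholder.
SAMPLE_MAIL_LOG = [
    {"sender": "applicant.one@example.com", "recipient": "hr1@bank.example",
     "body": "Dear Sir, I am seeking employment with your bank. My resume is linked below.",
     "links": [("Resume.zip", "http://cv-host.example.net/dl/resume.zip")]},
    {"sender": "applicant.one@example.com", "recipient": "it2@bank.example",
     "body": "Dear Sir,  I am seeking employment with your bank. My resume is linked below.",
     "links": [("Resum.zip", "http://cv-host.example.net/dl/resume.zip")]},
    {"sender": "applicant.two@example.com", "recipient": "hr3@bank.example",
     "body": "Dear Sir, I am seeking employment with your bank. My resume is linked below.",
     "links": [("Resume.zip", "http://cv-host.example.net/dl/resume.zip")]},
    {"sender": "billing@partner.example", "recipient": "hr1@bank.example",
     "body": "Please find the January invoice at the link below.",
     "links": [("January invoice", "https://partner.example/invoices/2019-01.pdf")]},
]


def body_fingerprint(body):
    """Hash of the whitespace- and case-normalised body, so near-identical
    copies of one template (same text, different spacing) collide."""
    normalised = re.sub(r"\s+", " ", body.strip().lower())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]


def analyze(records):
    """Collect the three campaign signals across all records."""
    url_senders = defaultdict(set)      # landing URL -> sender accounts using it
    url_recipients = defaultdict(set)   # landing URL -> recipients targeted
    body_senders = defaultdict(set)     # body fingerprint -> sender accounts
    archive_lures = []                  # (sender, recipient, link text, URL)
    for rec in records:
        body_senders[body_fingerprint(rec["body"])].add(rec["sender"])
        for text, url in rec["links"]:
            url_senders[url].add(rec["sender"])
            url_recipients[url].add(rec["recipient"])
            if ARCHIVE_NAME_RE.search(text.strip()):
                archive_lures.append((rec["sender"], rec["recipient"], text, url))
    shared_urls = {
        url: {"senders": len(s), "recipients": len(url_recipients[url])}
        for url, s in url_senders.items() if len(s) > 1
    }
    shared_bodies = {fp: sorted(s) for fp, s in body_senders.items() if len(s) > 1}
    return {"archive_lures": archive_lures,
            "shared_urls": shared_urls,
            "shared_bodies": shared_bodies}


def campaign_urls(records, min_senders=2):
    """URLs worth blocking at the proxy and checking against download logs:
    reused by several sender accounts and carrying an archive-named lure."""
    result = analyze(records)
    lure_urls = {url for _, _, _, url in result["archive_lures"]}
    return sorted(url for url, counts in result["shared_urls"].items()
                  if counts["senders"] >= min_senders and url in lure_urls)


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MAIL_LOG).items():
        print(key, value)
    print("block/check at proxy:", campaign_urls(SAMPLE_MAIL_LOG))
```

The URLs returned by `campaign_urls` are the ones to match against proxy logs, which is how an investigator would find the "at least three computers attempted to download" evidence the complaint mentions. The legitimate invoice record shows the body-fingerprint and shared-URL signals do not fire on a single sender.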

In March 2015, the subjects had moved within the BB network and had saved malware capable of performing file transfers, creating .zip archives, and executing certain files. It had three IP addresses programmed into it.

Nearly a year later, on January 29, 2016, days before the fraudulent transfers were made, the subjects engaged in a number of lateral movements throughout the network. One of those moves was to the BB's SWIFTLIVE system. That system was the core component of the BB's SWIFT processing environment. It used the SWIFT Alliance Access application, which was a customer-managed gateway to the SWIFT network that transmitted and received messages from other banks that create and confirm financial transactions. As the application received SWIFT messages, it would record local copies of the messages, including by formatting and printing those messages to files or a printer and by entering information associated with them in a separate database.

As the hackers tried to move onto the BB computer hosting the SWIFTLIVE system, they made at least four attempts to log in to it. The subjects had successfully deleted some evidence of their attempts to log in to the BB's SWIFTLIVE system, but left some evidence that was later found during the forensic examination.
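Two of the traces described above, repeated login attempts against the SWIFT gateway host from a workstation that should never reach it and a hole where audit records were deleted, are exactly what a monitoring check on that host should look for. This is an added example, not code from the FBI complaint, the article or SWIFT; the log format, the host name, the addresses and the operator allow-list are all constructed for the demonstration.

```python
"""Review a SWIFT gateway host's audit trail for login bursts from unexpected
sources and for gaps in sequence-numbered records.

Added example, not from the FBI complaint or the article. The log format,
host name, addresses and allow-list are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) seq=(?P<seq>\d+) host=(?P<host>\S+) "
    r"event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed audit records. Sequence numbers are forwarded to a separate log
# collector, so records deleted on the host leave a visible hole (1004-1006).
SAMPLE_LOG = """\
2016-01-29 02:10:01 seq=1001 host=SWIFTLIVE event=login_failed user=operator src=10.20.5.17
2016-01-29 02:10:09 seq=1002 host=SWIFTLIVE event=login_failed user=operator src=10.20.5.17
2016-01-29 02:10:20 seq=1003 host=SWIFTLIVE event=login_failed user=admin src=10.20.5.17
2016-01-29 02:11:02 seq=1007 host=SWIFTLIVE event=login_ok user=admin src=10.20.5.17
2016-01-29 08:00:00 seq=1008 host=SWIFTLIVE event=login_ok user=operator src=10.20.1.4
""".splitlines()

# Assumed allow-list: the only operator workstations permitted to log in.
ALLOWED_SOURCES = {"10.20.1.4", "10.20.1.5"}


def parse(lines):
    """Turn raw lines into dicts; malformed lines are skipped (count them in
    production rather than dropping silently)."""
    events = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        event["seq"] = int(event["seq"])
        events.append(event)
    return events


def sequence_gaps(events):
    """(last_seen, next_seen) pairs where the audit sequence jumps."""
    seqs = sorted(e["seq"] for e in events)
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """(host, src) pairs with at least `threshold` failed logins inside one window."""
    per_source = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            per_source[(e["host"], e["src"])].append(e["ts"])
    hits = []
    for key, stamps in per_source.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                hits.append(key)
                break
    return hits


def unexpected_sources(events, allowed=ALLOWED_SOURCES):
    """Source addresses that touched the host but are not on the allow-list."""
    return sorted({e["src"] for e in events if e["src"] not in allowed})


def review(lines):
    events = parse(lines)
    return {
        "gaps": sequence_gaps(events),
        "bursts": failed_login_bursts(events),
        "unexpected_sources": unexpected_sources(events),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

The gap check only works if records are numbered and shipped off the host as they are written; an attacker who can delete local evidence, as the complaint says these subjects did, cannot reach a copy already held by the collector, which is why the forensic trail on the SWIFT host should never be the only one.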

BB CASE

A three-member team from the central bank left Dhaka early yesterday for New York. Officials hope that the case will be disposed of in two to three years. A lawyer from London will join the BB team in the US.

A BB official familiar with the proceedings said the reason for the delay in filing the case was that the government was hoping to retrieve the amount with assistance from the government of the Philippines.

“We later realised that the Filipino court would take a while and we would miss the chance to file a case with the New York court,” the official added.

Money laundering cases have to be filed within three years of the crime being committed, according to US laws.

If it is proven in the New York court that the foreign hackers were involved in the heist and the Rizal Commercial Banking Corporation in Manila assisted them, the untraced money may be returned, the BB official said.

“So, we are going to file a damage claim with the NY court.”

On February 4, 2016, hackers broke into BB's systems and generated 70 fake payment orders for the Federal Reserve Bank of New York to draw about $1.94 billion.

While the NY Fed's security system flagged the payment orders, five of them fell through and $101 million was released. Finally, $81 million was wired to RCBC's branch in Manila, while $20 million landed in Sri Lanka.

Sri Lanka sent back the entire sum immediately after the heist was exposed, while the Philippines sent back $14.54 million in November 2016 -- meaning $66.46 million is yet to be retrieved from the Philippines. A number of cases involving a major portion of the fund are pending with courts in the Philippines.