Hackers bugged BB system in Jan

Hackers installed malicious software into the Bangladesh Bank system in January, which helped them gain knowledge of the central bank's working methods before stealing some $101 million.

The forensic investigation by the BB, launched soon after the February 4 digital heist, detected the presence of the malware, said finance ministry and BB officials.

The malware is so powerful that it could gather information about the BB operations on international payment and fund transfers.

The malware is even believed to have destroyed evidence on the Bangladesh side of the hacking, a BB official said, requesting anonymity citing the ongoing investigation.

It is not yet clear how the malware was installed into the BB system or where the hackers were when they sent the transfer orders to the New York Federal Reserve Bank, from where the money was stolen.

Malware is an umbrella term used to refer to a variety of forms of hostile or invasive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware and other malicious programmes.

The malware installed in the BB system copied the information on how payment order was made in recent months and sent the information to the hackers. 

Using the information, the hackers chose an opportune moment and stole credentials for payment transfers and then ordered transfers out of the New York Fed account held by the BB.

The hackers chose the weekend in four countries to break into the BB system. The weekly two-day bank holiday in Bangladesh starts at Thursday midnight and a day later in the US, the Philippines and Sri Lanka. Knowing that there would be no mutual correspondence immediately, the hackers sent the fake payment orders around the midnight on February 4, a Thursday in Bangladesh.  

About $1 billion of the BB reserves is kept in a current account with the Fed. The money is meant to make government payments against debts and consultancy fees for development projects.  

The hackers attempted to steal all of it, but failed although they made it seem like real transfer orders using names of genuine projects, donors and authorities.

Of the $101 million stolen, $81 million was wired to two banks in the Philippines. The rest $20 million was sent to a bank in Sri Lanka in favour of an NGO, whose account was opened just a month ago, according to the BB.

The sum that ended up in Sri Lanka has been retrieved, as the money was not disbursed because the NGO's name was wrongly spelled in the transfer order, BB officials said.

According to the Philippines Daily Inquirer, it appeared that a $25-million transaction was ordered by the BB on behalf of the government's Kanchpur, Meghna and Gumti second bridges construction projects.

The amount was remitted to the account of Enrico Teodoro Vasquez, one of the beneficiaries, purportedly for the payment of a “loan” from the Japan International Cooperation Agency (Jica).

A payment for $30 million to Jessie Christopher Lagrosas, an IT professional and a beneficiary, likewise under a Jica “loan,” was supposedly ordered by the BB on behalf of Dhaka Mass Rapid Transit project.

A further $6-million payment order on behalf of an IPFF project cell was supposedly to pay for another beneficiary Michael Francisco Cruz's consultancy fees. Another payment worth $19 million was supposedly from Bheramara combined cycle power plant development project with Alfred Santos Vergara as beneficiary.

Based on documents, officials of the Rizal Commercial Banking Corporation (RCBC) of the Philippines had no reason to doubt the validity of the remittance from Bangladesh. The branch manager also cited several superiors attesting to the validity of the transactions, which -- on paper --were backed by underlying infrastructure projects in Bangladesh, reported the Inquirer.

The four beneficiaries opened US dollar bank accounts in the RCBC in May last year.

A central bank official yesterday confirmed that the names of the projects were indeed used.

To prevent further hacking, the BB is working to install a software programme that will try to neutralise the malware that penetrated the BB system.

The BB probe body believes that the hacking was orchestrated from outside the country. But as the hackers made the fund transfer orders in the name of existing projects, investigators are looking into whether any locals are also involved in the hacking, one of the biggest bank thefts in history. 

 “We are still in the middle of the investigations and are looking at both internal and external engagements. So, it is hard to rule out anything,” said Rakesh Asthana, a cyber security expert working for the BB, and a former director of the World Bank's IT department, on Wednesday.

Based on the findings, the government would proceed to nab the local perpetrators, if any, and would seek help from foreign intelligence to take legal steps against foreign hackers.

On February 16, BB Governor Atiur Rahman wrote to his Filipino counterpart Amando Tetangco Jr, saying the February 4 SWIFT payment instructions issued in favour of the RCBC were fake.

In addition to stealing credentials for processing transfers, the hackers may have spied on Bangladesh Bank staff to get a deeper understanding of the central bank's operations, according to experts in banking fraud.

Kayvan Alikhani, a senior director with US security firm RSA, said that in addition to user names and passwords for accessing SWIFT, the hackers possibly needed to obtain cryptographic keys that authenticated the senders.

Such certificates can be copied and used by impostors if those are not properly secured, he told Reuters.

They siphoned the money through SWIFT after observing how bank employees crafted their messages so they could follow correct protocols, said Juan Guerrero, a researcher with Kaspersky Lab.

Questions have been raised on how the fraudulent orders slipped through the US financial system as the transactions involved the New York Fed and US correspondent banks Citibank, the Bank of New York Mellon and Wells Fargo Bank.

CHANGES IN TRANSFER ORDER

In the wake of the cyber attack, the BB has changed the payment order mechanism. The central bank is not relying only on the SWIFT, a system that banks use for fund transfer requests and other secure messages.

While making a fund transfer order involving a significant amount of money, the BB would use verbal advice along with the existing SWIFT service, the BB has informed the New York Fed.

The BB is working with the Belgium-based SWIFT authorities for making the service more secure, said a central banker.

The official said the BB would take assistance from the World Bank and an agency of the US to bring back money from the Philippines.

The primary discussion with them is underway, he said.

TIMELINE

May 15, 2015
A money laundering syndicate opens four US dollar bank accounts with the Rizal Commercial Banking Corp (RCBC) with an initial deposit of $500 each. The accounts were untouched until Feb 4, 2016.

Feb 4, 2016
Some $81 million from BB account with the Federal Reserve Bank of New York was  transferred to the 4 RCBC accounts

Feb 5 to 13
The funds were converted into pesos in various tranches to the bank accounts of Chinese national Weikang Xu, Eastern Hawaii Leisure Co and Bloomberry Hotels Inc (Solaire Resorts).

Feb 8 (Chinese New Year)
The BB requested the RCBC to stop payment and refund the funds, and if the funds had been transferred, to “freeze or put the funds on hold,” noting that the payment order was fraudulent. However, this was a nonworking holiday in the Philippines.

Feb 9
The RCBC received a Swift message from the BB requesting to stop payment and freeze the accounts for proper investigation. However, withdrawals from the accounts totalling $58.15 million had already been processed by the Jupiter Street branch of the RCBC. 

Feb 16:
BB governor sought the assistance of his Philippine counterpart, regarding the loss of $81 million. The BB said the Feb 4 Swift payment instructions issued in favour of the RCBC were “fraudulent.”

Feb 19
 The Philippines' Anti-Money Laundering Council starts probe of bank accounts relating to Weikang Xu (believed to be a junket operator), Eastern Hawaii Leisure Company and Solaire Resorts.