Bangladesh Bank Loses 80 Million USD
…with a $10 router
…and NO firewall
…We’re NOT making this up…
The Bangladesh’s Central Bank was hacked in February 2016 that stole $80 million (they tried for $951 million) seems to be due to the SWIFT software being compromised or exploited. The Guardian reported that SWIFT has warned its customers that they are aware of a number of recent cyber incidents. The attack was thwarted while attempting to get the $951 million (in 30 transactions) after $101 million was withdrawn from the Federal Reserve Bank of New York; $20 million was recouped from Sri Lanka, the remaining $81 million was sent to the Philippines – the remaining transactions were detected and cancelled.
“SWIFT said Monday that its network and core messaging services had not been compromised.” CNN Money
As a matter of clever timing, a stop payment was placed on the funds in the Philippines, but banks are closed on Chinese New Year and the message was received a “day late and a DOLLAR short.” The funds going to Sri Lanka were only intercepted because the word “foundation” was misspelled as “fandation” prompting officials to verify the transaction. If it was not for a typo, then the hackers could have gotten away with almost $1 billion. Ars Technica added that the money was sent to the Philippines held by two Chinese nationals who organize gambling junkets in Macau and the Philippines. It was then moved to several Philippine casinos and then international bank accounts. The investigation was completed by British defense contractor BAE Systems.
Bangladesh investigators said the bank was lacking in proper security measures when it was found that they lacked a firewall and were using $10 routers or switches (sources vary) in its networks according to Reuters. Adrian Nish, BAE’s head of threat intelligence said “The malware was designed to make a slight change to code of the Access Alliance software installed at Bangladesh Bank, giving attackers the ability to modify a database that logged the bank’s activity over the SWIFT network.”
The Bangladesh bank hasn’t commented on the finding by BAE Systems. Bangladesh police are continuing to investigate the matter.
I cannot stress Cybersecurity best practices enough. This is as a result of one of two scenarios: negligence or ignorance. It could be both. In either case, they probably thought it would not happen to them. It obviously did. The negligence aspect deals with knowing that not having a firewall and using an inexpensive (likely home grade) routing device would not protect the network and infrastructure. This could be from arrogance as well. I would venture to say there is little to no (or outdated) antivirus software, minimal security policies (enough to satisfy any regulatory compliance), and probably little employee training. This could also be the result of management ignoring IT staff and seeing it as a cost center, as many organizations often do. Although doubtful, ignorance deals with an IT staff that reasonably thought that they were doing enough to protect A BANK! How could someone think this is okay? I cannot fathom this. I digress.
Per CSO Online, all this was made possible through the using exploit to exploit the trust relationship between the SWIFT software and the banks using it. If the Target cyber attack taught us anything, it should be trust should never be inherited. Analysis and controls should always be in place to prevent an attacker from pivoting from an organization with weak security (Bangladesh Bank; the HVAC contractor with Target) to the more secure target with the trust relationship (Federal Reserve Bank of New York or Target). Note: I understand that Target was not necessarily the more secure target in the Target data breach. Man, that’s a lot of Targets. I am using this to illustrate it with the subject attack in relatable terms.
“According to investigators, one factor that contributed to the success of the attack against Bangladesh’s central bank was the lack of proper segmentation between the bank’s SWIFT systems and the rest of its network.” CSO Online
Dark Reading says that SWIFT is not without blame, the Bangladeshi Police are officially stating that both the bank and SWIFT were deficient in their security practices. Tech Radar believes this to be the tip of the iceberg, I agree with both sentiments. This is a worldwide issue that exploits a fundamental (not fandemental) weakness in international commerce. This shows that there is a simple trust relationship to exploit and that pivoting is limitless. The only step required is to compromise an institution that uses SWIFT. Depending on the location, this could be simple or it could be like breaking into Fort Knox.
Sometimes the target is not “the target.” The target we see could be a stepping stone to the bigger target with more devastation. While I know that regulatory compliance does not equal security and vice versa, I think it is time for a worldwide banking security standard, like PCI. PCI is only applicable to payment (credit or debit) card data and does not cover the other systems used for wiring and other transfers. In the United States, we have Gramm-Leach-Bliley Act (GLBA) of 1999. PCI is only worldwide because of the majority of the industry making it happen because they were tired of losing money from payment card data breaches and liability.
We will continue to monitor this and other similar attacks to assess a trend.
Other APS Posts
Ransomware Infects Android 4.x
Spotify Allegedly Hacked…Again
MedStar Health Cybersecurity Fails to Prevent Attack
Adobe Patches Exploited Vulnerability
Ransomware Locks MBR
Iranian hackers hit with Federal charges
Spear Phishermen Target Corporate W-2 Data
Google Fixes Kernel Vulnerability
4 Things to Know About Ransomware
Ransomware Hits Mac Computers
IRS Targeted in Another Cyberattack
Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.
Be sure to subscribe to this blog and to our Podcast.
If you have ANY Cybersecurity needs, please contact us and a member of our staff with promptly reply to your question or concern.