DHAKA (Reuters) - Investigators suspect unknown hackers installed malware in the Bangladesh central bank’s computer systems and watched, probably for weeks, for how to go about withdrawing money from its U.S. account, two bank officials briefed on the matter said on Friday.
More than a month after hackers breached Bangladesh Bank’s systems and attempted to steal nearly $1 billion from its account at the Federal Reserve Bank of New York, cyber security experts are trying to find out how the hackers got in.
FireEye Inc’s Mandiant forensics division is helping investigate the cyber heist, which netted hackers more than $80 million before it was uncovered.
The hackers appeared to have stolen Bangladesh Bank’s credentials for the SWIFT messaging system, which banks around the world use for secure financial communication.
In a statement Friday, Belgium-based SWIFT said: “SWIFT and the Central Bank of Bangladesh are working together to resolve an internal operational issue at the central bank. SWIFT’s core messaging services were not impacted by the issue and continued to work as normal.”
Banks and other businesses are eager to learn more about how the central bank was compromised so they can review their own networks for signs that they are vulnerable to similar attacks or might already have been breached, security professionals and bank executives told Reuters.
The incident could prompt central banks worldwide to beef up security and regulate financial institutions more tightly to prevent similar attacks, said Aviv Raff, chief technology officer with the cyber security firm Seculert.
“If banks are not better regulated this will for sure happen again,” said Raff.
Investigators suspect that malicious software code, often referred to as malware, which allowed hackers to learn how to withdraw the money could have been installed several weeks before the incident, which took place between Feb. 4 and Feb. 5, said Bangladesh Bank officials briefed on the matter.
Investigators believe the attack was sophisticated, describing the use of a “zero day” and referring to an “advanced persistent threat,” the officials said.
A zero day is a vulnerability in software that has yet to be identified or patched. This makes it easier for hackers to infect a targeted computer without the victim’s knowledge, even if it is protected with security software.
Advanced persistent threat refers to long-term attacks where hackers remain inside a network for months or even years.
Security experts said they hope samples of the malware will be made available to researchers so they can determine whether they are truly advanced, or if Bangladesh Bank’s security protections were not strong enough to block the attack.
“The next piece of the puzzle that will likely emerge is a sample of the malware and/or if a true zero-day vulnerability was used,” said Jeff Wichman, a consultant with cyber security firm Optiv.
The Bangladesh Bank officials acknowledged weaknesses in their systems and said it could take two years or more to repair the problems.
Wichman said he suspects one of the tools was a customised version of a common piece of malware known as a Remote Access Trojan, or RAT, which gives attackers the ability to gain remote control of a victim’s computer.
So far investigators have not found any proof that central bank staff in Bangladesh were involved, one of the officials said, but said the probe was continuing.
Security experts say that if insiders were not involved, the attackers likely had assistance from somebody close to the banking industry. They also may have spied on bank workers over an extended period to gain details about wire-transfer processes and other operations, they said.
“It takes somebody with deep knowledge of the banking industry to perform these types of crime,” said Shane Shook, a security consultant who has investigated some of the biggest cyber breaches on record.
The New York Fed, which provides banking services to some 250 central banks and other institutions, has said its systems were not compromised.
The Bangladesh central bank had billions of dollars in its current account, which it used for international settlements, officials have said. The stolen money made its way to various parts of the world.
Some $80 million are believed to have ended in the Philippines, and further diverted to casinos and then to Hong Kong, according to bank officials. One $20 million transaction was directed to a non-profit organization in Sri Lanka.
But the unusually large transaction for the island nation and a misspelling of the NGO’s name raised red flags that helped bring the robbery to light. The transaction was blocked as was another huge payment instruction that was for between $850 million and $870 million.
Writing by Paritosh Bansal. Additional reporting by Jim Finkle in Boston; Editing by Jeremy Wagstaff, Raju Gopalakrishnan, Jonathan Weber and Chizu Nomiyama