The Bangladesh Bank robbery, also known colloquially as the Bangladesh Bank cyber heist, took place in February 2016, when thirty-five fraudulent instructions were issued by security hackers via the SWIFT network to withdraw close to US$1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank, the central bank of Bangladesh. Five of the thirty-five instructions were successful in transferring $101 million, with $20 million traced to Sri Lanka and $81 million to the Philippines. The Federal Reserve Bank of New York blocked the remaining thirty transactions, amounting to $850 million, due to suspicions raised by a misspelled instruction. All the money transferred to Sri Lanka has since been recovered. However, as of 2018 only around $18 million of the $81 million transferred to the Philippines has been recovered. It was later suspected that Dridex malware was used for the attack.
A Reuters report attributed the robbery to oversights and failures by Bangladesh Bank, the Federal Reserve Bank of New York, as well as the Rizal Commercial Banking Corporation (RCBC) in the Philippines.
The 2016 cyber-attack on the Bangladesh central bank was not the first attack of its kind. In 2013, the Sonali Bank of Bangladesh was also successfully targeted by hackers who were able to remove US$250,000.
In both cases, the perpetrators were suspected to have been aided by insiders within the targeted banks, who assisted in taking advantage of weaknesses in the banks' access to the SWIFT global payment network.
Capitalizing on weaknesses in the security of the Bangladesh central bank, including the possible involvement of some of its employees, perpetrators attempted to steal $951 million from the Bangladesh central bank's account with the Federal Reserve Bank of New York sometime between February 4–5 when Bangladesh Bank's offices were closed. The perpetrators managed to compromise Bangladesh Bank's computer network, observe how transfers are done, and gain access to the bank's credentials for payment transfers. They used these credentials to authorise about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the account Bangladesh Bank held there to accounts in Sri Lanka and the Philippines.
Thirty transactions worth $851 million were flagged by the banking system for staff review, but five requests were granted: $20 million to Sri Lanka (later recovered) and $81 million lost to the Philippines, where it entered the country's banking system on February 5, 2016. This money was laundered through casinos, and some of it was later transferred to Hong Kong.
The $20 million transfer to Sri Lanka was intended by hackers to be sent to the Shalika Foundation, a Sri Lanka-based private limited company. The hackers misspelled "Foundation" in their request to transfer the funds, spelling the word as "Fundation". This spelling error gained suspicion from Deutsche Bank, a routing bank which put a halt to the transaction in question after seeking clarifications from Bangladesh Bank.
Sri Lanka-based Pan Asia Bank initially took notice of the transaction, with one official noting the transaction as too big for a country like Sri Lanka. Pan Asia Bank was the one which referred the anomalous transaction to Deutsche Bank. The Sri Lankan funds have been recovered by Bangladesh Bank.
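The three red flags described above (an instruction issued while the originating bank was closed, a beneficiary name one letter off a known entity, and a sum out of proportion to its destination) expressed as a rule-based pre-release screen. This is an added example, not code from the page, from Bangladesh Bank or from SWIFT; the message fields, the Friday/Saturday weekend, the similarity threshold, the beneficiary registry and the per-country ceilings are assumptions, and the two sample instructions are constructed.

```python
"""Rule-based screening of outgoing payment instructions (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from difflib import SequenceMatcher

# Assumption: the originator observes a Friday/Saturday weekend (weekday() 4 and 5).
CLOSED_WEEKDAYS = {4, 5}
# Assumption: a beneficiary name this similar to a known one is a near-miss, not a new payee.
NEAR_MISS_RATIO = 0.85
# Constructed registry of beneficiaries previously paid from this account (lower-cased).
KNOWN_BENEFICIARIES = {"shalika foundation", "bangladesh embassy colombo"}
# Constructed per-country ceilings in USD; anything above needs manual review.
COUNTRY_LIMITS_USD = {"LK": 5_000_000, "PH": 5_000_000}
DEFAULT_LIMIT_USD = 10_000_000


@dataclass(frozen=True)
class Instruction:
    reference: str
    issued_at: datetime      # when the originator issued the instruction
    amount_usd: float
    beneficiary: str
    country: str             # ISO 3166-1 alpha-2 code of the beneficiary bank


def closest_known(name: str) -> tuple[str, float]:
    """Return the most similar known beneficiary and its similarity ratio (0..1)."""
    lowered = name.lower().strip()
    best, best_ratio = "", 0.0
    for known in KNOWN_BENEFICIARIES:
        ratio = SequenceMatcher(None, lowered, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best, best_ratio


def screen(instr: Instruction) -> list[str]:
    """Return the review reasons raised by an instruction; an empty list means release."""
    reasons: list[str] = []
    if instr.issued_at.weekday() in CLOSED_WEEKDAYS:
        reasons.append("issued while originator closed")
    if instr.beneficiary.lower().strip() not in KNOWN_BENEFICIARIES:
        known, ratio = closest_known(instr.beneficiary)
        if ratio >= NEAR_MISS_RATIO:
            # e.g. "Fundation" for "Foundation": looks deliberate, not a new payee
            reasons.append(f"beneficiary near-miss for '{known}'")
        else:
            reasons.append("beneficiary not previously paid")
    limit = COUNTRY_LIMITS_USD.get(instr.country, DEFAULT_LIMIT_USD)
    if instr.amount_usd > limit:
        reasons.append(f"amount exceeds {instr.country} ceiling")
    return reasons


# Constructed instructions: one mirroring the pattern described above, one routine.
SAMPLE_FRAUD = Instruction("REF-001", datetime(2016, 2, 5, 3, 0), 20_000_000,
                           "Shalika Fundation", "LK")
SAMPLE_ROUTINE = Instruction("REF-002", datetime(2016, 2, 3, 11, 0), 250_000,
                             "Shalika Foundation", "LK")

if __name__ == "__main__":
    for instr in (SAMPLE_FRAUD, SAMPLE_ROUTINE):
        print(instr.reference, screen(instr) or ["release"])
```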
The money transferred to the Philippines was deposited in five separate accounts with the Rizal Commercial Banking Corporation (RCBC); the accounts were later found to be under fictitious identities. The funds were then transferred to a foreign exchange broker to be converted to Philippine pesos, returned to the RCBC and consolidated in an account of a Chinese-Filipino businessman; the conversion was made from February 5 to 13, 2016. It was also found that the four U.S. dollar accounts involved were opened at the RCBC as early as May 15, 2015, remaining untouched until February 4, 2016, the date the transfer from the Federal Reserve Bank of New York was made.
On February 8, 2016, during the Chinese New Year, Bangladesh Bank informed RCBC through SWIFT to stop the payment, refund the funds, and to "freeze and put the funds on hold" if the funds had already been transferred. Chinese New Year is a non-working holiday in the Philippines and a SWIFT message from Bangladesh Bank containing similar information was received by RCBC only a day later. By this time, a withdrawal amounting to about $58.15 million had already been processed by RCBC's Jupiter Street (in Makati City) branch.
On February 16, the Governor of Bangladesh Bank requested Bangko Sentral ng Pilipinas' assistance in the recovery of its $81 million funds, saying that the SWIFT payment instructions issued in favor of RCBC on February 4, 2016 were fraudulent.
Initially, Bangladesh Bank was uncertain if its system had been compromised. The governor of the central bank engaged World Informatix Cyber Security, a US-based firm, to lead the security incident response, vulnerability assessment and remediation. World Informatix Cyber Security brought in the forensic investigation company Mandiant, for the investigation. These investigators found "footprints" and malware of hackers, which suggested that the system had been breached. The investigators also said that the hackers were based outside Bangladesh. An internal investigation has been launched by Bangladesh Bank regarding the case.
The Bangladesh Bank's forensic investigation found out that malware was installed within the bank's system sometime in January 2016, and gathered information on the bank's operational procedures for international payments and fund transfers.
The investigation also looked into an unsolved 2013 hacking incident at the Sonali Bank, wherein US$250,000 was stolen by still unidentified hackers. According to reports, just as in the 2016 central bank hack, the theft also used fraudulent fund transfers using the SWIFT global payment network. The incident was treated by Bangladeshi police authorities as a cold-case until the suspiciously similar 2016 Bangladesh central bank robbery.
The Philippines' National Bureau of Investigation (NBI) launched a probe and looked into a Chinese-Filipino who allegedly played a key role in the money laundering of the illicit funds. The NBI is coordinating with relevant government agencies including the country's Anti-Money Laundering Council (AMLC). The AMLC started its investigation on February 19, 2016 of bank accounts linked to a junket operator. AMLC has filed a money laundering complaint before the Department of Justice against a RCBC branch manager and five unknown persons with fictitious names in connection with the case.
A Philippine Senate hearing was held on March 15, 2016, led by Senator Teofisto Guingona III, head of the Blue Ribbon Committee and Congressional Oversight Committee on the Anti-Money Laundering Act. A closed-door hearing was later held on March 17. Philippine Amusement and Gaming Corporation (PAGCOR) has also launched its own investigation. On August 12, 2016, RCBC was reported to have paid half of the Ph₱1 billion penalty imposed by the Central Bank of the Philippines. Prior to that, the bank reorganized its board of directors by increasing the number of independent directors to 7 from the previous 4.
FireEye's Mandiant forensics division and World Informatix Cyber Security, both US-based companies, investigated the hacking case. According to investigators, the perpetrators' familiarity with the internal procedures of Bangladesh Bank was probably gained by spying on its workers. In a separate report, the US Federal Bureau of Investigation (FBI) says that agents have found evidence pointing to at least one bank employee acting as an accomplice, with evidence pointing to several more people as possibly assisting hackers in navigating the Bangladesh Bank's computer system. The government of Bangladesh is considering suing the Federal Reserve Bank of New York in a bid to recover the stolen funds.
Federal prosecutors in the United States have revealed possible links between the government of North Korea and the theft. U.S. prosecutors are reportedly at work building potential cases that would accuse North Korea of directing the theft of $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York. The report also said that to be included in the charges are "alleged Chinese middlemen," who facilitated the transfer of the funds after it had been diverted to the Philippines.
Some security companies, including Symantec Corp. and BAE Systems, say that the North Korea-based Lazarus Group, one of the world's most active state-sponsored hacking collectives, were probably behind the attack. They cite similarities between the methods used in the Bangladesh heist and those in other cases, such as the hack of Sony Pictures Entertainment in 2014, which U.S. officials also attributed to North Korea. Cybersecurity experts say Lazarus Group was also behind the WannaCry ransomware attack in May 2017 that infected hundreds of thousands of computers around the world.
Some or all of the stolen funds may eventually have found their way to North Korea. The FBI is examining a possible North Korean link to the hack, according to two officials with direct knowledge of the investigation.
US National Security Agency Deputy Director Richard Ledgett was also quoted as saying that, "If that linkage from the Sony actors to the Bangladeshi bank actors is accurate—that means that a nation state is robbing banks."
The U.S. has charged a North Korean computer programmer with hacking the Bangladesh Bank, alleging this was carried out on behalf of the regime in Pyongyang. The same programmer has also been charged in connection with two other global cyber attacks, the WannaCry 2.0 virus and the 2014 Sony Pictures attack.
Computer security researchers have linked the theft to as many as eleven other attacks, and alleged that North Korea had a role in the attacks, which, if true, would be the first known incident of a state actor using cyberattacks to steal funds.
The Rizal Commercial Banking Corporation (RCBC) said it did not tolerate the illicit activity in the RCBC branch involved in the case. Lorenzo V. Tan, RCBC's president, said that the bank cooperated with the Anti-Money Laundering Council and the Bangko Sentral ng Pilipinas regarding the matter. Tan's legal counsel has asked the RCBC Jupiter Street branch manager to explain the alleged fake bank account that was used in the money laundering scam.
The RCBC's board committee also launched a separate probe into the bank's involvement in the money laundering scam. RCBC president Lorenzo V. Tan filed an indefinite leave of absence to give way to the investigation by the authorities on the case. On May 6, 2016, despite being cleared of any wrongdoing by the bank's internal investigation, Tan resigned as President of RCBC to "take full moral responsibility" for the incident. Helen Yuchengco-Dee, daughter of RCBC founder Alfonso Yuchengco, will take over the bank's operations. The bank also apologized to the public for its involvement in the robbery.
Bangladesh Bank chief, governor Atiur Rahman, resigned from his post amid the investigation of the central bank robbery and subsequent laundering of the money by the RCBC staff in the Philippines. He submitted his resignation letter to Prime Minister Sheikh Hasina on March 15, 2016. Before the resignation was made public, Rahman stated that he would resign for the sake of his country. After his resignation, Rahman defended himself by claiming that he had foreseen cyber security vulnerabilities one year ago and had hired an American cyber security firm to bolster the firewall, network and overall cyber security of the bank. However, he blamed bureaucratic hurdles for preventing the security firm from starting its operations in Bangladesh until after the cyber heist.
On August 5, 2016, the Bangko Sentral ng Pilipinas approved a ₱1 billion (US$52.92 million) fine against RCBC for its non-compliance with banking laws and regulations in connection with the bank robbery. This is the largest monetary fine ever approved by BSP against any institution. RCBC stated that the bank would comply with the BSP's decision and pay the imposed fine.
The Bangladesh Bank continued its efforts to retrieve the stolen money but had recovered only about $15 million, mostly from a gaming junket operator based in Metro Manila. In February 2019, the Federal Reserve pledged to help Bangladesh Bank recover the money, and SWIFT also decided to help the central bank rebuild its infrastructure. Bangladesh Bank also believed that RCBC was complicit in the robbery and, in early 2019, filed a legal case in the U.S. District Court for the Southern District of New York accusing the Philippine bank of a "massive conspiracy". In response, RCBC filed a lawsuit accusing Bangladesh Bank of defamation, holding that Bangladesh Bank's claims were baseless.
The case threatened to reinstate the Philippines to the Financial Action Task Force on Money Laundering blacklist of countries that made insufficient efforts against money laundering. Attention was given to a potential weakness of Philippine authorities' efforts against money laundering after lawmakers in 2012 managed to exclude casinos from the roster of organizations required to report to the Anti-Money Laundering Council regarding suspicious transactions.
The case also highlighted the threat of cyber attacks to both government and private institutions by cyber criminals using real bank authorisation codes to make orders look genuine. SWIFT has advised banks using the SWIFT Alliance Access system to strengthen their cyber security posture and ensure they are following SWIFT security guidelines. Bangladesh is reportedly the 20th most cyber-attacked country, according to a cyber threat map developed by Kaspersky Lab, which runs in real time.
Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols supported by Windows and Samba servers. Both SAM and LSAD are layered onto the DCE 1.1 Remote Procedure Call (DCE/RPC) protocol. As implemented in Samba and Windows, the RPC services allowed an attacker to become a man in the middle. Although the vulnerability was discovered during the development of Samba, the name-giving SMB protocol itself is not affected.
BlueBorne (security vulnerability)
BlueBorne is a generic term for several security vulnerabilities affecting electronic devices involving various Bluetooth implementations in Android, iOS, Linux and Windows. Many devices are affected, including laptops, smart cars, smartphones and wearable gadgets. The vulnerabilities were first reported by Armis, an IoT security firm, on September 12, 2017. According to Armis, "The BlueBorne attack vector can potentially affect all devices with Bluetooth capabilities, estimated at over 8.2 billion devices today."
Bureau 121
Bureau 121 is a North Korean cyberwarfare agency, which is part of the Reconnaissance General Bureau of North Korea's military. According to American authorities, the General Bureau of Reconnaissance (also termed Reconnaissance General Bureau) manages clandestine operations and has six bureaus. Cyber operations are thought to be a cost-effective way for North Korea to maintain an asymmetric military option, as well as a means to gather intelligence; its primary intelligence targets are South Korea, Japan, and the United States. Bureau 121 was created in 1998. Another known cyberwarfare unit in the General Bureau of Reconnaissance is called No. 91 Office.
Careto (malware)
Careto (Spanish for mask), sometimes called The Mask, is a piece of espionage malware discovered by Kaspersky Lab in 2014. Because of its high level of sophistication and professionalism, and a target list that included diplomatic offices and embassies, Careto is believed to be the work of a nation state. Kaspersky believes that the creators of the malware were Spanish-speaking. Because of the focus on Spanish-speaking victims, the heavy targeting of Morocco, and the targeting of Gibraltar, Bruce Schneier speculates that Careto is operated by Spain.
Dexter (malware)
Dexter is a computer virus or point-of-sale malware which infects computers running Microsoft Windows and was discovered by IT security firm Seculert in December 2012. It infects PoS systems worldwide and steals sensitive information such as credit card and debit card data. In December 2013, researchers discovered StarDust, a major revision of Dexter, which compromised 20,000 cards in an active campaign hitting US merchants.
It was one of the first known botnets to target point-of-sale (PoS) terminals used by stores and restaurants to process customers' credit and debit card payments.
DoublePulsar
DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017. The tool infected more than 200,000 Microsoft Windows computers in only a few weeks, and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack. Sean Dillon, senior analyst of security company RiskSense Inc., first dissected and inspected DoublePulsar. He said that the NSA exploits are "10 times worse" than the Heartbleed security bug, and use DoublePulsar as the primary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system. Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.
Duqu 2.0
Duqu 2.0 is a version of malware reported in 2015 to have infected computers in hotels of Austria and Switzerland that were sites of the international negotiations with Iran over its nuclear program and economic sanctions. The malware, which infected Kaspersky Lab for months without their knowledge, is believed to be the work of Unit 8200.
Kaspersky discovered the malware, and Symantec confirmed those findings. The malware is a variant of Duqu, and Duqu is a variant of Stuxnet. The software is "linked to Israel", according to The Guardian. The software used three zero-day exploits, and would have required funding and organization consistent with a government intelligence agency. According to Kaspersky, "the philosophy and way of thinking of the 'Duqu 2.0' group is a generation ahead of anything seen in the advanced persistent threats world."
Evercookie
Exactis LLC is a data broker established in 2015 and based in the U.S. state of Florida. The firm reportedly handles business and consumer data in an effort to refine targeted advertising.
iSeeYou
iSeeYou is a security bug affecting iSight cameras in some Apple laptops.
Mahdi (malware)
Mahdi is computer malware that was initially discovered in February 2012 and was reported in July of that year. According to Kaspersky Lab and Seculert (an Israeli security firm which discovered the malware), the software has been used for targeted cyber espionage since December 2011, infecting at least 800 computers in Iran and other Middle Eastern countries. Mahdi is named after files used in the malware and refers to the Muslim figure.
Metulji botnet
The Metulji botnet, discovered in June 2011, is a botnet mainly involved in cyberscamming and denial of service attacks. Before the botnet itself was dismantled, it consisted of over 12 million individual zombie computers infected with the "Butterfly Bot", making it, as of June 2011, the largest known botnet. It is not known what type of computers are vulnerable, or how to tell if a computer is a part of this botnet.
Senate Blue Ribbon Committee
The Senate Committee on Accountability of Public Officers and Investigations of the Senate of the Philippines, more popularly known as the Blue Ribbon Committee, is the Senate committee tasked to investigate alleged wrongdoings of the government, its officials, and its attached agencies, including government-owned and controlled corporations, in aid of legislation; that is, its primary purpose is the suggestion of new laws or proposals of amendments to existing laws.
SigSpoof
SigSpoof is a family of security vulnerabilities that affected the software package GNU Privacy Guard ("GnuPG") since version 0.2.2, which was released in 1998. Several other software packages that make use of GnuPG were also affected, such as Pass and Enigmail. In unpatched versions of affected software, SigSpoof attacks allow cryptographic signatures to be convincingly spoofed under certain circumstances. This potentially enables a wide range of subsidiary attacks to succeed. According to Marcus Brinkmann, who discovered the SigSpoof vulnerabilities in June 2018, their existence, and the fact that they were present "in the wild" for so long, throws into question the integrity of past emails, "backups, software updates, ... and source code in version control systems like Git."
Stars virus
The Stars virus is a computer virus which infects computers running Microsoft Windows. It was named and discovered by Iranian authorities in April 2011. Iran claimed it was used as a tool to commit espionage. Western researchers came to believe it is probably the same thing as the Duqu virus, part of the Stuxnet attack on Iran.
TLBleed
TLBleed is a cryptographic side-channel attack that uses machine learning to exploit a timing side-channel via the translation look-aside buffer (TLB) on modern microprocessors that use simultaneous multithreading. As of June 2018, the attack has only been demonstrated experimentally on Intel processors; it is speculated that other processors may also potentially be vulnerable to a variant of the attack, but no proof of concept has been demonstrated. Recent news from AMD indicates that their processors are not vulnerable to this attack. The attack led to the OpenBSD project disabling simultaneous multithreading on Intel microprocessors. The OpenBSD project leader Theo de Raadt has stated that, while the attack could theoretically be addressed by preventing tasks with different security contexts from sharing physical cores, such a fix is currently impractical because of the complexity of the problem.
Trustico
Trustico is a dedicated SSL certificate provider headquartered in the United Kingdom.
World Informatix Cyber Security
World Informatix Cyber Security is an organisation focusing on the cyber security aspect of developing countries. The company came to attention for handling the high-profile Bangladesh Bank robbery case. The organisation assisted and advised the bank on post-breach remediation measures. Later on, the case was investigated by FireEye.
The primary focus of the organisation is to work with the Society for Worldwide Interbank Financial Telecommunication (SWIFT) as part of its customer security platform and to perform incident response in case of security breaches.
Yemen Cyber Army
The Yemen Cyber Army (الجيش اليمني الالكتروني) is a pro-Shia hacker group that has claimed responsibility for the defacement of the London-based pro-Saudi Al-Hayat website in April 2015, as well as the exfiltration of data from Saudi Arabia's Ministry of Foreign Affairs in May, subsequently listed on WikiLeaks.
Associated with the 2015 Yemeni Civil War, the group claims to be based in Yemen itself, but there is speculation from security experts that they are in fact Iranian-backed, based on IP address information and use of the Persian language. Experts suggest the organisation is a manifestation of the ongoing proxy war between Iran and Saudi Arabia. Meanwhile, Saudi-based Anonymous-affiliated hackers contribute to the ongoing #protest against the Saudi regime.