Report: Bangladesh Probes 2013 Bank Hack via SWIFT
Malware Attackers Stole $250,000 From Sonali Bank
A fourth case has come to light involving hackers using malware to infiltrate bank systems and inject fraudulent money-transfer requests into the SWIFT interbank messaging network.
Authorities in Bangladesh have reopened a cold case involving state-owned Sonali Bank - the country's largest commercial bank - which suffered the theft of $250,000 in 2013, an unnamed senior law enforcement official tells Reuters. The case is being re-examined following the $81 million theft from the central bank of Bangladesh in February.
After that attack was publicly revealed in March, two other, similar attacks also came to light (see SWIFT Warns Banks: Coordinated Malware Attacks Underway). In early 2015, Ecuador's Banco del Austro lost $12 million to attackers. In late 2015, meanwhile, Vietnam's Tien Phong Bank blocked an attempt to steal more than $1 million. Both of those attacks were first publicly disclosed only this month.
But an even earlier attack has come to light, involving Sonali Bank. An unnamed senior IT official at the bank tells Reuters that in 2013, attackers infected bank systems with a keylogger, stole passwords, used those to move laterally through the bank's network and then issued an unspecified number of fraudulent SWIFT transfer requests, resulting in the theft of $250,000.
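The chain described for Sonali Bank (keylogger, stolen passwords, lateral movement, then transfer requests submitted with a legitimate operator's credentials) survives most perimeter controls because every step uses valid logins. The control that catches it is reconciliation: comparing each instruction that leaves the messaging gateway against the payment the bank's own core system actually approved, and against where the submitting login normally works from. The following is an added illustration written for this page; it is not code from the article, from Sonali Bank or from SWIFT, and the record layouts, reference numbers, logins, hosts and amounts are constructed for the example rather than taken from any real message format or incident.

```python
"""Reconcile outbound transfer instructions against approved payments.

Added example, not from the article. Record layouts and all sample data
below are constructed; they do not reproduce any real messaging format.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Approval:
    """A payment approved in the bank's core system (hypothetical layout)."""
    ref: str
    amount: int            # minor units (cents) to avoid float comparisons
    currency: str
    beneficiary_acct: str
    approver: str          # login that approved the payment


@dataclass(frozen=True)
class OutboundMessage:
    """A transfer instruction as it left the gateway (hypothetical layout)."""
    ref: str
    amount: int
    currency: str
    beneficiary_acct: str
    operator: str          # login that submitted the message
    host: str              # workstation the submission came from


def reconcile(approvals: List[Approval],
              messages: List[OutboundMessage],
              operator_hosts: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (message ref, reason) for each outbound message that does not
    line up with an approved payment, that collapses the maker/checker split,
    or that was submitted from a host the operator does not normally use.
    A message can produce more than one finding."""
    by_ref = {a.ref: a for a in approvals}
    findings: List[Tuple[str, str]] = []
    for m in messages:
        a = by_ref.get(m.ref)
        if a is None:
            # Injected request: nothing in the core ledger authorised it.
            findings.append((m.ref, "no approved payment with this reference"))
        else:
            if (m.amount, m.currency) != (a.amount, a.currency):
                findings.append((m.ref, f"amount {m.amount} {m.currency} "
                                        f"differs from approved {a.amount} {a.currency}"))
            if m.beneficiary_acct != a.beneficiary_acct:
                findings.append((m.ref, "beneficiary differs from approved payment"))
            if m.operator == a.approver:
                findings.append((m.ref, "submitted by the login that approved it"))
        if m.host not in operator_hosts.get(m.operator, set()):
            # Stolen credentials are usually replayed from somewhere new.
            findings.append((m.ref, f"operator {m.operator} submitted from "
                                    f"unexpected host {m.host}"))
    return findings


# Constructed sample data (hypothetical logins, hosts, accounts and amounts).
APPROVALS = [
    Approval("TRN-1001", 1_250_000, "USD", "ACCT-BENEF-01", "chk_b"),
    Approval("TRN-1002", 20_000_000, "USD", "ACCT-BENEF-02", "chk_b"),
]
OPERATOR_HOSTS = {"ops_a": {"ws-ops-07"}, "chk_b": {"ws-ops-03"}}
MESSAGES = [
    # Legitimate: matches its approval, usual operator and workstation.
    OutboundMessage("TRN-1001", 1_250_000, "USD", "ACCT-BENEF-01", "ops_a", "ws-ops-07"),
    # Amount altered after approval.
    OutboundMessage("TRN-1002", 25_000_000, "USD", "ACCT-BENEF-02", "ops_a", "ws-ops-07"),
    # Injected with ops_a's stolen password from an unknown host, no approval.
    OutboundMessage("TRN-9910", 25_000_000, "USD", "ACCT-UNKNOWN-9", "ops_a", "10.40.12.77"),
]


def run_sample() -> List[Tuple[str, str]]:
    """Reconcile the constructed sample; returns the findings list."""
    return reconcile(APPROVALS, MESSAGES, OPERATOR_HOSTS)


if __name__ == "__main__":
    for ref, reason in run_sample():
        print(f"{ref}: {reason}")
```

The check has to run on a system the gateway operator cannot reach with the same credentials, and against the core ledger rather than against the gateway's own database, otherwise an attacker who has already moved laterally can simply insert a matching "approval" before sending the message.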
Sonali Bank didn't immediately respond to a request for comment on that report, which says the money was initially moved to an unnamed bank in Turkey.
But the managing director of Sonali Bank, Pradip Kumar Dutta, tells Reuters that the bank has yet to recover the funds, and that its attackers remain at large.
"We could not find out what happened," he says.
Bangladesh's Anti Corruption Commission investigated the 2013 hack attack. Officials there couldn't be immediately reached for comment.
Meanwhile, cybersecurity firm FireEye, which was hired by Bangladesh Bank to investigate its hack attack, has been contacted by up to a dozen more banks in Southeast Asia that suspect hackers may have also breached their networks, Bloomberg reports, citing an unidentified source. Banks in the Philippines and New Zealand - but none in Western Europe or the United States - are among the firms that have reportedly sought assistance, though it's not clear whether any funds were stolen. A FireEye spokesman declined to comment on that report.
Are All Four Cases Related?
In all four known cases, the attacks were perpetrated by issuing fraudulent transfer requests via the messaging network maintained by Brussels-based SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication. The cooperative, which is owned by 3,000 banks, maintains a "secure financial messaging service" used by more than 11,000 banks around the world, which handles communications related to billions of dollars' worth of transfers daily. But following the hack attack and fraudulent SWIFT transfer reports, some officials and security experts have criticized the cooperative for not doing more to help secure its customers.
A SWIFT spokesman didn't immediately respond to a request for comment on the Sonali Bank case - about which it reportedly learned in 2013 - or whether the three other SWIFT-using bank heists are connected.
Attackers Moved Money
Most of the fraudulent SWIFT heists have involved moving money between a number of banks, sometimes also including money exchange services. In the case of Bangladesh Bank, attackers attempted to steal about $1 billion before successfully moving about $100 million, only some of which has been recovered; even so, it remains one of the biggest bank heists in history. A related investigation is being spearheaded by the FBI and authorities in Bangladesh. Investigators say that in that attack, the money was routed through multiple banks before being laundered via casinos in the Philippines.
In the $12 million Ecuadorian heist, court documents show that $9 million of the money stolen from BDA was moved through a web of companies based in Hong Kong, while $3 million was routed to Dubai and elsewhere, Reuters reports.
It adds that court documents submitted by BDA to Hong Kong's Court of First Instance, seeking recovery of the stolen funds, allege that some companies in the territory were "unjustly enriched."
SWIFT's Image Takes a Hit
In the wake of the bank hack reports, SWIFT's image has suffered, even as the cooperative has continued to assert that its network and software remain secure and questioned victims' information security practices (see SWIFT to Banks: Get Your Security Act Together).
Officials in multiple countries have been asking banks how they plan to better secure their use of SWIFT, and asking SWIFT how it plans to help (see Banks, Regulators React to SWIFT Hack). Notably, the Bank of England in April asked all British banks to detail how they have been responding to the Bangladesh Bank hack, and some legislators in the United States are calling for U.S. regulators to follow suit.
This week, Gottfried Leibbrandt, CEO of SWIFT, said that his organization would help banks to better share threat-related information and spot related fraud, and promised that SWIFT would soon issue more comprehensive security guidance to customers.
"Back before mainframes, ATMs, mobile banking and PCs, it was all about men and guns," Leibbrandt said in a May 24 speech in Brussels. "Now it is about men and hoodies hunkering over keyboards. And as we continue to connect everything to everything, things will get ever more challenging."
But he said that SWIFT alone won't be able to secure banks. "This will only work if the industry works together," he said. "SWIFT is not all-powerful, we are not a regulator, and we are not a policeman; success here depends on all the stakeholders in and around the industry. The security of our network remains our key priority; the security of their own environments has to remain - and, for some, become - banks' priority."
May 26: This story has been updated to reference the Bloomberg report.