Argus - Fotolia
Lessons to be learned from attempted $1bn bank heist
Analysis of an attack aimed at stealing $1bn reveals important lessons for cyber defenders, says BAE Systems head of threat intelligence Adrian Nish
There are important cyber security lessons to be learned from the attempted $1bn heist from the Bangladesh central bank in February 2016, says a threat expert.
The attackers used five steps in a heist that would have netted $951 in total if it had been successful, Adrian Nish, head of cyber threat intelligence at BAE Systems told the Wired Security conference.
The first step took place in May 2015 when the attackers set up banking accounts in the Philippines and Sri Lanka to facilitate the money transfers.
The second step was to break into the Bangladesh central bank’s network some time in 2015 to plant some malware for the heist. “They then waited until 4 February 2016 for the main event,” said Nish.
They chose that date because it was a Thursday, which is the end of the working week in Bangladesh, assuming the heist was less likely to be noticed over the weekend.
It also meant that it would soon be the weekend in the US where the Bangladesh central bank reserves were held, and the Monday was a bank holiday in the Philippines.
“This mean the attackers theoretically had a four-day window in which they hoped they could complete the fraudulent bank transfers before anyone noticed,” said Nish.
The fourth stage was to send 35 requests to transfer funds out of the Bangladesh central bank’s account at the New York Federal Reserve.
And the fifth stage involved a subversion of transfer systems at the Bangladesh central bank to cover the attackers’ tracks.
“To do this, the attackers created custom malware that they planted into the bank’s network that was designed to make it look like no money had left the bank’s account,” said Nish.
“They targeted the Swift Alliance Access system that banks run to connect to the global financial messaging organisation, Swift, for sending transfer requests. The custom malware was written to manipulate this system by modifying the code in much the same way as a software update,” he said.
Attackers mimicked behaviour of users
Analysis of the malware used by the attackers showed that they were running under the administrator account, which meant they had root access to the bank’s systems, and that they were able to code in the same proprietary language used to create the messaging application.
“From various SQL statements, we could see that the attackers had also been able to monitor the bank’s systems to study the access patterns and behaviours of legitimate users so they knew exactly how and when to send their fraudulent transfer requests,” said Nish.
“We also saw that the attackers were able to send a real-time update from the Swift system to their command and control server, which told us that sensitive system with access to billions of dollars was allowed to have internet access,” he said.
Security lessons
Once the malware had been analysed, BAE Systems found other instances of the code or parts of the code used in other attacks in other parts of the world, both before and after the Bangladesh central bank heist, including the attack on Sony Pictures in November 2014.
Fortunately, a spelling error alerted banking officials, and all but one of the requests was blocked, which meant the attackers netted a mere $81m.
However, Nish said analysis of the attack has identified some key lessons for all organisations faced with cyber intrusion and attack:
- Limit admin accounts and continually monitor their use and potential abuse.
- Segregate networks and do not allow internet access unless it is a business requirement.
- Perform regular penetration testing using real attackers’ tools to test resilience and find gaps.
- Expect attackers to subvert company’s reporting systems and use out-of-band communications.
- Ensure security teams are trained to meet the professional training of adversaries.
- Ensure the organisation has the ability to detect and respond to breaches quickly.
- Balance technical training with communications training so right stakeholder informed.