The Bangladesh Bank hack is one of the biggest bank heists in global financial history. There have been larger scams and scandals, but among cyber heists from a single bank, this one takes the cake.
The heist of over $80 million sent shock waves through the global financial system, and security experts scrambled to find out how it had happened. Political and administrative authorities played the blame game, as was expected of them. Resignations were offered and statements were issued. It was complete chaos.
Now the storm is over and the dust seems to be settling. As the bigger picture comes into focus, it is becoming clearer what exactly went wrong.
How it happened
It all began on one fateful Friday with a printer failure. On 5 February 2016, Jubair Bin Huda, the bank’s joint director for accounts, discovered the printer failure, which left him unable to collect the previous day’s transactions, the Financial Times reports. The printer failure was just the tip of the iceberg, though. Three days later, the bank discovered that the printer was not the only thing that had failed. The magnitude of the theft suggested that the bank’s cyber security system had not fared much better.
The hackers managed to break into the bank’s security system and transferred more than $80 million from the bank’s New York Federal Reserve account to multiple bank accounts located in Sri Lanka and the Philippines. A significant number of transfer requests, 30 out of 35, were blocked by the Federal Reserve, saving the bank a loss of $850 million. But the five requests that managed to pass through, amounting to more than $80 million, were devastating enough in their consequences.
Security analysts suggest that they did it by installing malware on one of the bank’s computers, which enabled them to spy on the bank’s monetary activities for weeks and observe how money transfers took place.
However, investigators believe that the heist involved hackers using a Remote Access Trojan (RAT). Through this, they were able to gain remote control of the bank’s computers and initiate fund transfers. It may have taken the hackers almost a year of planning and preparation, which involved opening multiple accounts in various banks in the Philippines and Sri Lanka using fake documentation. It is ironic, though, that despite all the meticulous planning, a typo in a transfer request turned out to be the Achilles heel and helped uncover the entire operation.
According to the BBC, the bank didn't have a firewall and used cheap $10 internet routers. This made the malicious actors' job very easy. Good prevention and detection controls would at least have helped detect the whole operation much sooner.
SWIFT software security
Perhaps the most troubling aspect of the whole episode was that the hackers managed to hack into the SWIFT software. SWIFT lies at the heart of the global financial system: it is a network that connects the majority of the world’s financial institutions and enables them to send and receive information about financial transactions.
However, it was the bank's systems or controls that were compromised, not the software, according to an independent security consultant, William Murray. "The SWIFT software behaved as it was intended to, but was not operated by the intended person or process. This is a bank problem, not a SWIFT problem."
The major takeaway from this is that financial institutions must pay extra attention to protecting the computers on which the SWIFT software is installed.
Cyber Security is not an IT problem
It is a business problem. Businesses should view cyber risk on par with operational, regulatory and financial risk. Unfortunately, most organizations' boards fail to recognize this.
Lutfus Sayeed, an Information Systems professor at California State University, believes that cyber security must be incorporated into any organization’s central business strategy. IT security must have a seat in the boardroom, at the executive table. It must not be viewed as a specialized function that is detached from the core business processes.
Cyber Security is not a checklist
Security should not be a compliance checklist, regulatory or otherwise. You will never be secure by being compliant. You will always be compliant by practicing good security processes. A learned friend, who was involved in ensuring that a major card compliance program was implemented at banks worldwide, reveals that many banks in the east would just write off compliance fines and pay them rather than comply. They consider it more cost-effective.
The Bangladesh Bank heist has hopefully driven home the point that cybersecurity cannot be an afterthought. The business impact of poor cybersecurity practices is harsh and real.
Cyber Security needs attention
Cyber security is a critical business function that needs attention. Organizations that do not have the resources to manage cybersecurity should look to Managed Security Service Providers (MSSPs) for assistance. There are some benefits to engaging a Managed Security Service Provider:
a) They are more economical than investing in personnel, software, hardware and processes yourself
b) They provide round-the-clock monitoring, which most businesses can't do themselves. Remember, attackers don't adhere to your work-hour schedule, and hence it's important to have a team that monitors your systems round the clock.
c) They are more efficient at responding to cyber threats. MSSPs, due to the nature of the business they are in, have more threat intelligence, and are able to respond faster than most businesses themselves can.
d) They have dedicated teams to handle cyber threats, and can provide rapid staff augmentation or send skilled analysts onsite to handle the situation.
Always assume your business has been compromised. APTs have been known to exist in businesses' IT systems for many years without being detected. It is safe to assume that the Bangladesh Bank heist perpetrators had been inside for at least a year before they pulled off the heist. Threat hunting, the act of assuming compromise and looking for "bad", is an exercise worth investing in. Work with your team or your provider in conducting these exercises.
The business impact of poor cybersecurity practices is harsh and real. Don't let your business fall victim to cyber threats.