Poor network configuration allowed the hackers to take full control over the bank's SWIFT payments system

Apr 25, 2016 13:15 GMT

Malware that altered two bytes of data, second-hand networking switches, and the lack of any firewall on the Bangladesh central bank's IT network allowed attackers to take control of the institution's SWIFT payment system.

Although Bangladeshi officials have not offered any definite answers on how the Bangladesh central bank heist happened, independent security firms are starting to piece the clues together.

What we know until now

At the end of February 2016, a group of unknown hackers tried to steal around $1 billion from the Bangladesh central bank's account at the US Federal Reserve Bank in New York.

The hackers used the bank's official SWIFT account to transfer money to various other banks around the world, but after they had stolen $81 million, a typo foiled their plans and stopped the rest of the heist.

Authorities tracked the stolen $81 million to casinos in the Philippines and managed to recover some of the money. Bangladesh central bank's governor and two deputy governors were forced to resign.

Last week, authorities announced that they believe a group of twenty suspects from around the world was behind the incident.

A Bangladeshi man developed malware targeting the bank's SWIFT system

Security firm BAE Systems says it identified a piece of custom malware uploaded to online malware repositories that it believes is linked to the heist. The malware was uploaded by a person living in Bangladesh and targets vulnerabilities in the SWIFT system.

Here, SWIFT refers to the SWIFT Alliance Access software suite, a complex application for processing financial transactions that runs on top of an Oracle database.

Researchers explained today that the hackers infiltrated the bank's SWIFT system using this custom malware and gained access to the bank's entire financial transactions payment system.

Appalling bank IT network configuration

In a separate investigation carried out by Reuters, reporters revealed that the Bangladesh central bank did not use a firewall to protect its IT network.

Additionally, the bank used second-hand switches priced at $10. These switches did not support virtual networks (VLANs), so the SWIFT system sat on the same network as the rest of the bank's workstations.

The hackers simply had to infect one computer with their malware, and from there it could spread to the SWIFT system. By exploiting a vulnerability that allowed them to change two bytes of data, they gained control over the SWIFT application and its underlying database.

The hackers then initiated official transactions on behalf of the Bangladesh central bank using funds stored in the bank's US Federal Reserve account.
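Where the article says the malware altered two bytes of data inside the SWIFT application, the defensive counterpart is integrity monitoring that not only notices a changed file but also localises how much of it changed. The following Python is an added example, not code from the article or from BAE Systems; it compares an application image against a known-good copy using constructed sample bytes (not real SWIFT software) and reports a change of a handful of bytes as a targeted patch rather than a legitimate update.

```python
import hashlib
from typing import Dict, List, Tuple

# A change of this many bytes or fewer is reported as a targeted patch; a real
# vendor update would rewrite far more of the file than that.
SMALL_PATCH_THRESHOLD = 16


def diff_bytes(known_good: bytes, observed: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, expected_byte, observed_byte) for every differing byte.
    Where one image is shorter, the missing side is reported as -1."""
    diffs = []
    for i in range(max(len(known_good), len(observed))):
        expected = known_good[i] if i < len(known_good) else -1
        actual = observed[i] if i < len(observed) else -1
        if expected != actual:
            diffs.append((i, expected, actual))
    return diffs


def verify_image(known_good: bytes, observed: bytes) -> Dict[str, object]:
    """Compare a deployed application file against its vendor-supplied baseline
    and, when it differs, localise the change so responders can see its size."""
    expected = hashlib.sha256(known_good).hexdigest()
    actual = hashlib.sha256(observed).hexdigest()
    report: Dict[str, object] = {"expected_sha256": expected, "actual_sha256": actual}
    if expected == actual:
        report.update(verdict="unchanged", changed=[])
        return report
    diffs = diff_bytes(known_good, observed)
    report.update(
        verdict="targeted-patch" if len(diffs) <= SMALL_PATCH_THRESHOLD else "rewritten",
        changed=diffs,
    )
    return report


# Constructed sample data (not real SWIFT software): a 64-byte stand-in for an
# application library, and the same image with two bytes altered at 0x10-0x11.
BASELINE = bytes(range(64))
_patched = bytearray(BASELINE)
_patched[0x10], _patched[0x11] = 0xAA, 0xBB
PATCHED = bytes(_patched)

if __name__ == "__main__":
    result = verify_image(BASELINE, PATCHED)
    print(result["verdict"], [(hex(off), exp, got) for off, exp, got in result["changed"]])
```

In practice the known-good image comes from vendor media or a signed manifest held off the monitored host, and the check runs from a system the application's own account cannot modify.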

Custom-made malware, just for the Bangladesh bank infrastructure

The bank's SWIFT system was also protected by an automatic send-to-printer feature that listed every financial transaction on a local printer. To mask their illegal operations, the malware included a module that blocked this physical backup log.

All of these peculiarities show that the attackers had insight into how the bank had set up its infrastructure and how the SWIFT system was exposed.

"This attacker put significant effort into deleting evidence of their activities, subverting normal business processes to remain undetected and hampering the response from the victim," a BAE Systems malware analyst explained.

"This malware was written bespoke for attacking a specific victim infrastructure, but the general tools, techniques and procedures used in the attack may allow the gang to strike again."

UPDATE: SWIFT has released a statement on BAE Systems' findings, which you can read below.

Image captions: "Mode of operation for malware supposedly used in Bangladesh bank heist" and "SWIFT Statement".