Lessons Learned From the Bangladesh Bank Heist

Author: Mohammad Sami A Kabir, CISA, CISM, CCSK, CISSP
Date Published: 6 December 2023

In 2016, the cybersecurity world was abuzz due to the Bangladesh Bank cyberheist. It played out like a scene from a Hollywood blockbuster—a team of highly skilled hackers orchestrated a massive heist that had everyone's jaws dropping. Their target? An astonishing US$1 billion from the Bangladesh Bank. This audacious move sent shockwaves through the global financial community, laying bare significant vulnerabilities in the world’s digital defenses.

The Bangladesh Bank is the country’s central bank and the governing body for the regulation of monetary and financial systems within the country’s territory. The central bank was established in 1971 and had approximately US$32 billion in reserves as of March 2022. In February 2016, the bank was the target of a cyberattack that attempted to steal approximately US$1 billion.1 During the attack, the Bangladesh Bank, among other banks, had its funds transferred to multiple fictitious banks throughout the world via the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, which allows banking entities and financial institutions to transfer funds through a secure network. Due to the weakening of security systems from deregulation years prior, perpetrators were able to compromise the central bank’s computer system, using employee credentials to gain access and conduct fraudulent transfers. The fraudsters sent 35 instructions over the SWIFT network to transfer nearly US$1 billion from the US Federal Reserve Bank of New York account belonging to Bangladesh Bank. Thirty of the transactions were flagged, but five of them were granted by staff, allowing for the successful transfer of US$101 million. The money was sent to the Philippines and Sri Lanka and subsequently laundered through casinos.

At the center of the heist was SWIFT, with 11,000 members among 200 countries globally transacting 44 million messages a day. SWIFT allows members to send highly secure messages to each other. It does not facilitate fund transfers; however, it provides a platform to send payment orders among member accounts. The communicating banks must have a relationship or affiliation with each other to use the SWIFT messaging system.

Because this cyberheist exposed serious vulnerabilities in the global financial system, it serves as a strong reminder that financial institutions worldwide need to rethink their cybersecurity strategies, risk management protocols and collaborative efforts to protect against similar cyberthreats. Furthermore, the incident emphasized the necessity of better collaboration between financial institutions, regulatory bodies and law enforcement agencies across borders.

The Cause of the Breach

The Bangladesh Bank had four computers and four servers connected to SWIFT. Those computers and servers were also connected to the real-time gross settlement system allowing the nation’s domestic banks and the central bank to perform large transfers. They were unmonitored, and the network lacked a firewall. The systems were connected to the open Internet.

One early morning in February 2016, a printer suddenly stopped printing records of activity. The hackers had reportedly placed malware in the system in the form of a keystroke logger. The passwords to gain access to the bank’s international money transfer system were obtained through the logger and nearly three dozen requests were issued to the US Federal Reserve Bank of New York to transfer US$951 million from the foreign reserves of the Bangladesh Bank on 4 February 2016. The malware planted on Bangladesh Bank’s SWIFT access computer system covered the hackers’ tracks. Five requests totaling US$101 million were authorized by the US Federal Reserve Bank of New York.

The large amount raised red flags for the Reserve, and personnel there tried to contact the Bangladesh Bank; however, their concerns were not heard by the Bangladesh Bank because the incident took place during the weekend in Bangladesh. When the Bangladesh Bank discovered the inaccessibility to its SWIFT systems the following week, it sent queries to the US Federal Reserve Bank of New York, which went unanswered due to it then being the weekend in the United States. The four-day lapse was enough time for the money corresponding to four of the requests to be transferred and then redirected through Rizal Commercial Banking Corporation’s (RCBC’s) Settlement Division to reach RCBC’s Jupiter Branch (Makati City, Philippines). Once the stolen money reached the Jupiter Branch of RCBC—despite the notification on 8 February 2016 from Bangladesh Bank to stop payment (which this time went unanswered due to a bank holiday in the Philippines2)—the stolen money was withdrawn and consequently disappeared into the casinos of the Philippines. Approximately US$20 million was issued to a nongovernmental organization (NGO) in Sri Lanka that did not exist. This particular transaction was halted by Deutsche Bank due to suspicion arising from a typographical error in the transaction request. Pan Asia Bank, based in Sri Lanka, initially took notice of the transaction because it appeared too large for a country such as Sri Lanka. Pan Asia Bank referred the anomalous transaction to Deutsche Bank. The US$20 million was later retrieved by Bangladesh Bank.

The Cost of the Breach

The hackers used the SWIFT network to instruct the Bangladesh Bank to issue US$951 million. Transactions worth US$101 million were authorized and paid from the Bangladesh Bank’s account at the US Federal Reserve Bank of New York. Of that amount, US$81 million was traced to the Philippines, of which approximately US$18 million was later recovered. US$20 million was traced to Sri Lanka but fortunately was stopped by the routing bank. A fine of nearly US$52.92 million was issued by Bangko Sentral ng Pilipinas (BSP) to RCBC for noncompliance with banking laws and regulations. This was the highest fine ever issued by BSP. After this incident, the Bangladesh government, the media and the public slammed the nation’s central bank for being incompetent, and one of the most celebrated employees of the central bank, Atiur Rahman, Ph.D., Governor of Bangladesh Bank, resigned from his post.

Determining Who Was Involved in the Breach

Investigations pointed to five officials of the Bangladesh Bank who were guilty of negligence and exposing computer systems, allowing for the malware to be installed. The investigations progressed further, resulting in the discovery that the officials had created vulnerabilities in the computer system utilized for SWIFT connections with the bank. Nearly 100 employees of the Bangladesh Bank were interrogated, and some were barred from leaving the country. Though the hackers have not been arrested to date, the government of North Korea’s involvement in the heist was revealed by federal prosecutors in the United States.3 This was the first time a national government sought to use a data breach to support its failing economy. Some security enterprises, including Symantec Corp and BAE Systems, claimed that the North Korea-based Lazarus Group, one of the world's most active state-sponsored hacking collectives, was likely behind the attack.4 The bank account of RCBC where US$15 million landed belonged to Kim Wong, a gambling junket operator in Manila (Philippines).5 In addition, Kim Wong’s enterprise Eastern Hawaii received US$21 million of the stolen funds in its bank account in the Philippines, according to the criminal complaint filed by the Philippines’ Anti-Money Laundering Council (AMLC). He avoided blame by stating that the sum was a payment he was receiving from two Chinese nationals that had nothing to do with the heist. The remaining funds of the stolen US$81 million disappeared into Solaire casino and another junket operator per the AMLC complaint.6

Why the Breach Happened

The landscape of threats is ever-changing. Older legacy techniques, processes and systems are no longer trustworthy. The primary challenge revealed by the Bangladesh Bank heist is the issue of confidence in the security of automated messaging systems for banking transactions. The SWIFT messaging system authenticates wire transfers between international banks. In this case, all transactions were authenticated by the SWIFT messaging system as per the existing protocols. Because the hackers stole credentials for the SWIFT messaging system, they were able to easily authorize the multimillion-dollar international wire transfer. The other main challenge was the absence of an effective legal system that deals with cross-border financial crimes and money laundering. The pursuit to recover stolen money became difficult, and the money lost its digital footprint because a significant portion of it ended up in a Filipino casino. Participating or cooperating in the investigation is often up to casinos’ discretion under the Philippines’ Anti-Money Laundering Act (AMLA).7 This heist spanned multiple national territories across the globe. To pull off such a heist, hackers had to know the banking process—specifically the SWIFT system—inside and out. Even if the investigation had uncovered the reason behind a possible breach, complexities associated with several cross-border jurisdictional laws and weak enforcement of international money laundering laws make it difficult to identify and prosecute the accountable entities.

Examples of Other Noteworthy Cyberattacks

The cyberattack on the Bangladesh Central Bank in 2016 was a remarkably sophisticated and noteworthy event. Similar attacks include:

  • Carbanak/Anunak Group (2013-2015)—The Carbanak group, also known as Anunak, targeted numerous financial institutions globally, including banks in Russia, Ukraine and the United States. These hackers employed spear-phishing techniques to gain initial access to the banks' systems and subsequently employed malware to surveil and control their operations, resulting in the theft of millions of dollars.8
  • Lazarus Group (2016-ongoing)—Allegedly based in North Korea, this state-sponsored hacking group has been involved in various cyberattacks targeting financial institutions, including the heist on the Bangladesh Central Bank.9
  • SWIFT-related attacks—Hackers have targeted the SWIFT system in multiple incidents. One notable example is the attack on Banco del Austro in Ecuador in 2015. The attackers obtained the bank's SWIFT credentials and transferred funds to various international accounts.10
  • Russian APT groups—Several Russian APT groups, such as APT28 (Fancy Bear) and APT29 (Cozy Bear), have engaged in cyberespionage and attacks on financial institutions. These groups have been linked to various prominent incidents, including attacks on banks and financial systems.11

Key Takeaways and Recommendations

Although the Bangladesh Bank cyberattack occurred almost a decade ago, concerns about misplaced and outdated security measures still linger for many enterprises, especially as organizations adopt artificial intelligence (AI) to utilize and enhance the capabilities of security orchestration, automation and response (SOAR) technology. SOAR assists in the coordination, execution and automation of tasks carried out by multiple individuals and tools within a unified platform. In 2017, the term SOAR was coined to describe capabilities that organizations have to rapidly address cybersecurity attacks while also gaining insights, developing comprehension, and instituting preventive measures to enhance their overall security stance.12 But the reality is that implementing a SOAR platform may not be a readily available option for some financial organizations that struggle with legacy systems, a shortage of technical expertise and financial constraints. Nevertheless, understanding what key security best practices and controls were missing at Bangladesh Bank can deter cyberattacks on critical financial establishments:

  • To mitigate credential compromise, policies that enforce strong authentication, authorization and accountability for access to sensitive, high-value financial platforms and systems need to be in place. Segregation of duties (SoD) needs to be strictly implemented as a further layer of defense, so that no single person authorized for SWIFT access can initiate and release a fraudulent payment on their own.
  • It is essential to regularly patch and secure critical systems and infrastructure to prevent breaches. A layered security defense approach that enforces zero trust, least privilege, and strong cryptography backed by hardware security modules (HSMs) should be utilized. These methodologies and tools can ensure that high-value systems only communicate with dependent systems/components through mutual cryptographic authentication, with the associated keys residing in HSM devices.
  • Comprehensive security awareness training to educate employees about the risk associated with phishing attacks is needed.
  • Internal security controls and regular review and monitoring of access privileges and user activities should be implemented to avoid insider involvement.
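As an added example (not code from the article or from any bank or SWIFT product), the following Python screen applies the controls listed above to outgoing payment instructions: a segregation-of-duties check (initiator and releaser must differ), high-value and daily-aggregate thresholds, a known-beneficiary allow-list, and an out-of-hours flag of the kind that would have stopped weekend-submitted instructions. The thresholds, operator names, beneficiary identifiers and sample batch are constructed assumptions, not data from the heist.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Hypothetical policy values and beneficiary allow-list (constructed for this example).
HIGH_VALUE_USD = 5_000_000
DAILY_AGGREGATE_USD = 25_000_000
KNOWN_BENEFICIARIES = {"CORRESPONDENT-BANK-ACC-01"}
BUSINESS_HOURS = range(9, 17)  # local hours during which payments are expected

@dataclass
class Instruction:
    ref: str
    amount_usd: int
    beneficiary: str
    initiator: str              # operator who keyed the payment
    approver: Optional[str]     # second operator who released it (None = nobody)
    submitted_at: datetime      # local time at the originating bank

def screen(instr: Instruction, released_so_far: int) -> List[str]:
    """Return the control findings for one payment instruction (empty = clean)."""
    findings = []
    # Segregation of duties: a different person must release what the initiator keyed.
    if instr.approver is None or instr.approver == instr.initiator:
        findings.append("sod_violation")
    if instr.amount_usd >= HIGH_VALUE_USD:
        findings.append("high_value")
    if instr.beneficiary not in KNOWN_BENEFICIARIES:
        findings.append("new_beneficiary")
    # Weekend or out-of-hours submission gets a human look before release.
    if instr.submitted_at.weekday() >= 5 or instr.submitted_at.hour not in BUSINESS_HOURS:
        findings.append("outside_business_hours")
    if released_so_far + instr.amount_usd > DAILY_AGGREGATE_USD:
        findings.append("daily_limit_exceeded")
    return findings

def screen_batch(batch: List[Instruction]) -> Dict[str, Tuple[str, List[str]]]:
    """Release only instructions with no findings; hold the rest for manual review."""
    results, released = {}, 0
    for instr in batch:
        findings = screen(instr, released)
        decision = "hold" if findings else "release"
        if decision == "release":
            released += instr.amount_usd
        results[instr.ref] = (decision, findings)
    return results

# Constructed sample batch; a Thursday 03:30 single-operator payment to an unknown account is held.
SAMPLE_BATCH = [
    Instruction("TX001", 950_000, "CORRESPONDENT-BANK-ACC-01", "alice", "bob", datetime(2016, 2, 3, 11, 0)),
    Instruction("TX002", 20_000_000, "UNKNOWN-NGO-ACC", "alice", "alice", datetime(2016, 2, 4, 3, 30)),
    Instruction("TX003", 30_000_000, "CORRESPONDENT-BANK-ACC-01", "alice", "bob", datetime(2016, 2, 5, 10, 0)),
]
```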

Conclusion

The Bangladesh Bank heist served as a wake-up call for the financial industry, bringing attention to the vulnerability of financial systems to cyberattacks. It emphasized the need for stronger security measures, such as multifactor authentication (MFA), real-time monitoring of financial transactions, and continuous security assessments to detect and prevent similar attacks in the future.

Endnotes

1 Staff; “Spelling Mistake Stops Hackers Stealing $1 Billion in Bangladesh Bank Heist,” The Independent, 11 March 2016, http://www.independent.co.uk/news/world/asia/spelling-mistake-stops-hackers-stealing-1-billion-in-bangladesh-bank-heist-a6924971.html
2 Byron, R.; M. Rahman; "Hackers Bugged Bangladesh Bank System in Jan," The Daily Star, 11 March 2016, http://www.thedailystar.net/frontpage/hackers-bugged-bb-system-jan-789511
3 Reuters Staff; “U.S. May Accuse North Korea in Bangladesh Cyber Heist: WSJ,” 22 March 2017, http://www.reuters.com/article/us-cyber-heist-bangladesh-northkorea/u-s-may-accuse-north-korea-in-bangladesh-cyber-heist-wsj-idUSKBN16T2Z3
4 Katz, A.; W. Fan; "A Baccarat Binge Helped Launder the World's Biggest Cyberheist," Bloomberg, 3 August 2017, http://www.bloomberg.com/news/features/2017-08-03/a-baccarat-binge-helped-launder-the-world-s-biggest-cyberheist
5 Lema, K.; A. Marshall; "Don't Ask Where Money Came From, Says Manila Casino Boss in Heist Probe," Reuters, 1 April 2016, http://www.reuters.com/article/us-usa-fed-bangladesh-philippines/dont-ask-where-money-came-from-says-manila-casino-boss-in-heist-probe-idUSKCN0WY4UY
6 Ibid.
7 CloudCfo, “Anti-Money Laundering Act in the Philippines: 5 Ways to Comply,” 6 April 2022, http://cloudcfo.ph/blog/corporate/anti-money-laundering-act-philippine
8 Cyware, “Anatomy of Carbanak Threat Actor Group and its Malicious Activities,” 16 March 2019, http://cyware.com/news/anatomy-of-carbanak-threat-actor-group-and-its-malicious-activities-c7b74139
9 Zahorski, A.; “What Is the Lazarus Group? Is It Really Comprised of North Korean Hackers?” MakeUseOf, 10 July 2022, http://www.makeuseof.com/what-is-the-lazarus-group/
10 Bergin, T.; N. Layne; "Special Report: Cyber Thieves Exploit Banks' Faith in SWIFT Transfer Network," Reuters, 20 May 2016, http://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD
11 US Cybersecurity and Infrastructure Security Agency (CISA), "Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure," 9 May 2022, http://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a
12 Shea, S.; “SOAR (Security Orchestration, Automation and Response),” TechTarget, March 2023, http://www.techtarget.com/searchsecurity/definition/SOAR?Offer=abt_pubpro_AI-Insider

MOHAMMAD SAMI A KABIR | CISA, CISM, CCSK, CISSP

Is a senior security and compliance engineer for IBM. He previously worked at Apple in a similar position and has extensive experience as an IT and cybersecurity auditor for public accounting firms such as A-LIGN and Grant Thornton LLP. He has more than five years of work experience in the cybersecurity and IT compliance domains.