Australian Security Magazine, Feb/Mar 2017

Page 24

Cyber Security

The Chinese New Year heist

By Jane Lo, Singapore Correspondent

A traditional Chinese New Year celebration with volumes of ‘prosperity and good luck’ money gifts, asynchronous working days across 2 time zones, procedural and regulatory vulnerabilities, straight-through automated processing – these were among the elements that contributed to delays in detecting and responding to the Bangladesh Central Bank cyber break-in. They allowed sophisticated, well-organized criminals to successfully launch their attacks on the payment system linking the Bangladesh Central Bank, the Federal Reserve Bank of New York and a network of commercial and correspondent banks. The criminals almost carried off a haul of US$1 billion: 2 words raised red flags and stopped 31 out of the 35 fraudulent transactions, but not before US$81 million had made its way into the casino industry in the Philippines.

What do we know so far?

The attack combined the modern technique of hacking into computers with malware and old-fashioned money laundering skills. Investigations by the authorities suggested that preparatory work may have begun as long as a year ago in May 2015 with the opening of bank accounts in the Philippines bank (Rizal Commercial Banking Corporation), after which the bank accounts were left dormant without any transactional activity until the attack in February 2016. The introduction of the malware into the Bangladesh Central Bank was likely to have taken place at least a month prior to the attack. Audit trails suggested the possibility of trial runs being conducted beforehand.

According to the Bangladesh Police Criminal Investigation Department, the computer network at the Bangladesh Central Bank was not adequately secured: an unprotected firewall combined with a weak password, and unused ports and a remote access channel which were not adequately hardened, opened up entry points and allowed the criminals to penetrate the network perimeter.

Procedural vulnerabilities, where contingency plans for a breakdown of equipment (in this case the cross-border payment SWIFT software and the printer which would have listed payment instructions) and alternate communication channels failed to kick in, prevented the rapid detection of and response to the breach. Additionally, timeliness of response was complicated not only by time zone differences but also by asynchronous workweeks between Bangladesh and New York.

An extra layer of protection from anomalous pattern detection (the materiality and frequency of the payment instructions from the Bangladesh Central Bank, which appeared out of the norm, a misspelled word, and a name under the United States' sanctions list against Iran) raised red flags, but by then $81 million had already been cleared and paid out.

And the heist was perfectly timed during a holiday period, when significant fund flows into the casino accounts were not unexpected and so failed to disrupt the attack at the end of the chain. Crucially, the CCTV cameras in the Philippines bank were disabled during this period, highlighting the organized nature of the attack.

Timeline of key events during the attack - 35 fake transactions from the Bangladesh Central Bank were sent

