Details Emerge On Global Bank Heists By Hackers

Starting with the premise that no network is safe, no system is invulnerable and no potential opening will go untested seems like the prudent position on which to base a governance and security strategy. JL

Nicole Perlroth and Michael Corkery report in the New York Times:

In both attacks on banks, the intruders obtained legitimate credentials to sign in to the Swift network. They initiated fraudulent money transfers, then covered their tracks using tailor-made malware. Computer security researchers said there were striking similarities between the “multiple bespoke tools” used by the hackers in the banking cases and the attack on Sony Pictures in 2014.

Just how securely are banks moving money around the world?

New details emerged about a pair of related attacks on banks that use the Swift message service, which allows financial firms and companies to transfer payments around the world.

Computer security researchers briefed on the investigation into one of the attacks, on the Bangladesh Bank, raised several theories about the crime, including the possibility that groups from Pakistan and North Korea may have been spying on the bank. Other analysts investigating the attacks said there were striking similarities between the “multiple bespoke tools” used by the hackers in both the banking cases and the attack on Sony Pictures in 2014.

The latest breach detailed by Swift in a letter to its users occurred at a commercial bank that appeared, according to a leading online security firm BAE Systems on Friday, to be located in Vietnam.

That attack and the $81 million heist from the Bangladesh central bank account at the Federal Reserve Bank of New York in February are thought to be part of a broad assault on the global banking system by thieves whose operating methods and digital fingerprints are being studied carefully by analysts worldwide.

In both attacks on banks, the intruders obtained legitimate credentials to sign in to the Swift network. They initiated fraudulent money transfers, then covered their tracks using tailor-made malware.

Swift, an acronym for the Society for Worldwide Interbank Financial Telecommunication, is a global banking consortium that operates a secure and trusted network that sends payment instructions between banks across international borders. In the predictable finger-pointing that has followed the news of the attacks, Swift has pointed out that its core network was not hacked — just the end points at which the banks tap into it — and the New York Fed has reiterated that it followed all proper procedures.

On Friday, Representative Carolyn B. Maloney, Democrat of New York, released a statement calling on the Federal Reserve Bank of New York to bolster its security even further.

“I remain concerned that there are critical security gaps in the international payment system,” Ms. Maloney said in a statement.

She also released correspondence between her office and the Federal Reserve Bank of New York, in which the bank’s general counsel, Thomas C. Baxter Jr., assured her that “there is no evidence that any Federal Reserve systems were compromised.”

Investigators briefed on the investigation at the Bangladesh central bank say that they had uncovered the presence of three groups of intruders inside the bank’s systems: two nations — Pakistan and North Korea — and a third, unidentified group of digital criminals thought to have siphoned the funds from the bank to accounts in the Philippines.

Also on Friday, two forensics investigators at BAE Systems outlined evidence that suggested similarities between the Bangladesh heist and a 2014 attack against Sony Pictures that law enforcement and intelligence agencies in the United States have traced to North Korea. That year, Sony released the farcical movie “The Interview,” which poked fun at North Korea.

The investigators pointed to specialized, identical tools — including identical encryption keys, file names and a highly unusual data deletion technique — that were used in the attack on Sony Pictures, the Bangladesh central bank and the Vietnamese bank.

However, people briefed on the actual investigation at the Bangladesh bank, who would speak only on the condition that they not be named, said that while the same tools were present inside Bangladesh’s systems, suggesting any link between that heist and the North Korean hackers would be premature.

Banks are frequent targets not just for profit-seeking digital criminals, but also nation states hoping to track spending by their perceived enemies or to gain insights into deal-making activity.

In 2012, investigators at the Russian security firm Kaspersky Lab revealed a campaign by nations, presumably the United States or Israel, aimed at banks in Lebanon, including the Bank of Beirut, Blom Bank, Byblos Bank and Credit Libanais, along with Citibank and PayPal.

In that case, the organizations involved in the Lebanese bank intrusions never stole any funds. Rather, they used stolen credentials to track customers’ assets and spending.

By their nature, hackers are difficult to trace, and theories advanced immediately after a breach can turn out to be wrong.

In summer 2014, when hackers stole account information from tens of millions of customers at JPMorgan Chase, experts initially pointed to Russia, raising concerns about national security.

In the end, federal prosecutors said that attack might have been partly the work of Israeli nationals and individuals who knew each other from Florida State University, and that their attack on the bank may have been aimed at advancing a pump-and-dump stock scheme. No money was stolen from JPMorgan in that breach.

Large banks in the United States and Europe, which are part owners of Swift, have been monitoring the developments and are studying whether they need to adjust any of their defenses to guard against similar intrusions.

“We are pretty fast learners,’’ said Doug Johnson, senior vice president for payments and security at the American Bankers Association, a trade group. “We proactively share information about how to mitigate these threats.”

In the heist at Bangladesh Bank, the thieves used the stolen credentials to authorize the transfer of $951 million from the central bank’s account at the New York Fed.

The Fed approved five of the payments to accounts in Sri Lanka and the Philippines. As far as the bank employees in the United States could tell, the payment requests had been authenticated by Swift.

One of those five requests was ultimately blocked by a bank in Sri Lanka, which noticed that the name of the supposed nonprofit group that was to receive the funds was misspelled. Instead of “Foundation,” it was spelled “Fundation,” according to a person briefed on the matter, who spoke on the condition of anonymity because of a continuing criminal investigation.

The New York officials relied entirely on Swift to authenticate the transfers, according to a letter from the New York Fed that Ms. Maloney’s office released on Friday. It does not independently vet other users on the Swift network.

The New York Fed withheld an additional 30 requested transfers from Bangladesh because one address that was supposed to receive a payment contained the same name as a ship known for smuggling activity, the person briefed on the matter said.

It turned out the address and the smuggling ship were unrelated, but that was enough to raise the New York Fed’s concerns. When they couldn’t reconfirm with officials in Bangladesh that transfers were legitimate, the New York bank denied them.