When You Hack Your Central Bank
Over a weekend at the beginning of February 2016, unknown computer hackers managed to gain access to the internal systems of ‘Bangladesh Bank’, the central bank and monetary authority of the South Asian country.
The cyber-attack on the bank’s headquarters in the country’s capital, Dhaka, was planned and executed quite professionally. The perpetrators had deep knowledge of the bank’s internal workings, most likely gained by spying on the bank’s staff through malware installed in the computer systems.
Once inside, they captured the bank’s credentials for payments and transfers via the messaging-system SWIFT (Society for Worldwide Interbank Financial Telecommunication), which is used around the world for secure financial communication.
With access for payments, our weekend-hackers then instructed the Federal Reserve Bank of New York – with over 30 fully authenticated transfer requests – to move money from Bangladesh Bank’s account there.
The requests involved shifting money to banks in the Philippines, where the funds were then transferred to a foreign exchange dealer who sent them to local casinos and converted them into chips. The chips were then cashed out again and the proceeds sent to Hong Kong bank accounts to finish the laundering process.
The first 4 requests to transfer a total of about 80 million USD to the Philippines went through seamlessly, but the 5th request to pay 20 million USD to a non-profit organisation (NGO) in Sri Lanka called ‘Shalika Foundation’ was held up for a … typo. The IT-savvy hackers weren’t that careful with the English language and misspelled ‘foundation’ in the NGO’s name as ‘fandation’.
This prompted the clearing bank (a bank that, as part of a network, can clear payments or checks for its clients regardless of whether the payment or check originates from the same commercial bank; in our case it was Deutsche Bank) to seek clarification from Bangladesh Bank, which then stopped the transaction and thereby interrupted one of the biggest bank raids ever. In total, the hackers attempted to steal up to 1 billion USD.
No wonder banks and other businesses are eager to learn more about how the central bank was compromised, so they can review their own networks for signs that they are vulnerable to the next attack, because this “will for sure happen again”, says Aviv Raff, chief technology officer at Tel Aviv-based cyber-security company Seculert.
Besides banks and businesses, any private smartphone is also at risk of being hacked in increasingly sophisticated ways. Kaspersky Lab, for instance, has just detected ‘Triada’, a new trojan targeting Android devices, written by very professional cybercriminals and putting devices running Android 4.4.4 and earlier versions at risk.
‘Triada’ has the ability to gain super-user access rights that give the outside attacker the privilege to install paid premium apps on the phone without the user’s knowledge. The main purpose is to interrupt the financial transactions in the process of buying the apps and channel the funds to other accounts operated by cybercriminals or their collaborators.
The high-level fight against hackers will make cyber-security a further growing and profitable sector. So why not think about an investment in this field?
Hollywood superstar Kevin Spacey, you know, the guy who plays President Frank Underwood in ‘House of Cards’, did exactly this. He just bought a significant stake in world-leading Swiss eSecurity company Wisekey, which will go public very soon (the IPO has been announced for this month). Geneva-based Wisekey is also leading the field in the global wearables market, which will grow at an estimated annual rate of 35% over the next five years.
Officials at Bangladesh Bank acknowledged weaknesses in their systems and said it could take two years or more to repair the problems.