Researchers uncover details of ‘sophisticated’ Bangladesh Bank hack

Hackers went to great lengths to hamper Bangladesh Bank’s response

Hackers worked hard to keep Bangladesh Bank staff in the dark

Researchers at BAE Systems have made what appears to be a major breakthrough in understanding the February cyber attacks on Bangladesh Bank that saw $101 million stolen from its account with the New York Fed.

The BAE team came across tools recently uploaded to an online malware repository by a user in Bangladesh. The particular code was designed to run until February 6, and the thefts are believed to have taken place in the two days before.

The files reveal how the hackers were able to overcome certain security features, and cover their tracks, buying them time to launder the money through casinos in the Philippines.

The tool was "custom made" for the job, writes BAE researcher Sergei Shevchenko in a blog post. It demonstrated a "significant level of knowledge" of Swift systems, and "good malware coding skills".

Though the upload to the online repository has allowed authorities an insight into the method used by the hackers, the code is "highly configurable", Shevchenko writes. With the correct access to systems, it "could feasibly be used for similar attacks in the future".

Two-byte jump

The malware begins by overwriting code within Swift's Alliance Access program – its main messaging software. It adds in just two bytes of data in front of important security checks, telling the system to skip each test.

This code gave the hackers access to Bangladesh Bank's database that handles transaction records. The malware then ran continuously until February 6, hiding any information that could have given the hackers away.

By scanning confirmation messages from the Swift system, the malware was able to overwrite the value of balance checks, delete any records of fraudulent transactions, and adjust transaction print-outs so they suggested everything was fine.

To a user at Bangladesh Bank, any transactions would have worked normally and the balance showing as available at the New York Fed account would have tallied with their records – though in reality, millions of dollars were missing.
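The kind of check that exposes this tampering is a reconciliation between an account statement received out of band from the correspondent bank and the local transaction ledger, which is what Swift's later upgrade aims to help customers do. The example below is added here and is not BAE's code or Swift's tooling; the references, amounts and opening balance are constructed.

```python
"""Reconcile an out-of-band account statement with the local ledger.

Records the malware deleted show up as statement entries with no local match,
and a rewritten balance shows up as a gap between what the local system
displays and what the statement implies. All data below is constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    ref: str         # transaction reference (constructed)
    amount: Decimal  # debit amount in USD


# Statement lines as received directly from the correspondent bank, i.e. not
# through the messaging host that the malware could tamper with.
STATEMENT = [
    Entry("TRN-001", Decimal("20000000")),
    Entry("TRN-002", Decimal("81000000")),
    Entry("TRN-003", Decimal("1500000")),
]

# Local ledger after tampering: the two fraudulent records were deleted and
# only the legitimate transfer remains.
LOCAL_LEDGER = [Entry("TRN-003", Decimal("1500000"))]

OPENING_BALANCE = Decimal("1000000000")      # constructed
LOCAL_DISPLAYED_BALANCE = Decimal("998500000")  # what staff see after tampering


def reconcile(statement, ledger, local_balance, opening_balance):
    """Return (missing_refs, balance_gap).

    missing_refs: statement entries with no local record of the same reference
    and amount. balance_gap: how much the locally displayed balance overstates
    the balance implied by the opening balance and the statement's debits.
    """
    by_ref = {e.ref: e for e in ledger}
    missing = [e.ref for e in statement
               if e.ref not in by_ref or by_ref[e.ref].amount != e.amount]
    implied_balance = opening_balance - sum(e.amount for e in statement)
    return missing, local_balance - implied_balance


def run_check():
    """Run the reconciliation on the constructed data."""
    return reconcile(STATEMENT, LOCAL_LEDGER, LOCAL_DISPLAYED_BALANCE, OPENING_BALANCE)


if __name__ == "__main__":
    missing, gap = run_check()
    print(f"missing locally: {missing}; balance overstated by USD {gap}")
```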

Open questions

In a statement, Swift admitted similar attacks had affected some of its other customers, though it stressed the vulnerability does not lie within its systems.

"The commonality in what we have seen is that (internal or external) attackers have successfully compromised banks' own environments and thereby obtained valid operator credentials," it said.

It has rolled out a mandatory upgrade designed to help customers "enhance their security" and "spot inconsistencies" in database records.

Echoing Swift's point, the BAE team notes that a central question is how the hackers gained access to the database in the first place. It is not a question the code discovered so far can answer, and investigators have as yet revealed few details.

"All financial institutions who run Swift Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed," Shevchenko says.

Further question marks remain over the identity of the hackers, and how they were able to send the transaction requests to the New York Fed.
