Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Deciphering the Bengladesh bank heist

965 views

Published on

A complete overview of the SWIFT attack by a group of hackers also known as the Bangladesh Bank heist

Published in: Technology

Deciphering the Bengladesh bank heist

  1. 1. 1 © Jerome Kehrli @ niceideas.ch https://www.niceideas.ch/roller2/badtrash/entry/deciphering-the-bengladesh-bank-heist Bangladesh Bank Heist A complete overview of the SWIFT Attack
  2. 2. 2 1. Introduction 2. The SWIFT network - Key Concepts 1. Correspondant Banking 2. Transfering Money 3. Application Architecture (Bengladesh case) 4. Introducing key SWIFT messages 3. The attack 1. Behaviour of the malware 2. Complete overview of the attack 3. Timeline of the attack 4. Laundering of the money 4. Aftermath 5. Conclusion Summary
  3. 3. 3
  4. 4. 4 In February 2016, a group of CyberThieves have stolen 81 Million USDs from the Bengladesh Central Bank One of the three biggest bank Heists in global Financial History Biggest Cyberheist ever The Hackers broke into the Information System of the Bangladesh Central Bank Attempted to transfer 951 Million USD from the Bank Successfully transferred 81 Million USD The money laundering scheme was brilliantly designed The thieves are unknown, untroubled and safe The successfully stole the money by hacking the SWIFT bridge within the bank SWIFT is the heart of the worldwide finance system, it connects the financial institutions worldwide The attackers forged fraudulent SWIFT funds transfer messages to the network They attempted to hide their traces by hiding confirmation to the fraudulent transfers coming from the network 1. Introduction - Bangladesh Bank Heist – What we know
  5. 5. 5 The team of thieves Likely under 20 persons Composed by (at least): Hackers: social engineering and physical penetration in the bank to get administrator credentials Software Engineers: developed a custom version of the Dridex worm to perform the attack and gain control over the SWIFT bridge SWIFT experts: helped the team have an in depth understanding of the SWIFT messages formats and the SWIFT network behaviour This is the most puzzling aspects. SWIFT experts are not numerous worldwide Finance experts: helped the team shape the attach, find the right timeframe and build the money laundering scheme The project The team leader(s) had the idea likely a few years before He (they) assembled the team likely 2 years before the heist The team started working likely 18 months before the heist 1. Introduction - Bangladesh Bank Heist – What we believe
  6. 6. 6 2. The SWIFT Network – key concepts
  7. 7. 7 Presenting key concepts about correspondent banking and the SWIFT network SWIFT - Society for Worldwide Inter-bank Financial Telecommunication A belgian company, located in Belgium, a trusted and closed network used for communication between banks around the world. overseen by a committee composed of the US Federal Reserve, the Bank of England, the European Central Bank, the Bank of Japan and other major banks. SWIFT is used by around 11'000 institutions in more than 200 countries supports around 25 million communications a day, most of them being money transfer transactions, the rest are various other types of messages. The majority of international inter-bank messages use the SWIFT network. For two financial institutions to exchange banking transactions, they must have a banking relationship beforehand. A cool introduction to SWIFT is available on the Fin website : https://fin.plaid.com/articles/what-is-swift. 2. The SWIFT network – key concepts
  8. 8. 8 2.1 Correspondent Banking (1/3) A correspondent bank is a financial institution that provides services on behalf of another financial institution. facilitate wire transfers, conduct business transactions, accept deposits and gather documents on behalf of another financial institution. Correspondent banks are most often to be used by domestic banks to service transactions in foreign countries, acting as a domestic bank's agent abroad. Reasons for this include: limited access to foreign financial markets and the inability to service client accounts without opening branches abroad, act as intermediaries between banks in different countries or as an agent to process local transactions for customers abroad, accept deposits, process documentation and serve as transfer agents for funds. The ability to execute these services relieves domestic banks of the need to establish a physical presence in foreign countries.
  9. 9. 9 The accounts held between correspondent banks and the banks to which they are providing services are referred to as NOSTRO and VOSTRO accounts An account held by one bank for another is referred to by the holding bank as a VOSTRO account. The same account is referred as a NOSTRO account by the owning bank (the customer). Both banks in a correspondent relationship hold accounts for one another for the purpose of tracking debits and credits between the parties. 2.1 Correspondent Banking (2/3)
  10. 10. 10 Transferring Money Using a Correspondent Bank International wire transfers often occur between banks that do not have an established financial relationship. When agreements are not in place between the bank sending a wire and the one receiving it, a correspondent bank must act as an intermediary. For example, a bank in Geneva that has received instructions to wire funds to a bank in Japan cannot wire funds directly without a working relationship with the receiving bank. Most if not all international wire transfers are executed through SWIFT. Knowing there is not a working relationship with the destination bank, the originating bank can search the SWIFT network for a correspondent bank that has arrangements with both banks. When the sending bank has no banking relationships with any bank having itself a relationship with the target bank, then the order needs to be transferred through several, sometimes many, distinct banks through the SWIFT network. These are called routing banks. 2.1 Correspondent Banking (3/3)
  11. 11. 11 In the scope of funds transfers, correspondent banking relationships often happen between commercial banks and central banks. This is especially useful when a bank has to process massive funds transfers in different currencies. Imagine that a non-US commercial banking institution has to transfer a massive amount of US Dollars for one of its big customers to some other account in another financial institution abroad. It would be very inconvenient in this case to have to build up enough reserves of US dollars for this kind of transfers. Instead, big commercial banks worldwide open a correspondent banking relationships with the US federal Reserve in New York and use their VOSTRO accounts there to process such big transfers. Such VOSTRO accounts have typically no limits and do not necessarily need to be credited beforehand. The settlement can happen afterwards, on a regular basis. 2.2 Transferring Money (1/6)
  12. 12. 12 2.2 Transferring Money (2/6)
  13. 13. 13 2.2 Transferring Money (3/6)
  14. 14. 14 2.2 Transferring Money (4/6)
  15. 15. 15 2.2 Transferring Money (5/6)
  16. 16. 16 2.2 Transferring Money (6/6)
  17. 17. 17 SWIFT provides a centralized store-and-forward mechanism, with some transaction management. guarantees secure and reliable delivery of multiple targets and actions messages. SWIFT guarantees are based primarily on high redundancy of hardware, software, and people. Principles Today the SWIFT network can be seen as a highly secured private network over Internet. A financial institution needs to obtain a SWIFT gateway running the SWIFT NetLink software. proprietary hardware running with Linux and requiring a physical security dongle storing cryptographic keys to access the network. SWIFT also provides a whole lot of other software such as SWIFT Alliance Access that can be used by a financial institution to access the SWIFT network with higher level or simpler APIs. SWIFT Network Security it's a private network, and most banks set up their accounts such that only certain transactions between particular parties are permitted. The network privacy means that it should be hard for someone outside a bank to attack the network, but if a hacker breaks into a bank-as was the case here-then that protection evaporates. The Bangladesh central bank has all the necessary SWIFT software and authorized access to the SWIFT network. Any hacker running code within the Bangladesh bank also has access to the software and network. 2.3 Application Architecture - Bengladesh case – (1/x)
  18. 18. 18 The Bangladesh central bank was handling SWIFT connectivity from the Banking Information System to the SWIFT network using the specific SWIFT Alliance Access software running on a bridge server. Alliance Access, integrated the way it was at the Bangladesh banks, was setup to read/write SWIFT messages from/to files on the filesystem (huge security concern !!!) and record transaction information in an Oracle database. In addition, confirmation and reconciliation messages were handled through a manual process after being sent to a printer. 2.3 Application Architecture - Bengladesh case – (2/x)
  19. 19. 19 The hackers created a malware that generated and manipulated key SWIFT messages to withdraw the money from the Bangladesh Central Bank's VOSTRO account at the Fed. SWIFT messages consist of five blocks of the data including three headers, message content, and a trailer. Message types are crucial to identifying content. All SWIFT messages include the literal "MT" (Message Type). This is followed by a three-digit number that denotes the message category, group and type The key SWIFT messages in question here were of the following types: MT103 is used for cash transfer specifically for cross border/international wire transfer. MT202 is the general Financial Institution transfer order, used to order the movement of funds to the beneficiary institution. MT950 is the Final Statement report on all settlement operations with specified account within a current business day. Can be seen as the confirmation for an MT 202. 2.4 Introducing key SWIFT messages (1/x)
  20. 20. 20
  21. 21. 21
  22. 22. 22
  23. 23. 23
  24. 24. 24
  25. 25. 25
  26. 26. 26
  27. 27. 27
  28. 28. 28
  29. 29. 29
  30. 30. 30
  31. 31. 31 A lot of stuff goes through SWIFT, on the small message types subset related to transferring money are interesting. First the MT103 is an information message, basically announcing that a target counterparty account will receive money from an internal (or correspondent) account to be debited. Then the MT202 is the inter-bank transfer order, it applies globally to transfer money from a banking institution to another banking institution, covering all individual account level transfer announces relating to the same target institution. Finally the MT950 is the extract that confirms all executed order. It is the bible and references all positions confirmed and executed by the correspondent bank. It is often an end of day extract used by banking institutions for reconciliations. Again, when it comes to SWIFT messages processing from and to the Banking information System in the Bangladesh case, the important aspects here are: SWIFT messages originating from the Bank IS simply needed to be put on the filesystem somewhere to be "slurped" by the SWIFT Alliance Access software integrated the way is was integrated at Bangladesh Central Bank. Confirmation messages back from the SWIFT network were stored and printed. Reconciliation is a manual process from these printed messages.
  32. 32. 32 3. The Attack
  33. 33. 33 Capitalizing on weaknesses in the security of the Bangladesh Central Bank, hackers attempted to steal around a billion US dollars from the Bangladesh central bank's VOSTRO account with the US Federal Reserve Bank between February 4 and 5 when Bangladesh Bank's offices were closed. The perpetrators managed to compromise Bangladesh Bank's computer network, observed how transfers were done, and gained access to the bank's credentials for payment transfers. They used these credentials to authorize about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the Bangladesh Bank VOSTRO to accounts in Sri Lanka and the Philippines. Thirty transactions worth 851 million USD were flagged by the banking system for staff review, but five requests were granted; 20 million USD to Sri Lanka (later recovered), and 81 million USD lost to the Philippines, entering the Southeast Asian country's banking system on February 5, 2016. This money was laundered through casinos and a little later transferred to Hong Kong. Summary of the attack (1/2)
  34. 34. 34 The attack is impressive and stands out on various levels, in terms of technical means, maturity and complexity for several reasons: Technical Mastery: the usage of a custom Dridex worm to hack the SWIFT Bridge by the bank and likely other malwares to capture the administration credentials In-depth understanding of the worldwide financial market: both the attack shape and the money laundering scheme prove in-depth understanding of financial markets SWIFT knowledge: in-depth Knowledge of the SWIFT messaging details is not that much spread among software engineers Attacking the VOSTRO account of the Bengladesh Central Bank managed at the Fed was brilliant! Such VOSTRO account usually have no limits whatsoever They do not even need to be credited beforehand In addition, since a correspondent bank knows nothing of the customer on behalf the sending bank is acting, its fairly easy to make it believe the transaction is genuine Summary of the attack (2/2)
  35. 35. 35 The hackers used a custom version of the Dridex malware to hack software called SWIFT Alliance Access to both make the transactions and hide the evidence. When a message with one of the search terms was found, the malware would do different things depending on the kind of message. Payment orders were modified to increase the amounts being moved, updating the Alliance database with new values. Confirmation messages from the SWIFT network were also modified. Confirmations are printed and stored in the database. Before being printed, the malware would alter the confirmations to show the original, correct transaction value; it also deleted confirmations from the Alliance database entirely. It's still not clear how the initial transactions were entered into the system to trigger the malware in the first place. 3.1 Behaviour of the malware (1/3)
  36. 36. 36 The SWIFT network key components haven't been compromised, the malware was targeting the Bangladesh Central Bank's own bride to the SWIFT infrastructure running the SWIFT Alliance Access Software: 3.1 Behaviour of the malware (2/3)
  37. 37. 37 If an organization can't keep its endpoint secure, it leaves itself very vulnerable to being electronically robbed. The bank lacked any firewalls and was using second-hand $10 switches on its network. These switches did not allow for the regular LAN to be segmented or otherwise isolated from the SWIFT systems. The lack of network security infrastructure has also hindered the investigation. It's still not known how the hackers penetrated the network, but it looks like the bank didn't make it difficult for them to do so. How the attackers obtained administration credentials is also still unclear. They might have obtained these credentials by using another malware or by exploiting a remotely available vulnerability (not impossible considering the weak security practices in place in the Bangladesh Central Bank) or it might also have been an insider job. So far there are only speculations in this regards. 3.1 Behaviour of the malware (3/3)
  38. 38. 38 3.1.1 Forging fraudulent SWIFT messages (1/3) Simplifying a bit the reality, we can picture the malware as forging fraudulent SWIFT messages as follows:
  39. 39. 39 3.1.1 Forging fraudulent SWIFT messages (2/3)
  40. 40. 40 3.1.1 Forging fraudulent SWIFT messages (3/3)
  41. 41. 41 3.1.2 Forging fraudulent SWIFT messages (1/3) Here as well, by simplifying a little the reality, we can picture the malware as intercepting SWIFT confirmations as follows:
  42. 42. 42 3.1.2 Forging fraudulent SWIFT messages (2/3)
  43. 43. 43 3.1.2 Forging fraudulent SWIFT messages (3/3)
  44. 44. 44 What we know of the malware: codenamed Dridex filenamed evtdiag.exe, designed to hide the hacker's tracks by changing information on a SWIFT database within Alliance Access contained the IP address of a server in Egypt the attackers used to monitor the use of the SWIFT system by Bangladesh Bank staff. was compiled close to the date of the heist, contained detailed information about the bank's operations was uploaded from Bangladesh. While that malware was specifically written to attack the Bangladesh Bank, the general tools, techniques and procedures used in the attack may allow the gang to strike again and as a matter of fact there have been attempts discussed by Reuters. It was likely part of a broader attack toolkit that was installed after the attackers obtained administrator credentials. 3.1.3 The Malware (1/2)
  45. 45. 45 The malware was designed to make a slight change to the code of the Access Alliance software installed at the Bangladesh Central Bank, giving attackers the ability to modify a database that logged the bank's activity over the SWIFT network. It could delete records of outgoing transfer requests from the database and also intercept incoming messages confirming transfers ordered by the hackers. It also able to manipulate account balances on logs to prevent the heist from being discovered until after the funds had been laundered. The malware also manipulated the stream of confirmations sent to a printer that produced hard copies of transfer requests so that the bank would not identify the attack through those printouts. This part went wrong and led the printer to crash. 3.1.3 The Malware (2/2)
  46. 46. 46 3.2 Complete overview of the attack (1/8) On February 4, likely after months of preparation, organizationally and technically, gaining access to the systems, developing the custom Dridex worm, obtaining credentials, infecting the systems, etc. The hackers launched the attack.
  47. 47. 47 3.2 Complete overview of the attack (2/8) On February 4, unknown hackers sent more than three dozens of fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank's VOSTRO account to bank accounts in the Philippines, Sri-Lanka and other parts of Asia.
  48. 48. 48 3.2 Complete overview of the attack (3/8) The hackers managed to get 81 million USD sent to Rizal Commercial Banking Corporation (RCBC) in the Philippines via four different transfer requests and an additional 20 million USD sent to Pan Asia Banking in a single request.
  49. 49. 49 3.2 Complete overview of the attack (4/8) Fortunately 850 million USD in other transactions managed to be saved initially (thx to the Fed). the losses could have been much higher had the name ”Jupiter” not formed part of the address of a Philippines bank account where the hackers sought to send hundreds of millions of dollars more. “Jupiter” was the name of an oil tanker and a shipping company under United States' sanctions against Iran. That sanctions listing triggered concerns at the Fed.
  50. 50. 50 3.2 Complete overview of the attack (5/8) The 81 million USD was deposited into three accounts at a Rizal branch in Manila on Feb. 4. These accounts had all been opened a year earlier in May 2015, but had been inactive with just 500 USD sitting in them until the stolen funds arrived in February this year.
  51. 51. 51 3.2 Complete overview of the attack (6/8) Another 20 million USD intended to be sent to Pan Asia Banking have been blocked later in the correspondent bank funds transfer routing process (Deutsche Bank). the hackers misspelled the name of a non-existent NGO, Shalika Foundation, by writing "fandation" instead of "foundation". This prompted the Deutsche Bank, a routing bank, to seek clarification from the Bangladesh central bank, thereby stopping the transaction.
  52. 52. 52 3.2 Complete overview of the attack (7/8) But the 81 million USD that went to Rizal Bank in the Philippines was gone. It had already been credited to multiple accounts, reportedly belonging to casinos in the Philippines They were transferred by a money transfer (remittance) company Philrem Services Corporation.
  53. 53. 53 The printer error A printer "error" helped Bangladesh Bank discover the heist. The bank's SWIFT bridge (running Alliance Access) was configured to automatically print out confirmations back from correspondent banks. The printer works 24 hours so that when workers arrive each morning, they check the tray for transfers that got confirmed overnight. But on the morning of Friday February 5, the director of the bank found the printer tray empty. When bank workers tried to print the reports manually, they couldn't. The software on the terminal that connects to the SWIFT network indicated that a critical system file was missing or had been altered. The problem is deemed to be an unwanted bug with the worm, a failure in the attack if one likes, since the worm was programmed to remove confirmation of fraudulent payments from the confirmation stream being sent to the printer. When they finally got the software working the next day and were able to restart the printer, dozens of suspicious transactions spit out. The Fed bank in New York had apparently sent queries to Bangladesh Bank questioning dozens of the transfer orders, but no one in Bangladesh had responded. Fortunately, in this case, the Fed clarification requests and the Deutsche Bank request would have anyway alerted the bank, so even if the worm had functioned correctly, the bank would have been made aware of the attack. 3.2 Complete overview of the attack (8/8)
  54. 54. 54 3.3 Timeline of the attack (1/9) In every movie about bank robberies, timing is presented as critical. Here as well timing has been an essential concern and brilliantly mastered by the attackers.
  55. 55. 55 3.3 Timeline of the attack (2/9)
  56. 56. 56 3.3 Timeline of the attack (3/9)
  57. 57. 57 3.3 Timeline of the attack (4/9)
  58. 58. 58 3.3 Timeline of the attack (5/9)
  59. 59. 59 3.3 Timeline of the attack (6/9)
  60. 60. 60 3.3 Timeline of the attack (7/9)
  61. 61. 61 3.3 Timeline of the attack (8/9)
  62. 62. 62 The timing was perfect ! A unique Week-End preceded by a business holiday in Bengladesh and followed by a the Chinese New Year holiday in the Philippines. An ideal situation ! The Fed couldn't get the required clarification from Bangladesh Bank on the next day, because of banking holidays in Bengladesh, and as such didn't attempt to recover the 5 orders that passed immediately. On Monday, the stop orders sent by the Bangladesh bank couldn't be processed by the RCBC to freeze the funds since it was a banking holiday in Philippines. In addition, the chinese new-year and the volume of exchanges in casinos at such occasion made the laundering of the money straightforward, not to mention the Philippines weak AML laws and practices. 3.3 Timeline of the attack (9/9)
  63. 63. 63 Getting the money out is also difficult ! Here the laundering scheme was both easy and magnificent. money has been laundered through the Philippines. The 81 million USD was sent to the Philippines to accounts at the Rizal Commercial Banking Corp (RCBC) held by two Chinese nationals (false identities). The money was moved to several Philippine casinos and then subsequently to international bank accounts. Laundering money in a Casino is fairly straightforward... Philippine casinos are exempted of anti-money laundering law that requires them to report suspicious transactions, making them an attractive target for this kind of crime. The volumes and the kind of operations during Chinese New-Year makes everything absolutely untraceable. Bamm ! Done. Money Laundered. 3.4 Laundering of the money
  64. 64. 64 4. Aftermath
  65. 65. 65 What Does the Heist Mean? Even if the hackers didn't compromise the SWIFT network itself, such that all of SWIFT banks were vulnerable, it's still bad news for the global banking system. By targeting the methods that financial institutions use to conduct transactions over the SWIFT network, the hackers undermine a system that until now had been viewed as stalwart. 4. Aftermath (1/6)
  66. 66. 66 Who's to Blame? Only the attackers of course ! But still, without such amazing security weaknesses in the Bengladesh Central Bank and with better control and stricter procedures in place at the Fed, the attack would not have been possible. Of course, the Bangladesh Bank blames the Fed for allowing the money transfers to go through instead of waiting for confirmation from Bangladesh. The Fed counters that it contacted the bank to question and verify dozens of suspicious transfers and never got a response. Authorities at the Fed said that workers followed the correct procedures in approving the five money transfers that went through and blocking 30 others. Bangladesh Bank says the Fed bank should have blocked all money transfers until it got a response on the ones it deemed suspicious. And so on ... 4. Aftermath (2/6)
  67. 67. 67 The Bengladesh Bank Aside from the loss of money, the Central Bank's governor, Atiur Rahman has resigned due to the incident. The bank promised to improve their cyber-security and ensure this kind of bank heist is prevented in the future. 4. Aftermath (3/6)
  68. 68. 68 The Fed The immediate result of the breach for the New York Fed is a claim from the Bangladesh Bank for payment of lost funds and a potential lawsuit. The Fed focused security resources on other priorities, such as preventing money-laundering and enforcing U.S. economic sanctions, officials with knowledge of the bank's security operations told Reuters. Fed officials took some comfort in the fact that SWIFT's security software had never been cracked. The Bengladesh heist forced the Fed to invest massively in Fraud prevention solutions and better transaction monitoring systems. 4. Aftermath (4/6)
  69. 69. 69 Philrem services The Philippine central bank has revoked the license of a remittance company that anti-money laundering investigators said was used to transfer some of the 81 million USD hackers looted from the Bangladesh central bank. The Anti-Money Laundering Council (AMLC) issued a complaint against Philrem Service Corporation on April 28, accusing it of creating a fog around transactions and washing the stolen funds via a web of transfers and currency conversions through Philippine bank accounts, before moving the cash through casinos in Manila and junket operators. 4. Aftermath (5/6)
  70. 70. 70 The Philippines The Philippines' involvement in the 100 million USD Bangladesh Bank heist, which has risked its return to the FATF gray list, showed the urgency of putting more teeth into the Anti-Money Laundering Act (AMLA). The law, which was first introduced in 2001, left casinos out of the list of entities required to report suspicious transactions to the AMLC. There were efforts in the Senate to include this provision in the amended AMLA in 2013, but this was blocked by some lawmakers and casinos lobbies. 4. Aftermath (6/6)
  71. 71. 71 5. Conclusion
  72. 72. 72 The heist scares the whole financial system worldwide If the hackers had indeed managed to get away with the terrifyingly large amount of 1 billion USD, this would have easily been the biggest bank heist in history, not to mention cyber heist. Interestingly, these kinds of attacks will be increasingly common and if banks aren't updating their security processes and maintaining their network infrastructures, and the success rates of these attacks will only go up. Imagine the following if the worm had functioned correctly and not blocked the printer, if the Deutsche bank didn't find the typo, if the Fed didn't become suspicious because of the Jupiter keyword, Then the attack might have been a complete success. Not only the attackers would have successfully withdrawn almost one billion US dollars from the Bangladesh bank VOSTRO account at the Fed, but the attack might have been noted only weeks after the facts. 5. Conclusions (1/2)
  73. 73. 73 Imagine that the same attack succeeds against european bank for instance In the US and in Europe, the SWIFT interfaces are integrated in an STP (Straight Through Processing) way. There is no such thing as manual reconciliation from some papers printed on a printer. The handling of confirmations and position reconciliation is mostly completely automated. As such, the same attack succeeding in Europe for instance might take months to be discovered and uncovered, only a the moment the big position reconciliations between NOSTRO and VOSTRO accounts in correspondent banks are triggered. Even further, imagine that one of these banks at stakes suspects something They would use SWIFT again to reconcile their views of the truth (MT109 and MT999). These messages can be hacked just as well, in which case the theft may remain uncovered for months. 5. Conclusions (2/2)
  74. 74. 74 Thanks for listening

×