Bangladesh Bank Heist
Mohammed Jaseem
Agenda
1. Abstract
2. Introduction
3. Case Presentation
4. Discussion
5. References
10-03-2021 CPT Case Study 2
Abstract
The Bangladesh Bank heist was a series of unauthorized transactions issued
from an official computer of the central bank of Bangladesh. The transactions
were made over the SWIFT system to move the money into accounts in Sri Lanka
and the Philippines. The amount targeted by the theft was nearly $1 Billion,
but most of the payment orders were blocked and some of the stolen assets
have since been recovered. The attack has currently been attributed to the
hacker group Lazarus and to North Korea.
Introduction
As cyberspace has become an embedded element of contemporary society, banks
too have become vulnerable to cyber attacks. Financial transactions all over
the world are conducted digitally via computer networks, and banks are
struggling with security issues in a never-ending race against malicious
hacker groups. Banks have traditionally been perceived as trustworthy actors
when it comes to cyber security, but history knows multiple cases of
successful cyber attacks against banks. These successful and devastating
attacks have also led to a growing fear of cyber attacks among banks
(Schuetze, 2016; Kuepper, 2017).
11-03-2020 CPT Case Study
Case Presentation: Timeline of the attack
Timeline of the attack
• The first preparations for the Bangladesh Bank attack were made in May 2015,
when four bank accounts were opened in a Philippine bank in readiness for the
future transactions. None of the accounts was used until the day of the attack;
they were clearly established for the attack only.
• The first failure in the audit process was that none of these accounts or
their owners was verified, either to check the validity of the owners or of
the transactions.
• Such a procedure is not unusual when a bank account is opened, but the bursts
of activity that occurred in February 2016 should have triggered actions under
sound audit procedures.
• The breach of the Bangladesh Bank was made in January 2016.
• Access to the bank's servers made it possible to reach the SWIFT network and
inject malware into it, as the SWIFT systems were not separated from the other
parts of the network.
• It is very likely that the attackers also installed a keylogger to obtain the
passwords used to authorize the transactions.
• The target of the attack was the SWIFT Alliance Access software, which is
widely used in banks around the world.
• The attack itself was started on February 4, 2016 by issuing 35 payment
instructions worth $951M to the Federal Reserve Bank.
• The first five transactions were completed, but the remaining ones were
successfully blocked, partly because of mistakes made by the attackers.
• The payments were destined for the Philippines and Sri Lanka and were worth
about $100M.
• The unauthorized messages were noticed in the Bangladesh Bank on February 8.
Case Presentation: Detection
Detection
• The Guardian (2016b) reported that a bank heist worth almost 1 billion US
dollars had been averted thanks to a spelling mistake in a payment
transaction, which prevented the automatic system from completing the
transaction.
• As a result, Deutsche Bank flagged the transaction as suspect.
• Nevertheless, as the transaction had been approved by the Fed, it was
forwarded to Sri Lanka. There, the transaction was caught by a banking
official in the receiving bank, as the transfer was unusually large for Sri
Lanka.
• Before clearing the transfer, the Sri Lankan official contacted Deutsche
Bank, which responded that the transfer was indeed suspect.
• As the recipient turned out to be a fake entity, the bank was able to freeze
the funds and ultimately return them to the originating bank.
• Out of the reported total of $870m across all transactions, the attackers
managed to transfer only $81m.
• The Fed alerted the central bank of Bangladesh after detecting that the
number of transfers to non-banking entities had surged. Without the spelling
mistake and the diligent work of banking officials, the attackers could have
got away with a far more substantial sum after successfully inserting the
forged transactions into the SWIFT network.
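As an added illustration (not part of the original presentation), the Python screening routine below encodes the signals that caught the fraudulent orders described here, plus the weekend timing gap raised in the Conclusion: a near-miss beneficiary name, an amount far above the corridor's baseline, a surge of transfers to non-banking entities, and receipt outside business days. The sample orders, the registered beneficiary names and the thresholds are constructed for the example.

```python
import difflib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass
class PaymentOrder:
    ref: str
    received_at: datetime      # when the instruction reached the screening bank
    amount_usd: float
    beneficiary: str
    beneficiary_is_bank: bool  # non-bank recipients were the anomaly the Fed noticed
    country: str

# Constructed sample batch (not real case data): a weekend burst of large
# instructions, mostly to non-bank recipients, one with a near-miss name.
REGISTERED_BENEFICIARIES = ["Example Foundation Trust", "Example Bank Ltd"]
SAMPLE_ORDERS = [
    PaymentOrder("TX1", datetime(2016, 2, 5, 16, 0), 2_500_000, "Example Bank Ltd", True, "LK"),
    PaymentOrder("TX2", datetime(2016, 2, 6, 2, 15), 20_000_000, "Example Fundation Trust", False, "LK"),
    PaymentOrder("TX3", datetime(2016, 2, 6, 2, 16), 25_000_000, "Constructed Casino Corp", False, "PH"),
    PaymentOrder("TX4", datetime(2016, 2, 6, 2, 17), 30_000_000, "Constructed Remittance Inc", False, "PH"),
]

def near_miss(name, registered, cutoff=0.85):
    """Registered name that `name` almost, but not exactly, matches; None otherwise."""
    if name in registered:
        return None
    close = difflib.get_close_matches(name, registered, n=1, cutoff=cutoff)
    return close[0] if close else None

def screen_orders(orders, baseline_avg_usd, size_multiplier=10, nonbank_burst=3):
    """Map order reference -> list of reasons it should be held for human review."""
    findings = defaultdict(list)
    nonbank_total = sum(1 for o in orders if not o.beneficiary_is_bank)
    for o in orders:
        if o.amount_usd >= size_multiplier * baseline_avg_usd:
            findings[o.ref].append("amount far above corridor baseline")
        if o.received_at.weekday() >= 5:  # Saturday/Sunday: human review is delayed
            findings[o.ref].append("received on a weekend: human review delayed")
        if not o.beneficiary_is_bank and nonbank_total >= nonbank_burst:
            findings[o.ref].append("part of a surge of transfers to non-banking entities")
        hit = near_miss(o.beneficiary, REGISTERED_BENEFICIARIES)
        if hit:
            findings[o.ref].append(f"beneficiary name is a near-miss of registered '{hit}'")
    return dict(findings)

def orders_to_hold(orders, baseline_avg_usd):
    """Sorted references that must not be released automatically."""
    return sorted(screen_orders(orders, baseline_avg_usd))
```

With a constructed corridor baseline of $500,000, TX1 (a weekday transfer to a registered bank) passes while TX2 to TX4 are held, TX2 on all four grounds.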
Case Presentation: Identity of the attacker
Identity of the attacker
• Although the attacker tried to remove all evidence from the bank's systems,
Kaspersky (2017a) managed to access some of the data through backups of the
systems.
• The recovered files indicate that the techniques and tools used in the
attack can be linked to a group known as Lazarus.
• Kaspersky summarizes the activities of the Lazarus group as
follows:
“Its malware has been found in many serious cyberattacks, such as the
massive data leak and file wiper attack on Sony Pictures Entertainment in 2014;
the cyberespionage campaign in South Korea, dubbed Operation Troy, in 2013;
and Operation DarkSeoul, which attacked South Korean media and financial
companies in 2013.”
• The malware is identical to the malware used in some of the incidents
mentioned above.
• Even though parts of the code have been modified, probably in order to
change the signature of the malware and avoid detection by automated
traffic-analysis tools, the malware samples from the different incidents
share some obscure techniques, which suggests that the payload used in both
attacks could come from the same author or group.
• One of the obscure techniques found by Kaspersky (2017a) is the complete
overwriting of a file's contents and renaming of the file before deletion.
Overwriting the file content, possibly multiple times, is commonly used to
try to remove the data from the physical device and hinder forensic data
recovery attempts.
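To show how the overwrite-rename-delete pattern just described would surface in a forensic review, here is an added Python example (not from Kaspersky or the original slides) that walks a constructed file-activity audit log and reports files that were written, renamed and unlinked within a short window. The log line layout, the paths and the 30-second window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed audit-log excerpt (not from the case): two files are overwritten,
# renamed and unlinked within seconds; a third is simply deleted the next morning.
SAMPLE_LOG = """\
2016-02-05T23:58:01Z WRITE  path=/srv/app/out/msg001.txt bytes=4096
2016-02-05T23:58:01Z WRITE  path=/srv/app/out/msg001.txt bytes=4096
2016-02-05T23:58:02Z RENAME path=/srv/app/out/msg001.txt new=/srv/app/out/x1
2016-02-05T23:58:02Z DELETE path=/srv/app/out/x1
2016-02-05T23:58:03Z WRITE  path=/srv/app/out/msg002.txt bytes=8192
2016-02-05T23:58:04Z RENAME path=/srv/app/out/msg002.txt new=/srv/app/out/x2
2016-02-05T23:58:05Z DELETE path=/srv/app/out/x2
2016-02-06T09:00:00Z DELETE path=/srv/app/out/msg003.txt
"""
# Assumed line layout: "<ISO time> <OP> path=<p> [bytes=<n>] [new=<p>]"
LINE_RE = re.compile(r"^(\S+)\s+(WRITE|RENAME|DELETE)\s+path=(\S+)(?:\s+bytes=(\d+))?(?:\s+new=(\S+))?$")

def parse_log(text):
    """Turn the log into (timestamp, op, path, bytes, new_path) tuples, skipping unknown lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, op, path, nbytes, new = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), op, path, int(nbytes or 0), new))
    return events

def find_wipe_sequences(events, window=timedelta(seconds=30)):
    """Original paths that were overwritten, renamed and then deleted within `window`.

    Returns (original_path, number_of_overwrites) pairs in log order."""
    writes = {}   # path -> (time of first write, write count)
    renamed = {}  # new name -> (original path, write count, time of rename)
    hits = []
    for ts, op, path, _nbytes, new in events:
        if op == "WRITE":
            first_ts, count = writes.get(path, (ts, 0))
            writes[path] = (first_ts, count + 1)
        elif op == "RENAME" and path in writes:
            first_ts, count = writes.pop(path)
            if ts - first_ts <= window:
                renamed[new] = (path, count, ts)
        elif op == "DELETE" and path in renamed:
            orig, count, rename_ts = renamed.pop(path)
            if ts - rename_ts <= window:
                hits.append((orig, count))
    return hits
```

A plain delete (msg003 in the sample) is not reported; only the full overwrite, rename, delete chain is, together with how many overwrite passes preceded it.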
• However, when combing through the logs of a more recent incident linked to
the Lazarus group, Kaspersky (2017b) found a link to North Korea.
• While criminals usually mask their real location and IP addresses by using
VPN services and proxies, the server logs of a seized command-and-control
server indicated that the server had been accessed once from a North Korean
IP address.
• While an IP address is not really solid evidence of North Korea's
involvement in the group's activities, it is nevertheless compelling to
consider that the connection could indeed have originated from the operator's
real IP address.
• It is entirely possible that either human error or misconfiguration led
some of the operator's network traffic to be routed directly to the host
instead of through the network of proxies and VPNs.
Discussion: Conclusion
Conclusion
• In addition to the monetary loss of $81m, the incident severely harmed trust
in the IT systems of the global banking sector.
• SWIFT's model seems to have failed to provide a layered security approach,
which allowed the attackers to exploit the system without compromising the
core servers of the SWIFT network.
• SWIFT has taken action and warned its member banks about the growing threat
against the financial network, but the potential scale of damage shown by the
Bangladesh Central Bank case calls for more concrete measures: a system-level
revision of the financial network.
• Weekend protocols should also be considered a vulnerability in the banking
sector.
• The success of the heist relied largely on timing over the weekend: the lack
of sufficient monitoring and of means of communication during the weekend
meant that the unauthorized transactions were not noticed until four days
after the attack.
• Kaspersky, although a Russian company, has also pointed to North Korea's
possible involvement in the bank heists conducted by Lazarus. Whichever
person or organization was eventually behind the bank heist, the most
important thing is to focus on revising and enhancing the cybersecurity of
financial messaging networks and the cybersecurity strategies of individual
banks.
“Unless and until our society recognizes
cyber bullying for what it is, the suffering
of thousands of silent victims will
continue”
Anna Maria Chavez
Thank you
Mohammed Jaseem
Jaseem@relicstudio.dev
www.jaseem.tech
