Criminals in BB heist likely studied bank’s inner workings

The perpetrators of a $100 million digital heist at Bangladesh’s central bank had deep knowledge of the institution’s internal workings, likely gained by spying on bank workers, security experts said.

Unknown hackers breached Bangladesh Bank in early February, stole credentials for payment transfers and then ordered transfers out of a Federal Reserve Bank of New York account held by Bangladesh Bank (BB), according to Bangladesh Bank officials.

Bangladesh government officials blamed the Fed for the attack when they disclosed the loss. The New York Fed responded on Tuesday saying there was no evidence its systems were compromised in the attack, one of the biggest bank thefts in history.

The Fed said it followed normal procedures when responding to requests that appeared to be bbfrom Bangladesh Bank, which were made and authenticated over SWIFT. Belgian-based SWIFT, a member-owned cooperative that banks use for account transfer requests and other secure messages, declined to comment on specifics of the case.

Security experts said that to pull off the attack, cyber criminals had to first gather information about Bangladesh Bank’s procedures for ordering transfers, so that the fraudulent requests would not raise red flags.

In addition to stealing credentials for processing transfers, the hackers likely spied on Bangladesh Bank staff to get a deep understanding of the central bank’s operations, according to experts in banking fraud.

Kayvan Alikhani, a senior director with security firm RSA, said that in addition to user names and passwords for accessing SWIFT, the hackers likely needed to obtain cryptographic keys that authenticated the senders.

Such certificates can be copied and used by impostors if they are not properly secured, he said.

“You are only as good as your weakest link when getting access to the SWIFT network and doing a transfer,” Alikhani said.

In a round of robberies disclosed last year, a group dubbed the Carbanak gang hacked into a number of banks around the world, seized control of computers that access SWIFT, then ordered fraudulent transfers.

They siphoned money through SWIFT after observing how bank employees crafted their messages so they could follow correct protocols, said Juan Guerrero, a researcher with Kaspersky Lab, which studied the campaign.

“The genius of the attacker in the Carbanak case is taking the time to learn directly from the victim and thus bypass fraud prevention measures through sheer mimicry,” Guerrero told Reuters.

Another hacking method that could have been used is known as “social engineering,” where attackers play on human psychology to manipulate victims.

They get that information by hacking email accounts of employees who process transfers, said Tom Kellermann, a former member of the World Bank’s security team.

“They sit and watch regular communications to understand when somebody would be most receptive to a specially crafted social-engineering email instructing them to make the transfer,” said Kellermann, now chief executive of investment firm Strategic Cyber Ventures.

(Reporting by Jim Finkle; Editing by Jonathan Weber and Phil Berlowitz, Reuters)