Cyberheist risk is here to stay

Imagine, just for a moment, stealing $951 million. What factors would you consider in accomplishing such a thing? Identifying the location of that much cash in one place for a start. Then gaining access to it, overcoming defence-in-depth including reinforced walls, floors and ceilings, 24-hour closed circuit television, combined with lighting, movement sensors, sluice gate entry and exits, vehicle barriers, time lock vaults, and a guard force which perhaps also uses dogs. Plus maybe a Quick Reaction Force provided by paramilitary law enforcement, or the military itself, not to mention their weapons, training and capabilities. How would you transport that amount of cash, and to where? A small truck and a number of additional criminals are needed to move the 9.5 tonnes of $100 bills, if using one vehicle, to a safe location. Provided you were not followed and caught in transit, that is. On balance, the likelihood of success could be considered as rather small.

So we can understand why the criminal mind finds it so attractive to attempt a cyberheist. Unfortunately, such minds are usually first to take advantage of loopholes in technology and processes. Add in good planning, the ability to transfer funds across international borders to relatively safe locations, and an insider or two within the bank to help facilitate matters, and we can see that the odds of success are much increased. Criminals will naturally target organisations perceived to have fewer defences, or less effective defences, in place than similar organisations.

In February 2016, the Central Bank of Bangladesh was targeted in an attempted cyberheist of $951 million. The consequences were huge: a national embarrassment, resignation of the chief governor of the Central Bank, resignation of the president of a commercial bank in the Philippines, and the financial regulator of that country imposing its largest ever fine of $52 million upon that commercial bank. External experts were required to find out what had gone on and how. As the story slowly emerges, it sheds light on the planning required for activity of this scale. It was not the first attempt. Banks in Vietnam and Ecuador had previously been targeted, as had another Bangladeshi bank in 2013, where $250 thousand was stolen in what may be considered a rehearsal.

Planning and preparation included opening numerous bank accounts using fictitious names in Sri Lanka and the Philippines, and probably other countries too. Having various routes to help change the stolen funds into various other forms, such as different currencies or casino chips, was required. This throws smoke across the money laundering trail, and delays the law enforcement pursuit, which inevitably follows, slowed even more by those same international borders.

Open source information indicates that electronic entry was gained to the Central Bank’s network by a criminal party from outside the country. This may have been facilitated by simple negligence or a lack of knowledge on the part of a bank employee, or by an insider actively leaving open a method of entry for them to gain access. Malicious software was installed a few weeks before the cyberheist, and appeared to harvest sensitive information concerning the SWIFT (Society for Worldwide Interbank Financial Communication) network, which is used by 11,000 banks around the world. It allowed the criminals to mimic a legitimate organisation and issue instructions for the transfer of funds from the Central Bank, across international borders, to other financial firms, which ultimately had those fictitious accounts.

The malicious software also massaged the confirmation messages required of a normal SWIFT transaction, by not allowing those messages to be printed. Anomalies would otherwise have been noticed by bank employees on the printed copies. A delay in printing was all that was required. The criminals needed to accelerate the movement of funds and change it into other monetary forms, so there was a specific time window in play. This was lengthened by conducting the cyberheist immediately before a weekend. The criminals needed to maximise their opportunity before the window was closed by any of a number of legitimate actors noticing something amiss.

Noticing anomalies did not take long, helping limit that window of opportunity. Transactions routed via Deutsche Bank and Pan Asia Bank were queried by those firms. Five transactions totalling $101 million were successfully withdrawn from a Bangladesh bank account. Of this, $81 million was routed to the Philippines, where all but $18 million evaporated into other monetary forms and then disappeared. Why route to the Philippines? Because there are gaps in its laws regarding the casino industry, hence changing funds into gambling chips, and so forth. Another $20 million routed to Sri Lanka was recovered successfully. The Federal Reserve Bank of New York blocked a further 30 transactions, at the request of the Central Bank of Bangladesh, totalling $850 million.

It is sobering to think of the detrimental impact on the country of Bangladesh, should all $951 million have disappeared. Massive economic consequences, no doubt, most probably leading to social ones too. The $63 million stolen is not a trivial amount. We can be sure that there are others who will look to penetrate any weaknesses in a central bank’s defences, facilitated by willing or coerced insiders. No doubt India is doing all it can to dissuade criminals from targeting its critical national infrastructure and assets; however, a thorough audit of its current cyber defences would be a prudent measure. The cyberheist risk is here to stay.

Peter Probert is Director of Spearhead Advisory Ltd.
