Bangladesh Bank Robbers Compromised Global Financial System to Hide Their Tracks
Network intrusion; Unauthorized use of system administrator privileges; Software vulnerability
The attackers who, as reported earlier, stole $81 million from the Bangladesh central bank in February probably hacked into software from the SWIFT financial platform that is at the heart of the global financial system, according to BAE Systems security researchers.
SWIFT says it is aware of malware targeting its client software, called Alliance Access. An organization spokeswoman said SWIFT on April 25 released a software update to block the malware, plus a warning for financial institutions to scrutinize their security procedures.
New evidence suggests that hackers manipulated the Alliance software, which banks use to interface with SWIFT's messaging platform, in a bid to cover up fraudulent transfers that had been ordered.
A BAE alert includes some technical indicators that banks can use to thwart similar attacks. Those indicators include the IP address of a server in Egypt the attackers used to monitor use of the SWIFT system by Bangladesh Bank staff.
The malware, named evtdiag.exe, was designed to hide the hackers' tracks by altering information in the SWIFT database at Bangladesh Bank that logs transfer requests.
The malware was likely part of a broader attack toolkit that was installed after the attackers obtained administrator credentials. It is still not clear exactly how the hackers ordered the money transfers.
BAE found evtdiag.exe on a public malware repository and had not directly analyzed the infected servers.
The malware was compiled close to the date of the heist, contained detailed information about the bank's operations and was uploaded from Bangladesh.
While that malware was specifically written to attack Bangladesh Bank, the general tools, techniques and procedures used in the attack may allow the gang to strike again.
Once it has established a foothold, the malware can delete records of outgoing transfer requests from the database and also intercept incoming messages confirming transfers ordered by the hackers.
It can then manipulate the account balances shown in the logs so that the heist is not discovered until after the funds have been laundered.
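The passage above describes tampering with the bank's own record of transfers and with the balances it reports. The defender's counterpart is an independent reconciliation: comparing the local record against confirmations received through a channel the attacker does not control. The following Python is an added example, not code from BAE Systems, SWIFT or the article; the file formats, field names, transaction references and amounts are all constructed for illustration and are not Alliance Access formats. It shows how a deleted local record and an edited balance both surface as discrepancies.

```python
# Added example (not from the BAE report or the article): an offline
# reconciliation check that compares a bank's own record of outgoing
# transfer requests with confirmation messages obtained through an
# independent channel, so that records deleted from the local database
# and balances edited in the local logs show up as discrepancies.
# All file formats, field names and sample values here are constructed
# for the example and are not SWIFT or Alliance Access formats.
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    ref: str            # transaction reference (constructed)
    amount: Decimal     # amount debited from the account
    beneficiary: str    # receiving institution (constructed label)


def parse_transfers(text: str) -> dict[str, Transfer]:
    """Parse constructed 'ref, amount, beneficiary' lines into a dict keyed by ref."""
    out: dict[str, Transfer] = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ref, amount, beneficiary = (p.strip() for p in line.split(","))
        out[ref] = Transfer(ref, Decimal(amount), beneficiary)
    return out


def reconcile(local: dict[str, Transfer], confirmed: dict[str, Transfer],
              opening_balance: Decimal, reported_closing: Decimal) -> dict:
    """Compare the local record and its reported balance with independent confirmations.

    Returns refs that were confirmed but are absent locally (records deleted
    from the local database), refs whose amount differs between the two
    sources, and the gap between the closing balance implied by the
    confirmed debits and the closing balance the local log reports.
    """
    missing_locally = sorted(set(confirmed) - set(local))
    amount_mismatch = sorted(
        ref for ref in set(confirmed) & set(local)
        if confirmed[ref].amount != local[ref].amount
    )
    total_confirmed = sum((t.amount for t in confirmed.values()), Decimal(0))
    expected_closing = opening_balance - total_confirmed
    return {
        "missing_locally": missing_locally,
        "amount_mismatch": amount_mismatch,
        "expected_closing": expected_closing,
        "reported_closing": reported_closing,
        "balance_gap": reported_closing - expected_closing,
    }


# Constructed sample data. The local export lacks TX-003, which an attacker
# able to edit the database would have removed after ordering it.
LOCAL_EXPORT = """
# ref, amount, beneficiary
TX-001, 250000.00, BANK-A
TX-002, 120000.00, BANK-B
"""

# Confirmations obtained through an independent channel (constructed).
CONFIRMATIONS = """
TX-001, 250000.00, BANK-A
TX-002, 120000.00, BANK-B
TX-003, 500000.00, BANK-C
"""

OPENING_BALANCE = Decimal("1000000.00")
# Closing balance as shown in the tampered local log: only TX-001 and
# TX-002 appear to have been debited.
REPORTED_CLOSING = Decimal("630000.00")


def run_sample() -> dict:
    """Run the reconciliation over the constructed sample data."""
    local = parse_transfers(LOCAL_EXPORT)
    confirmed = parse_transfers(CONFIRMATIONS)
    return reconcile(local, confirmed, OPENING_BALANCE, REPORTED_CLOSING)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample data the check reports TX-003 as confirmed but missing locally and a balance gap equal to its amount, which is exactly the signal a tampered local log would otherwise hide. The design point is that the confirmations must come from a source the compromised host cannot rewrite; reconciling a database against logs on the same machine proves nothing.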
Adrian Nish, BAE's head of threat intelligence, said he had never seen such an elaborate scheme by criminal hackers.
"I can't think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in," he said. "I guess it was the realization that the potential payoff made that effort worthwhile."
April 25, 2016
Date breach occurred: 6th February 2016 and a couple of days prior