In February this year, hackers broke into Bangladesh Bank and attempted to steal $951 million from the central reserve. The heist took six months to plan and a mere four days to execute, and the attackers believed they had erased every trace that they had ever been there. They were wrong.
Within months, intelligence teams, including the one at BAE Systems, had not only recovered the hackers' code and worked out how they planned the attack, but had also linked it to the Sony Pictures hack of 2014 and to a toolset used by a North Korean criminal gang.
Comparing the bank heist to the casino robbery in the George Clooney film Ocean's Eleven, Adrian Nish, head of threat intelligence in BAE Systems' UK Applied Intelligence division, detailed the preparation, the code used and how intelligence helped trace the source at this year's inaugural WIRED Security event.
"The attackers had several stages they had to go through. Firstly, the set-up. Just like in Ocean's Eleven, there was a lot of planning put in place to get the right team members," Nish explained.
"This started in May 2015, almost six months before, when the attackers set up bank accounts in Manila in the Philippines, and in Sri Lanka. They then broke into the bank's network and waited for the perfect moment to strike."
This strike came on Thursday, February 4 2016. In Bangladesh, Thursday is the end of the working week, so the attackers waited until the last possible moment to launch. The following Monday was also Chinese New Year, so banks in the Philippines would be closed.
This gave the criminals a four-day window to execute the heist and leave relatively unseen.
In total, the gang attempted to make 35 transactions, all sent through the Federal Reserve in New York, where Bangladesh held its foreign reserves. Of these, five were let through and only one was detected as malicious. This gave the criminals a windfall of $81 million: a fraction of the billion dollars they were after, but still a huge sum of money.
Nish continued that the hackers subverted the systems the bank was using by creating custom malware, which they implanted in the network to cover their tracks.
"We found some of the code used," explained Nish, "and when we analysed it, we found how the attackers managed to manipulate the system using Swift Alliance Access."
Swift Alliance Access (SAA) is the main messaging software used by financial organisations. Bangladesh Bank runs this software on its network, and the attackers were able to patch it so that their code modified Swift's behaviour without being detected.
By overwriting logic in memory, the attackers subverted the software by flipping just eight bits of code. "Similar to flipping a door on a vault," added Nish. Behind that door the attackers had access to billions of dollars in the accounts, just as they would to cash inside a vault.
This code read and wrote certain files and ran with OS-level administrator privileges. With that root access the attackers could manipulate the software and hide their tracks, and they were even able to alter the messages sent over Swift to mimic the language used in the industry.
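The defensive counterpart to the in-memory patch described above, as an added example rather than BAE's or SWIFT's code: it compares the code actually resident in memory with a trusted baseline, so that a change of a single byte (the "eight bits" Nish describes) is reported with its offset and bit count even though the file on disk is untouched. The code bytes and the `tamper_for_test` fixture are constructed stand-ins, not the real software.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a code page of a loaded validation routine. These
# bytes are made-up sample data, not the SWIFT Alliance Access binary. 0x74 is
# the x86 opcode for a short conditional jump (JE); changing that single byte
# to 0xEB (unconditional JMP) is the textbook one-byte edit that turns a check
# into a no-op, which is the scale of change the article describes.
BASELINE_IMAGE = bytes.fromhex(
    "5589e58b450885c0"    # push ebp; mov ebp,esp; mov eax,[ebp+8]; test eax,eax
    "7407"                # je +7      <- the branch that enforces the check
    "b8010000005dc3"      # mov eax,1; pop ebp; ret      (check passed)
    "31c05dc3"            # xor eax,eax; pop ebp; ret    (check failed)
)

def image_digest(image: bytes) -> str:
    """SHA-256 of a code image; the trusted value is taken from the on-disk file."""
    return hashlib.sha256(image).hexdigest()

def diff_images(baseline: bytes, observed: bytes) -> List[Tuple[int, int, int, int]]:
    """List (offset, expected_byte, observed_byte, bits_flipped) for each
    byte that differs between the trusted baseline and the observed image."""
    if len(baseline) != len(observed):
        raise ValueError(f"image length changed: {len(baseline)} -> {len(observed)}")
    return [(off, b, o, bin(b ^ o).count("1"))
            for off, (b, o) in enumerate(zip(baseline, observed)) if b != o]

def verify_loaded_image(observed: bytes, trusted_digest: str, baseline: bytes) -> Dict:
    """Compare the bytes actually resident in memory against the trusted
    baseline. A disk-only integrity check never sees a runtime patch, so the
    comparison must be made on the in-memory copy, and any mismatch is
    reported byte by byte so an analyst can see how small the edit was."""
    intact = image_digest(observed) == trusted_digest
    changes = [] if intact else diff_images(baseline, observed)
    return {"intact": intact, "changes": changes,
            "bits_flipped": sum(c[3] for c in changes)}

def tamper_for_test(image: bytes, offset: int, new_byte: int) -> bytes:
    """Test fixture: return a copy of the image with one byte replaced,
    standing in for a patch applied to the running process."""
    patched = bytearray(image)
    patched[offset] = new_byte
    return bytes(patched)

if __name__ == "__main__":
    trusted = image_digest(BASELINE_IMAGE)
    je_offset = BASELINE_IMAGE.index(b"\x74\x07")
    report = verify_loaded_image(tamper_for_test(BASELINE_IMAGE, je_offset, 0xEB),
                                 trusted, BASELINE_IMAGE)
    for off, exp, got, bits in report["changes"]:
        print(f"offset {off:#04x}: expected {exp:#04x}, found {got:#04x}, {bits} bits flipped")
```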
"This was not only a heist," continued Nish. "We were able to take some of the code and look for evidence of that code used elsewhere. This wasn’t a unique case.
"The Bangladesh Bank attack overlapped with other cases we investigated including the Sony Pictures attack from 2014. The Sony hack was attributed by the US to North Korea and this meant we had a clue to who was behind it."
Nish said that once the attackers got onto the Bangladesh Bank system, they could monitor what legitimate users were doing. Typically such access would be segregated.
Nish also said some banks don't do enough to test their system security once it has been set up, and that this ultimately comes down to training.
"The people we have defending our systems need training: how to spot attacks, how to set up security," said Nish. "There is always more you can do to secure systems, from using new technology to new approaches, and businesses want to make sure they're investing wisely.
"Having young, bright people doing the right training, getting involved with the hard technical skills and learning more communication is key. A lot comes back to communication. If you can find these people with these skills, we’ll all be in a better place."
Adrian Nish leads the Threat Intelligence team in BAE Systems' Applied Intelligence division. His team tracks both criminal and national security threats to build a picture of the actors in terms of their motivation and capabilities. These insights feed the technical defensive systems deployed by customers as well as providing context for decision makers.
Adrian regularly advises government and business on evolutions in the threat landscape. He holds a PhD in Physics from the University of Oxford and is an Associate Fellow at the London-based defence think-tank RUSI.
This article was originally published by WIRED UK