CyberArk’s Asaf Hecht and Lauren Horaist have given iTWire an exclusive inside look at the bank heist. The cause is still puzzling and the investigation drags on, but one thing is for sure: it could have been prevented.
What happened? $81 million was withdrawn from the Bangladesh Bank’s account with the Federal Reserve Bank of New York. It was then washed via the Philippines and the money trail ends there.
The money trail
On 15 May 2015, bank accounts each containing one dollar were opened at the Rizal Commercial Banking Corporation (RCBC). They lay dormant until 4 February 2016.
On 4 February 2016 the hackers used Bangladesh Bank's account with the Federal Reserve Bank of New York to order 35 transfers worth $951 million, the bulk of it destined for RCBC's Jupiter branch in the Philippines.
The Federal Reserve Bank did not execute 30 of the 35 transfers, citing a ‘lack of details’. The remaining five, worth $101 million, could not be blocked, but $20 million was later recovered after a transfer to a fake Sri Lankan foundation was put on hold because of a typographical mistake in the beneficiary's name. The other $81 million reached RCBC and disappeared.
From here on it is a story of how the hackers got the money out of the bank; a separate, very comprehensive article and timeline covers that part.
A perfect crime - read on
CyberArk says this was almost the perfect crime: $81 million placed into bank accounts that had been legitimately opened under fake identities, quickly withdrawn and washed through Philippine casinos, with added intrigue as a cyber researcher was abducted and a bank employee invoked the right against self-incrimination.
To understand how the money was transferred, start with SWIFT, a private, member-owned financial services co-operative that provides a secure network (SWIFTNet) through which 11,000 institutions in 200 countries send and receive payment messages. Once a payment instruction is requested by a user with access, authenticated and authorised, it is acted on: the receiving institution treats an authenticated SWIFT message as genuine.
The hackers got into Bangladesh Bank either via spear phishing, a targeted drive-by download attack or, as is strongly suspected, by using an insider's security credentials.
Once inside, they were able to harvest credentials from infected systems and use them to move laterally through the bank's IT network. Reports indicate that 32 machines were accessed before the attackers crossed into the SWIFT-connected systems.
A SWIFT crime
The SWIFT-connected systems were owned and managed by Bangladesh Bank and ran SWIFTNet Link (SNL) software, which allowed these machines to connect securely to the SWIFT network. According to the incident responders' assessment, once the attackers were inside the SWIFT-connected systems they appear to have operated exclusively with local administrator accounts.
Banks typically separate their SWIFT-connected systems from the rest of their IT network, and until October 2015 Bangladesh Bank had done so too. It then launched a new Real Time Gross Settlement (RTGS) service that was connected directly to both the IT network and the SWIFT-connected systems. That removed the air gap and gave the attackers an easy path from compromised IT systems to the highly sensitive SWIFTNet Link systems.
The attackers installed monitoring software (“SysMon in SWIFTLIVE”) to watch all activity. This let them learn how the systems functioned and how financial messages were sent, and identify connected services. One service they discovered was related to the printers: every time an order was sent or received, a record was automatically sent to a printer. To keep their actions under the radar, the attackers used their privileged access to disable the connected printer and so cover their tracks. When bank employees noticed the printer was not working, they assumed it was a simple printer fault rather than a sign of an attack in progress.
Once inside the systems, the attackers were able to capture the digital certificates needed to send messages, as well as the static passwords that Bangladesh Bank used to protect access to the certificates. Unlike other banks, Bangladesh Bank relied on single-factor authentication alone, which is far easier to defeat: a captured password is all an attacker needs. With the necessary credentials in hand and knowledge of the processes, the attackers could start sending financial messages through the secure, access-controlled SWIFTNet systems while masquerading as legitimate, authorised users.
The attackers ordered a total of 35 transfers worth $951 million. Because they were using stolen privileged credentials belonging to Bangladesh Bank, SWIFTNet authenticated the messages and sent them on to their intended recipient, the Federal Reserve Bank of New York.
The timing was deliberate as well: the funds were to be transferred on 8 February, the Chinese New Year holiday, when no one was around to answer questions.
A privileged crime
First, after breaking through the perimeter, the attackers captured administrative credentials (privileged access) from infected machines.
Second, using the stolen privileged credentials, the attackers moved laterally through the environment until they reached the SWIFT-connected systems. They used the local admin account on each of those systems to monitor activity and harvest SWIFT credentials. Because all the passwords were static and there was no second authentication factor, the attackers gained persistent, privileged access to both the SWIFT-connected systems and the SWIFT software platform itself.
Next, in preparation for the final step, the attackers used their admin privileges to remotely disable the printer so that employees would not discover the fraudulent transactions. Lastly, they used the stolen SWIFT credentials to send the financial messages that initiated the 35 transactions.
Why Bangladesh Bank was an accident waiting to happen
Basically it came down to legacy decisions and poor inherent security.
It had unnecessary privileged access. As a best practice, standard business users should never have full local admin rights. CyberArk says it could have enabled Bangladesh Bank to remove local admin rights while still allowing users to elevate privileges when needed for approved tasks. Without local admin rights, it would have been much more difficult for the attackers to break in, move through the network and install monitoring software.
CyberArk solutions could have helped Bangladesh Bank secure its privileged account credentials: the remaining local admin accounts on endpoints, domain admin credentials, privileged SSH keys and any other credential that provides access to a sensitive account or system, including the SWIFT user credentials. By centrally securing privileged credentials, controlling access to them by role and enforcing multi-factor authentication before granting access, the attackers would probably not have been able to obtain the credentials needed to move laterally, reach the SWIFT-connected systems or execute the fraudulent transactions. And even if the attackers had harvested credentials with keylogging malware or by stealing a password hash, proactive credential rotation would have invalidated the compromised credentials, limiting how long they stayed useful to the attacker.
Another standard best practice is to segment highly sensitive systems from the rest of the IT network. This is seen in retailers with separate PCI environments and in utilities that separate and air-gap their ICS systems, and it should be seen in central banks' SWIFT-connected environments. CyberArk can help organizations separate these systems from the rest of the network by establishing a single, tightly controlled point of access into them. By forcing all users through that single access point and closing every other route into the systems, companies can dramatically reduce the attack surface, control precisely who can access which systems, and insulate those systems from risks on users' endpoints. As an added benefit, once all traffic flows through one location, organizations can easily monitor and audit exactly who did what, strengthening security and increasing accountability.
In today's threat environment, in which attackers can easily masquerade as genuine users, it's crucial that organizations also monitor and analyse all privileged account activity. These accounts protect the most sensitive data and assets, and as a last line of defence security teams need to be able to quickly identify anomalous activity that could indicate an attack in progress. In this case, had Bangladesh Bank been monitoring its SWIFT and local administrator account activity, it could have been alerted to the abnormal login patterns, investigated what was going on, and stopped the attackers before they executed the 35 transactions.
Lastly, by controlling applications on endpoints and servers, organizations can apply application whitelisting policies that match their risk tolerance. This proactively prevents unknown and malicious software from entering the environment and detects when new applications appear and spread. In this case, Bangladesh Bank could have recognized the malware on the 32 infected systems during the early stages of the attack and blocked the “SysMon” monitoring tool from running on the SWIFT-connected machines in the later phases.
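As an added example, not from the article or from CyberArk's products, here is what the privileged-activity monitoring described above can look like in code: a small detector run over constructed log lines from a SWIFT-connected host. The log format, the host, account and service names, the business hours and the sample events are all assumptions. The four rules correspond to signals the article says were present during the attack: a local administrator login on a SWIFT host outside business hours, a privileged login from a source never seen in the baseline, the confirmation printer's service being stopped, and messages being sent while it is down.

```python
"""Privileged-activity monitoring for SWIFT-connected hosts: added example,
not from the article or CyberArk. Log format, names, hours and sample lines
are all assumptions constructed for the example."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set

# Assumed log format, one event per line:
#   <ISO ts> host=<name> event=<login|service_stop|swift_msg> user=<name> [src=<ip>] [svc=<name>] [count=<n>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))?(?: svc=(?P<svc>\S+))?(?: count=(?P<count>\d+))?$"
)
SWIFT_HOSTS = {"swift-alliance-01"}                 # assumed host name
PRIVILEGED_USERS = {"Administrator", "swiftadmin"}  # assumed account names
PRINT_SERVICES = {"Spooler"}                        # assumed confirmation-printer service
BUSINESS_HOURS = (time(9, 0), time(17, 0))          # assumed

@dataclass
class Event:
    ts: datetime
    host: str
    event: str
    user: str
    src: Optional[str]
    svc: Optional[str]
    count: int

@dataclass
class Alert:
    rule: str
    ts: datetime
    host: str
    detail: str

def parse_log(text: str) -> List[Event]:
    """Parse the assumed key=value format; reject lines that do not match."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        d = m.groupdict()
        events.append(Event(datetime.fromisoformat(d["ts"]), d["host"], d["event"],
                            d["user"], d["src"], d["svc"], int(d["count"] or 0)))
    return events

def detect(events: List[Event], baseline_until: datetime) -> List[Alert]:
    """Four rules over SWIFT-host events in time order. Events before `baseline_until`
    only teach which sources each privileged user logs in from; later events can raise
    off_hours_privileged_login, new_source_privileged_login, print_service_stopped
    and messages_sent_while_printer_down."""
    known_sources: Dict[str, Set[str]] = {}
    printer_down: Set[str] = set()
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.host not in SWIFT_HOSTS:
            continue
        in_baseline = ev.ts < baseline_until
        if ev.event == "login" and ev.user in PRIVILEGED_USERS and ev.src:
            seen = known_sources.setdefault(ev.user, set())
            if in_baseline:
                seen.add(ev.src)  # learn, never alert, inside the baseline window
                continue
            if not BUSINESS_HOURS[0] <= ev.ts.time() <= BUSINESS_HOURS[1]:
                alerts.append(Alert("off_hours_privileged_login", ev.ts, ev.host,
                                    f"{ev.user} from {ev.src} at {ev.ts.time()}"))
            if ev.src not in seen:  # post-baseline sources are deliberately not learned
                alerts.append(Alert("new_source_privileged_login", ev.ts, ev.host,
                                    f"{ev.user} from {ev.src}; baseline {sorted(seen)}"))
        elif ev.event == "service_stop" and ev.svc in PRINT_SERVICES:
            printer_down.add(ev.host)
            if not in_baseline:
                alerts.append(Alert("print_service_stopped", ev.ts, ev.host,
                                    f"{ev.svc} stopped by {ev.user}"))
        elif ev.event == "swift_msg" and ev.host in printer_down and not in_baseline:
            alerts.append(Alert("messages_sent_while_printer_down", ev.ts, ev.host,
                                f"{ev.count} messages by {ev.user} with no printed record"))
    return alerts

# Constructed sample: two days of routine operator activity, then the pattern the article
# describes (late local-admin login from an unfamiliar host, spooler stopped, message burst).
SAMPLE_LOG = """
2016-02-02T10:15:00 host=swift-alliance-01 event=login user=swiftadmin src=10.10.5.21
2016-02-02T10:20:00 host=swift-alliance-01 event=swift_msg user=swiftadmin count=3
2016-02-03T11:02:00 host=swift-alliance-01 event=login user=swiftadmin src=10.10.5.21
2016-02-04T20:36:00 host=swift-alliance-01 event=login user=Administrator src=10.20.77.140
2016-02-04T20:41:00 host=swift-alliance-01 event=service_stop user=Administrator svc=Spooler
2016-02-04T20:55:00 host=swift-alliance-01 event=swift_msg user=swiftadmin count=35
"""

def run_sample() -> List[Alert]:
    """Detector over SAMPLE_LOG, with 4 Feb 2016 as the end of the learning baseline."""
    return detect(parse_log(SAMPLE_LOG), baseline_until=datetime(2016, 2, 4))

if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.host} {a.rule}: {a.detail}")
```

Running the script prints four alerts for the constructed 4 February events and none for the routine activity on the two days before. Sources seen after the baseline are deliberately never learned, so a repeat login from the same unfamiliar host keeps alerting; in a real deployment the baseline would come from a rolling window and the events from Windows security and service-control logs or from the session records of a privileged access gateway, rather than from an embedded string.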
While this attack required advanced planning, the attack methods used were not very sophisticated. With the proper tools and policies, this likely could have been prevented.