The Global Payments Network was Hacked in February 2016 and $81M stolen

Posted in Hacking

In February this year hackers broke into a Bangladeshi bank and tried to steal one billion dollars. They made off with $81 million (unrecovered!) before they made a small mistake and were stopped. Stealing $1 billion is huge anywhere, but especially for Bangladesh, whose total foreign currency holdings are only $27 billion.

How is this even possible?

Banks move money around the world using a system called SWIFT. The SWIFT messaging platform is used by 11,000 banks and other institutions globally. It doesn't route actual cash, but it does send payment orders that the banks and institutions so instructed must settle by moving money between designated accounts.
SWIFT security relies on the endpoints being secure. Those endpoints are in banks, so they should be secure, right?
You'd have thought that banks employed (or were required to employ) an almost money-no-object security build to protect THE GLOBAL PAYMENT NETWORK just in order to take part, since any chain is only as strong as its weakest link.
Unfortunately you'd be wrong. Reuters carries this delightful quote: "Bangladesh police investigators said last week that the bank's computer security measures were seriously deficient, lacking even basic precautions like firewalls and relying on used, $10 switches in its local networks."
So access to the GLOBAL PAYMENT NETWORK was protected by a second-hand hub bought off eBay and NO firewall.

But that’s just a Bangladeshi problem right?

Wrong! The hackers used a series of SWIFT instructions to move money from accounts held in the USA by the Federal Reserve Bank of New York to an account at Rizal Commercial Banking Corporation in the Philippines. There it was washed through casinos – Midas Hotel and Casino, City of Dreams, and Solaire Resort and Casino – and then wired back out to various international accounts, using the common laundering trick of claiming the funds as gambling proceeds. It has now disappeared. At no time did any money go to Bangladesh.

How did they do it?

Well, first off they had to breach a bank's security. They obviously didn't try JPMorgan or RBS; they went for a bank that bought its networking kit from a tat bazaar and then didn't install it properly. It must have taken precisely zero time for them to break into the GLOBAL PAYMENTS NETWORK!!!
Once inside the network, the hackers modified the SWIFT client software, known as Alliance Access, to both make the transactions and hide the evidence. This is a bit more difficult (but not very much more).
Alliance Access reads and writes SWIFT messages to files on the filesystem, and it records transaction information in an Oracle database. The hackers created malware that removed integrity checks within the Alliance software and then monitored the transaction files sent through the system, searching the payment orders and confirmations for specific terms.
When a message with one of the specific terms was found, the malware did different things depending on the kind of message. Payment orders were modified to increase the amounts being moved, and the Alliance database was updated with the new values. Confirmation messages from the SWIFT network were also modified. Confirmations are printed and stored in the database; before they were printed, the malware altered them to show the original, correct transaction value, and it also deleted confirmations from the Alliance database entirely.
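The three tamperings described above (inflated order, rewritten confirmation, deleted confirmation) are exactly what an out-of-band reconciliation catches. The following is an added illustration, not code from the post, from SWIFT or from BAE: a check run on a host separate from the Alliance Access server that keeps an HMAC of each approved order, compares it with what was actually written to the outbound file, and cross-checks the stored confirmations. The record layout, field names, key and amounts are constructed for the example and are not the real Alliance formats.

```python
import hashlib, hmac

# Constructed example: in practice the key lives on a host the Alliance server cannot reach.
KEY = b"reconciliation-key-held-off-host"

def order_mac(order: dict) -> str:
    """HMAC over the fields of a payment order an attacker would want to change."""
    canonical = "|".join(str(order[k]) for k in ("ref", "beneficiary", "amount"))
    return hmac.new(KEY, canonical.encode(), hashlib.sha256).hexdigest()

def reconcile(authorized: list, sent: dict, confirmations: list) -> list:
    """Cross-check orders as approved (with MAC taken at approval), orders as written
    to the outbound file (keyed by ref) and confirmations as stored in the database.
    Returns (ref, finding) pairs; an empty list means all three views agree."""
    findings = []
    conf_by_ref = {c["ref"]: c for c in confirmations}
    for a in authorized:
        s = sent.get(a["ref"])
        if s is None:
            findings.append((a["ref"], "authorized order missing from outbound file"))
            continue
        if not hmac.compare_digest(order_mac(s), a["mac"]):
            findings.append((a["ref"], f"outbound order altered: approved {a['amount']}, sent {s['amount']}"))
        c = conf_by_ref.get(a["ref"])
        if c is None:
            findings.append((a["ref"], "no confirmation recorded for a sent order"))
        elif c["amount"] != s["amount"]:
            findings.append((a["ref"], f"confirmation shows {c['amount']} but {s['amount']} was sent"))
    return findings

# Constructed sample records (not real SWIFT message formats, names or amounts).
AUTHORIZED = [
    {"ref": "TX0001", "beneficiary": "Example Charity", "amount": 250000},
    {"ref": "TX0002", "beneficiary": "Example Trading Co", "amount": 1000000},
    {"ref": "TX0003", "beneficiary": "Example Supplier", "amount": 40000},
]
for o in AUTHORIZED:
    o["mac"] = order_mac(o)  # taken before the order reaches the Alliance host
SENT = {  # TX0002 was inflated on its way out
    "TX0001": {"ref": "TX0001", "beneficiary": "Example Charity", "amount": 250000},
    "TX0002": {"ref": "TX0002", "beneficiary": "Example Trading Co", "amount": 81000000},
    "TX0003": {"ref": "TX0003", "beneficiary": "Example Supplier", "amount": 40000},
}
CONFIRMATIONS = [  # TX0002 rewritten back to the approved value; TX0003 deleted outright
    {"ref": "TX0001", "amount": 250000},
    {"ref": "TX0002", "amount": 1000000},
]

if __name__ == "__main__":
    for ref, finding in reconcile(AUTHORIZED, SENT, CONFIRMATIONS):
        print(ref, finding)
```

The point is that the MACs and the reconciliation never run on the Alliance host, so malware that has stripped the client's own integrity checks cannot also silence this one.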

So why didn’t they get all the money?

The hackers attempted to steal US$951 million in a series of three dozen SWIFT wire transfers, but a Federal Bank employee found some misspellings in the name of the organization used for one of the transfers. Five transfers were completed, totaling US$101 million; the fifth, a $20M transfer to a non-profit organization in Sri Lanka, was reversed due to the spelling error, which called it "Shalika Fandation" instead of "Foundation". That prompted a deeper look at the transfer and luckily stopped an additional US$850 million of queued transfers to other organizations.
So just luck and shaky spelling prevented EIGHT HUNDRED and FIFTY million dollars being stolen, with NO alarm bells ringing.

How secure is the GLOBAL PAYMENTS NETWORK then?

Not at all, by the looks of things. But it's alright, as SWIFT has announced they will be issuing "written guidance" to ensure their members are doing the right thing!
For instance, PCI-DSS outlines the responsibility a credit card merchant has. The credit card merchant, say your local hardware store, is not allowed to exchange credit card information with a financial services company before checking the security of their networks, systems, and applications. There are stiff penalties if a merchant does not do this, enough to put them out of business in some cases.
Somewhat incredibly, SWIFT and the Federal Reserve Bank are allowed to move billions of dollars on behalf of banks that don't have a firewall and have $10 routers bought second-hand off the Internet!

Links
Bloomberg 
Reuters
Fortune
CyberCrime & Doing Time
Ars Technica
BAE Systems