The biggest cyber heist ever?

Rizal Commercial Banking Corporation (RCBC) Branch Manager Maia Santos Deguito (C) receives advice from her lawyers during the Senate hearing on the alleged 100 million US dollars illegally laundered in the Philippines at the Senate building in Pasay city, south of Manila, Philippines, 15 March 2016. The Philippine Senate started its inquiry into the alleged 100 million US dollars worth of illegal funds coursed through the banking system and casinos in the Philippines. According to reports, the suspected illicit funds were supposedly part of millions of dollars hacked from the overseas accounts of the central bank of Bangladesh. 81 million US dollars from the account of the Bangladesh Bank was transferred by the US Federal Reserve Bank of New York to the RCBC in the Philippines while the 20 million US dollars wire transfer to Sri Lanka was foiled. In a series of banking transactions, the suspected illicit funds in RCBC were then withdrawn and remitted to offshore accounts after these were moved through local casinos. The Philippine government, through the Anti-Money Laundering Council, the Philippine Amusement and Gaming Corp. (Pagcor) and the National Bureau of Investigation, is likewise investigating all related accounts. EPA/MARK R. CRISTINO

It’s a big story that has stayed beneath the radar of most American media. Somehow, cyber criminals stole $81 million from Bangladesh’s central bank (its Federal Reserve). The theft surely qualifies as one of the biggest cyber heists ever. It’s also a reminder that the world’s financial systems remain vulnerable to cyberattacks from groups or countries more interested in making war — disrupting societies — than money.
Still, money is the big draw. “The financial system is the primary target of the most sophisticated cyber criminals,” says James Lewis, a cyber expert at the Center for Strategic and International Studies (CSIS), a Washington think tank. “This is where the biggest payoffs are. Banks are under constant siege [from hackers].”
Just what happened here isn’t clear. The money moved from Bangladesh’s account at the Federal Reserve Bank of New York to private accounts in the Philippines, from which it was channeled to other accounts, including those of some gambling operations and a casino. Authorities have been frustrated in following the trail further, because casinos there are not subject to the country’s anti-money-laundering laws. (This description of the heist relies heavily on excellent stories in The Wall Street Journal.)
The New York Fed has disclaimed any responsibility for the fraudulent transfers. In a statement, it said:
“There is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question. … The payment instructions in question were fully authenticated … in accordance with standard authentication protocols.”
Assuming the Fed’s defense survives scrutiny, it suggests — but doesn’t prove — an inside job at Bangladesh Bank (the central bank’s official name) and at least one bank in the Philippines. Were people bribed to reveal the access codes or to overlook suspicious transfers? Did the criminals plant people inside the bank to orchestrate the theft? We don’t know.
At a hearing in Manila, it was alleged that a branch manager at one Philippine bank had more than $400,000 loaded into her car. Another source of confusion is that the theft occurred in February but wasn’t revealed — even to other parts of Bangladesh’s government — until March. After the disclosure, the head of the country’s central bank resigned.
What is known is that the scheme’s ambition far exceeded the $81 million that was transferred to the Philippines. The original goal was apparently about $1 billion to be conveyed through 35 separate transfers. Most of those transfers were never made.
Why? By one press version, doubts emerged when a word was misspelled on one transfer document. (The word “foundation” was spelled “fandation.”) By another story, the fact that so much money was going to private accounts stirred suspicions. It’s unclear whether someone at the New York Fed stopped the transfers and, if not, who did. Nor is it clear whether another $20 million was sent to Sri Lanka and the transaction was reversed, or whether the money was never sent.
Bangladesh Bank has hired an American cybersecurity firm, FireEye Inc., to solve the various mysteries. Among its early findings, according to The Wall Street Journal, is that the hackers may have penetrated the central bank’s computer system for several weeks before the transfers occurred. Possibly, 32 computers were compromised. This may explain how the access codes were obtained.
Whatever the final story, there are larger lessons. For starters, the New York Fed’s sweeping denial of responsibility is beside the point. Whatever the Fed’s direct involvement, it failed to spot a phony transaction before the funds were sent. Why was this? Can screening be improved?
What’s ultimately at stake is a stable global financial system. Financial networks depend on trust that what’s deposited won’t vanish, and that transactions are legitimate and not falsified. The loss of trust threatens to undermine payments networks and the reliability of financial record keeping. If criminals could do this to Bangladesh Bank, what could organized terrorists or hostile states do to advanced nations’ financial networks?
The theft confirms that most electronic networks are no stronger than their weakest links. “This tells us a lot about complex systems,” says Adam Segal, author of the recent book, “The Hacked World Order.” “Vulnerabilities constantly pop up somewhere in the chain,” he notes. “More connectivity” — making networks more useful — “means more vulnerabilities” — making networks more defenseless. This dilemma defines the Internet Age.
— Washington Post Writers Group


Robert Jacob Samuelson is a columnist for The Washington Post, where he has written about business and economic issues since 1977, and is syndicated by the Washington Post Writers Group.
