Unidentified hackers recently stole approximately $81 million from the Federal Reserve Bank of New York after breaching Bangladesh Bank’s systems in early February and stealing its credentials for payment transfers, Reuters reports.
According to The Inquirer, the funds were then transferred to a bank in the Philippines, where they were transferred to three different casinos, converted into chips, converted back into cash, and transferred to accounts in Hong Kong.
Another transfer request for $20 million was halted by a routing bank, Deutsche Bank, because the hackers had misspelled the word “foundation” as “fandation.” The Fed also notified Bangladesh Bank of an unusually large number of payment instructions and transfers to private entities rather than banks, and another $850 to $870 million in transfer requests were stopped.
Abul Maal Abdul Muhith, Finance Minister of Bangladesh, told BloombergBusiness that the Federal Reserve is responsible for the stolen funds. “We kept money with the Federal Reserve Bank and irregularities must be with the people who handle the funds there,” he said. “It can’t be that they don’t have any responsibility.”
Still, a spokeswoman for the Federal Reserve Bank of New York said the payment requests followed standard protocols.
“To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised,” the Fed stated on March 9. “The payment instructions in question were fully authenticated by the SWIFT messaging system in accordance with standard authentication protocols. The Fed has been working with the central bank since the incident occurred, and will continue to provide assistance as appropriate.”
On March 14, Bangladesh Bank governor Atiur Rahman resigned, the New York Times reports. “Such cyber attacks are happening across the world,” Rahman said. “We are new in facing such attacks. We lack experience.”
“Attackers continue to penetrate the cyber defenses of enterprise organizations, lurking for weeks and months at a time, gathering confidential and workflow data in an attempt to piece together enough information to facilitate these types of sophisticated attacks,” TrapX Security general manager Carl Wright told eSecurity Planet by email.
“In this case, the attackers were assuredly sloppy in many areas as they moved laterally to acquire that knowledge and perpetrate the attack in the first place,” Wright added. “And because the attackers were sloppy, the bank was able to stop the exfiltration of money after $81M in losses.”
“However, it is unfortunate that the banking institution did not have sufficient capabilities for post-breach lateral detection, which would have stopped the attack before it occurred,” Wright said. “That critical post breach lateral detection is the role of deception technologies, a crucial component of breach detection and diversion operations.”