Week 1. The Bangladesh Bank Theft



Ana, Kirsten, and Alexandra, in their article, SWIFT Issues Cybersecurity Warning Following Bangladesh Central Bank Theft, on April 4th, 2016, reported a cyber-theft case.  The article reported that hackers successfully stole $81 million from the Bangladesh central bank.  According to Ana, FireEye Inc. and World Informatix investigated the incident (Badour, 2016).  The two companies reported that the hackers installed malware on the bank's server and monitored its activity for around two weeks.  The malware was identified as Dridex (Bangladesh Bank robbery, 2016).  The investigators also said that the hackers used a keylogger program to steal the bank's SWIFT credentials.  The credentials were used to make the transactions after several logins during a 14-day period.

After a little more research, I found more details about the case.  The hackers made three large transactions: $20 million to the Shalika Foundation account at a bank in Sri Lanka, $81 million to five different accounts at Rizal Commercial Banking Corporation (RCBC), and $851 million to other accounts (Bangladesh Bank robbery, 2016).  The transactions took place on the 4th and 5th of February, 2016, which was three days before Chinese New Year.  The $20 million transferred to the Shalika Foundation was stopped because of the incorrect spelling of the recipient name.  The bank official at Pan Asia Bank of Sri Lanka, through which the transfer took place, noticed the transaction amount and requested verification.  The third transaction of $851 million was blocked by the Federal Reserve Bank of New York because the amount raised suspicion.  The $81 million was successfully transferred because it arrived in Asia during an important holiday period, the Chinese New Year holidays.  The Bangladesh Bank requested that RCBC freeze the transaction but was not successful because of the holidays.

Based on this information, the banks did have proper procedures for handling large transactions.  Because of those procedures, $851 million was blocked by the Federal Reserve Bank and $20 million was blocked by Pan Asia Bank.  The $81 million that went to RCBC and was successfully withdrawn from the hackers' accounts indicates that the hackers were well organized.  They exploited the time, the place, and the regulation.  The one thing that was missing was coordination between the banks.  Suppose an automated protocol had placed the transaction in a state requiring review by a bank official; the $81 million transfer could then have failed.

Let's go back to the malware and keylogger program that the hackers somehow installed on the bank's computers and servers.  There are two possible scenarios: 1. the hackers installed the keylogger first to gain access and then installed the malware to monitor the servers for transaction procedures; 2. the hackers installed the malware on the bank's servers first and worked their way up to the terminals to steal the credentials.  Based on the information provided, the second scenario seems to fit better.  According to the report, Badour mentioned that the malware, Dridex, was on the servers for around two weeks before the transfer of the funds.  Dridex is malware that exploits weaknesses in macros in Microsoft Word or Excel to gain access to bank credentials (Dridex, n.d.).  Assuming that scenario two is the actual process the hackers took, how did Dridex get onto the server?  How did Dridex make its way to the terminal to steal the SWIFT credentials?  There are two cases that I can think of.  The first is that the hackers had insiders who helped them get the malware onto the servers and then opened the infected file on the terminals.  The second is that the hackers used weaknesses in the communication protocols to inject the malware into the servers.  After getting onto the servers, the malware then manipulated the server to send an infected file up to the terminal by means of email or a user request.  I believe this is the area where confidentiality and availability of information are important.  If the bank had structured its infrastructure in such a way that it required multiple levels of verification, the hackers would have had a hard time getting the transfer completed.
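To make the two controls discussed above concrete (an automated hold state that a bank official must clear, and multiple levels of verification before a transfer is released), here is an added example written for this post; it is not code from the banks, SWIFT, or the investigators.  The threshold amount, the holiday calendar, the sample transfers, and every function name are assumptions constructed for illustration; the sample transfers are loosely modelled on the three amounts described in the post, with a deliberately misspelled beneficiary name in the first.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed policy threshold for mandatory human review; not any bank's real figure.
REVIEW_THRESHOLD_USD = 10_000_000

# Constructed holiday calendar: days on which a beneficiary bank in that country
# cannot be reached to confirm a transfer or act on a freeze request.
HOLIDAYS_BY_COUNTRY: Dict[str, Set[date]] = {
    "PH": {date(2016, 2, 8), date(2016, 2, 9)},  # constructed sample dates
    "LK": set(),
    "US": set(),
}


@dataclass
class Transfer:
    ref: str
    amount_usd: int
    beneficiary_name: str
    beneficiary_country: str
    value_date: date
    # Name the receiving bank holds for the account, if it was shared in advance.
    account_holder_on_file: Optional[str] = None


@dataclass
class ReviewRecord:
    state: str                                   # "RELEASED" or "HELD_FOR_REVIEW"
    reasons: List[str] = field(default_factory=list)
    approvals: Set[str] = field(default_factory=set)


def _normalize(name: str) -> str:
    """Collapse case and whitespace so only real spelling differences count."""
    return " ".join(name.upper().split())


def screen_transfer(t: Transfer) -> ReviewRecord:
    """Apply the hold rules; any triggered rule parks the transfer for review."""
    reasons = []
    if t.amount_usd >= REVIEW_THRESHOLD_USD:
        reasons.append("amount at or above review threshold")
    if t.value_date in HOLIDAYS_BY_COUNTRY.get(t.beneficiary_country, set()):
        reasons.append("beneficiary bank closed on value date; freeze request could not be actioned")
    if t.account_holder_on_file and _normalize(t.account_holder_on_file) != _normalize(t.beneficiary_name):
        reasons.append("beneficiary name does not match account holder on file")
    return ReviewRecord(state="HELD_FOR_REVIEW" if reasons else "RELEASED", reasons=reasons)


def approve(record: ReviewRecord, officer_id: str, required: int = 2) -> ReviewRecord:
    """Dual control: release only after `required` distinct officers approve.
    The same officer approving twice counts once."""
    if record.state == "HELD_FOR_REVIEW":
        record.approvals.add(officer_id)
        if len(record.approvals) >= required:
            record.state = "RELEASED"
    return record


def sample_transfers() -> List[Transfer]:
    """Constructed sample instructions, modelled on the amounts in the post."""
    return [
        Transfer("TXN-SRI-20M", 20_000_000, "Shalika Foundaton", "LK",
                 date(2016, 2, 5), account_holder_on_file="Shalika Foundation"),
        Transfer("TXN-PHL-81M", 81_000_000, "Constructed Account Holder", "PH",
                 date(2016, 2, 8), account_holder_on_file="Constructed Account Holder"),
        Transfer("TXN-NY-851M", 851_000_000, "Other Constructed Accounts", "US",
                 date(2016, 2, 5)),
        Transfer("TXN-ROUTINE", 500_000, "Routine Supplier Ltd", "PH",
                 date(2016, 2, 4), account_holder_on_file="Routine Supplier Ltd"),
    ]


def screen_all(transfers: Optional[List[Transfer]] = None) -> Dict[str, ReviewRecord]:
    """Screen every transfer and key the results by reference number."""
    transfers = sample_transfers() if transfers is None else transfers
    return {t.ref: screen_transfer(t) for t in transfers}


if __name__ == "__main__":
    for ref, rec in screen_all().items():
        print(f"{ref}: {rec.state} {rec.reasons}")
```

Run as a script, the three large constructed transfers land in HELD_FOR_REVIEW (for amount, for a holiday at the beneficiary bank, and for the name mismatch) while the routine one is released; a held transfer moves on only when two different officers approve it, which is the multi-level verification the post argues for.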


References

Badour A., Thompson K., Aliferis A. (2016, April 4). SWIFT issues cybersecurity warning following Bangladesh central bank theft. Retrieved from http://www.canadiancybersecuritylaw.com/2016/04/bank-robbery-2-0-swift-issues-cybersecurity-warning-following-bangladesh-central-bank-theft/

Bangladesh Bank robbery (2016). In Wikipedia, The Free Encyclopedia. Retrieved from https://en.wikipedia.org/wiki/2016_Bangladesh_Bank_heist

Dridex (n.d.). In Wikipedia, The Free Encyclopedia. Retrieved from https://en.wikipedia.org/wiki/Dridex
