In fact, ‘Business’ is positively booming (for the tech savvy bank robber)
Before we begin, a relatively short time on Google provides a rough sense of scale to work with:
(Disclaimer: I spent far longer than I should have on these figures and had to move on, so I am entirely open to correction)
- The largest ever diamond heist was an estimated $118 million from Schipol Airport, Amsterdam on 25 February 2005. If applying inflation to normalize these figures, that’s around $143 million now.
- Considered the biggest art heist in history, 12 pieces worth a total of $300 million were stolen from the Gardner Museum in Boston, USA on 18 March 1990. Closer to $545 million today.
- A messenger carrying a suitcase full of bearer bonds, easily exchanged for £292 million in cash, was mugged in London on 2 May 1990. Although all but 2 of the 301 bonds were eventually recovered, the full case would now be worth around £650 million, or $925 million.
- Ignoring the $1 billion (of which approximately $650 million was recovered) that Saddam Hussein attempted to disappear with from the Central Bank of Iraq on 18 March 2003 (the day before Coalition forces began bombing the country), and the estimated $5.7 billion at today’s value that many claim was looted from Reichsbank, Germany by both the SS and Allied soldiers between 1938 and 1945, since I don’t consider either to be proper bank robberies in the sense we mean here, the largest bank robbery was $282 million stolen by the bank’s guards overnight with no confrontation from Dar Es Salaam bank in Baghdad in 2007. Now $322 million.
- In the midst of civil war in Lebanon, in order to fund the fighting, one group broke into several banks including the British Bank of the Middle East on 20 January 1976 when £25 million was plundered. That’s nearly £190 million or over $265 million today.
- Finally, looking for something that feels a little closer to the ‘traditional’ bank robbery, like you see in the movies, there was the United California Bank Robbery on 24 March 1972 estimated at $30 million, a world record at the time, and the Knightsbridge Safe Deposit Centre robbery on 12 July 1987 of an estimated £60 million. Now that’s $170 million and £157 million, or $223 million, respectively.
Compare these to the estimated $1 billion netted by the “Carbanak Hacker Group” over 2 years, from 2013 to 2015, by targeting over 100 financial organisations in 30 countries from behind computer screens with minimal personal risk, and you can see what direction the business of robbing banks is likely headed.
March brought big news
Not only did one source pick up activity that suggested the Carbanak group may be back in play, and gearing up to another attack, but news broke of another high tech heist that came close to netting unknown hackers almost $1 billion over multiple transactions in a single day.
Fortunately for Bangladesh Central Bank, the target of the attack, the fifth transaction raised flags resulting in the remaining 30 unprocessed transactions being queried too. This meant the hackers ‘only’ received $81 million of their loot, but when you consider that their discovery was purely due to a spelling error in the name of the recipient, nobody can really take any credit for stopping this thing.
How did they do it?
Of course we are still some way off from discovering the full picture, however it appears that the attack was the culmination of at least a year of planning. It is known that four accounts were opened with Rizal Commercial Banking Corporation (RCBC) in Manila using false identities on 15 May 2015, which remained dormant until the attack in February 2016.
It is speculated that a campaign of spear phishing – a highly targeted and customized form of email phishing that, unlike its very generic counterpart, leverages knowledge and personal information gained about the target and their genuine day to day interactions in order to trick them into believing that the malicious email really is from a trustworthy source – was launched against the Bangladesh Central Bank.
Whether by spear phishing or other means, it seems that by January 2016 the attackers had deployed malware inside the bank’s systems, allowing them to not only intercept and steal all the necessary credentials for the smart card controlled ‘SWIFT’ system used by banks for secure financial communication, but also to spy on workers completing legitimate transactions, probably for weeks, in order to gain an intimate working knowledge of the methods and terminology employed.
It’s all in the timing
35 transactions requests were sent to the Federal Reserve Bank of New York on 4 February, spoofed to be appear to be genuine requests from Bangladesh Central Bank, requesting funds be transferred from the Bangladesh Bank’s account there to various entities in the Philippines and Sri Lanka.
It was normal for a list of all secure transactions each day to be printed out on the following day and examined, had this occurred then the number and quantity would certainly have been noticed, and in time for reversals to be processed. However, on Friday 5 February, notably the first day of the Bangladeshi weekend, the printer suffered a fault and no printout was completed – apparently a not entirely uncommon occurrence, but highly unlikely to have been a coincidence on this occasion.
The next day staff at the Bangladesh Central Bank attempted to access the SWIFT system, but were faced with a notification that “A file is missing or changed”, and resolution of this issue was presumably hindered by it being the middle of the weekend. When they finally did gain access they found that after 4 spoofed transactions to accounts held with RCBC in the Philippines had been completed, the fifth, to a non-profit organisation in Sri Lanka, had been queried due to the misspelling of the word ‘Foundation’ as ‘Fandation’, resulting in the remaining 30 transactions also being held up for query. However, by this point it was the weekend in the USA and so the Federal Reserve Bank could not be contacted until Monday 8 February.
Once communication opened up between Bangladesh Bank and the Federal Reserve, the situation became a lot clearer. Several further messages were sent via SWIFT to RCBC requesting that the transactions be stopped and the funds returned, but 8 February was a holiday in the Philippines for the Chinese New Year. What has not yet been explained, although not for lack of finger pointing, is why the following morning five withdrawals were allowed from the account before RCBC responded to the SWIFT messages, by which time only $68,305 was left of the $81 million.
I believe it is outside of our remit as a Cyber Security business to speculate on the events after this point, so I shan’t comment further on the effect of the controversial exclusion of casinos from the Philippines Anti-Money Laundering Act, on the mysterious casino junkets involvement, on just where the non-profit in Sri Lanka fits into all this, nor on the possible involvement of the manager of the RCBC branch where coincidentally the CCTV was faulty, or the potential greater conspiracy involving RCBC executives and their previous questionable dealings.
One development that is very worrying, though, is the apparent kidnapping of a cybercrime expert involved in the investigation, and the lack of investigation into it.
The blame game
Initially the Bangladesh Government attempted to shift the blame, stating “the Fed must take responsibility,” and even threatening legal action. However, we have since been told unequivocally that neither the Federal Reserve Bank’s systems, nor the SWIFT systems, have been compromised in any way. Meanwhile, Bangladesh Bank officials acknowledged that there were weaknesses in their systems, and admitted it could be “two years or more” before work to resolve them was completed.
Shockwaves
Bangladesh’s central bank governor, Atiur Rahman, who resigned 2 weeks after that attack was made public, referred to it is an “earthquake”, others are calling it “a wake-up call”. One thing is for sure, the shockwaves of this event are being felt in central banks the world over. No doubt an awful lot of cyber security policies and payment handling procedures will be under the microscope in the coming weeks, and an awful lot of people will be waiting with bated breath for every new scrap of information released.