Police Allege SWIFT Technicians Left Bangladesh Bank Vulnerable

Police in Bangladesh this week alleged that technicians associated with the financial network SWIFT introduced vulnerabilities which made it easier for hackers to infiltrate the systems of Bangladesh Bank.

Bangladeshi police this week alleged that technicians associated with the financial network SWIFT introduced vulnerabilities that made it easier for hackers to infiltrate the systems of Bangladesh Bank and carry out a massive heist.

Earlier this year hackers used stolen credentials to inject malware into the bank’s SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, network and made off with $81 million.

According to a report from Reuters on Monday, officials with the country’s law enforcement agency are blaming technicians with the network for introducing weaknesses into the network when it was first connected to Bangladesh’s first real-time gross settlement (RTGS) system last year.

Reuters cited a conversation with Mohammad Shah Alam, who’s heading up a probe into the heist with Bangladesh police’s criminal investigation department, and an unnamed official at Bangladesh Bank. The bank official claims the technicians made missteps and went against security protocols when they implemented the system, something which opened SWIFT messaging to anyone who had a “simple password.”

“It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done,” the bank official told Reuters.

The official told the news outlet that the technicians established a wireless connection to access computers in the locked SWIFT room from elsewhere in the bank, but neglected to disconnect remote access.

The police claim that when the technicians linked the RTGS to SWIFT, they should’ve connected it to a separate local area network but instead connected it to machines on the same network as 5,000 publicly accessible central bank computers.

The technicians also reportedly failed to disconnect a USB port they left attached to the SWIFT system, something that was left active and allowed remote access up until the attack took place, the bank official told Reuters. Furthermore, when the technicians installed a networking switch to control access to the network, “they chose to use a rudimentary old one they had found unused in the bank,” instead of a more robust switch which could’ve allowed them to better restrict access, the report claims.

Reuters previously reported that on top of misconfiguring SWIFT, the technicians neglected to implement a firewall between RTGS and the SWIFT room, something that would’ve enabled the bank to block malicious traffic.

The RTGS system is a funds transfer system which enables banks to transfer money or securities in real time, and on a gross basis. This particular system was installed at the bank in October.

In February, four months later, hackers used valid credentials to send bogus messages and complete transfers via the system, using malware to cover their tracks. Initially the attackers sought to transfer roughly $1 billion from Bangladesh Bank to the Federal Reserve Bank of New York. All but $81 million – money that was rerouted to a bank in the Philippines – has been recovered so far.

Researchers with BAE Systems published information about a toolkit the attackers built and used to carry out the attack late last month. According to the firm, the malware, Evtdiag, allowed the attackers to cover their tracks as they sent forged payment instructions to make the transfers.

According to Sergei Shevchenko, a security researcher with BAE,  any financial organizations connected to SWIFT should consider reviewing their systems to ensure they’re protected, as the malware could be adapted to attack other institutions.

SWIFT, who did not immediately return a request for comment on Monday regarding Reuters’ report, updated its software to combat the malware three weeks ago and going forward, will work with clients on catching potential attack indicators in database records.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.