The 2016 Bangladesh Bank Heist stands out as a significant digital theft where hackers exploited the SWIFT financial messaging system to orchestrate a massive theft from Bangladesh Bank’s account at the Federal Reserve Bank of New York.
Attack Summary
Intrusion Method: The attackers, possibly with insider assistance, used Dridex malware to infiltrate the Bangladesh Bank's systems. This allowed them to monitor internal processes, especially around international transactions and payment operations.
Reconnaissance and Preparation: To gather intelligence, they installed Sysmon on systems connected to the SWIFT network, which helped them map out SWIFT’s operational patterns and employee interactions with SWIFT software.
Fraudulent Transactions: Using manipulated PRT files and Printer Command Language, the attackers initiated 35 fraudulent SWIFT messages, attempting to transfer $951 million. Thirty transactions were flagged and blocked by the New York Fed, but five transactions were processed, leading to a $101 million loss for Bangladesh Bank:
$20 million transferred to Sri Lanka (recovered due to a typographical error).
$81 million routed to the Philippines, where $18 million was later recovered.
Final Losses: After partial recovery, Bangladesh Bank faced a $63 million loss. Much of this was swiftly laundered through casinos in the Philippines.
Understanding SWIFT's Role in International Transactions
The SWIFT network facilitates secure financial messaging between banks globally. To grasp the heist's complexity, understanding the VOSTRO/NOSTRO account setup is essential. Here's a simplified example to illustrate how SWIFT functions in an international transfer scenario:
Initiation: The buyer's bank (Bangladesh Bank) receives a request to transfer a large amount, e.g., $10 million.
Intermediary Use: Because of the size of the transfer and Bangladesh Bank's limited direct access to foreign markets, the transaction goes through an intermediary bank, here the NY Fed.
NOSTRO and VOSTRO are the accounting terms for this arrangement. The same account is described from two sides: in Bangladesh Bank's own books it is a NOSTRO account ("our money held with you"), and in the NY Fed's books it is a VOSTRO account ("your money held with us"). In this article the account Bangladesh Bank maintains with the NY Fed is referred to as the VOSTRO account.
Transaction Flow: Bangladesh Bank instructs the NY Fed to debit its VOSTRO account and transfer the amount to the seller’s bank.
Transaction Completion: The NY Fed deducts the amount from the VOSTRO account and completes the transfer to the recipient bank.
Bangladesh Bank’s SWIFT Technical Architecture
The bank’s SWIFT setup involved four main components, interconnected via a VPN:
Core Bank IT Systems: Handle regular banking transactions.
SWIFT Messaging Bridge: Generates SWIFT messages for transactions.
SWIFT Gateway: Ensures secure connectivity between banks via SWIFT protocols.
Confirmation Printer: Provides a physical record of transaction confirmations for verification.
Attack Execution on SWIFT Systems
Malware Deployment: Attackers installed malware on servers running SWIFT Alliance software, responsible for SWIFT message handling and validation.
DLL Manipulation: The malware checked active Windows processes for liboradb.dll, a crucial SWIFT component, and patched it in memory to bypass transaction validations by altering the code (JNZ instruction).
Message Injection: With the patched DLL, attackers could inject unauthorized SWIFT messages into the network without triggering file integrity or signature checks, making the fake transactions appear legitimate.
The Bangladesh Bank Heist: The Intrusion
During the attack, the adversaries compromised systems running the SWIFT messaging bridge software, allowing them to inject fraudulent SWIFT messages. Notably, the bank’s internal IT systems were unaware of this intrusion, as the fraudulent transactions were directly injected into the SWIFT network.
The Bangladesh Bank Heist: Zooming in on the Malware
The malware specifically targeted the Bangladesh Bank’s servers running the SWIFT Alliance software, which manages SWIFT message transactions. The software performs complex validation checks, and the malware altered the code implementing those checks so that they could be bypassed.
When executed on the server, the malware scanned all running processes and modules on the Windows OS, searching for the liboradb.dll file. This DLL, a part of the SWIFT Alliance software, handles:
Reading the Alliance database path from the registry
Starting the database
Performing backup and restore functions for the database
In processes loading liboradb.dll, the malware altered the DLL in memory by replacing a specific JNZ instruction with two NOP instructions. This bypass caused SWIFT’s validation checks to always succeed, allowing counterfeit transactions to be approved. The in-memory patching allowed the attackers to avoid detection from integrity checks or digital signature validations on SWIFT’s software files. With this modification, counterfeit SWIFT messages could be injected directly into the database.
Figure: original code of liboradb.dll alongside the manipulated DLL
To ensure this function always returns success, the jnz instruction was removed. Instead of deleting the bytes, the malware authors replaced them with NOP (No Operation) instructions, preserving code structure and bypassing the jump condition. This technique is common in machine code patching.
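As an added example that is not part of the original post: a small Python check of the kind that would catch the in-memory patch described above. It compares the code bytes of a module as loaded in the process against the same bytes from the file on disk (the comparison the on-disk integrity and signature checks never make) and names any run where a conditional jump was overwritten with NOPs. The liboradb.dll bytes are not reproduced; both images are constructed stand-ins, and reading the real module from the live process and undoing relocations first is assumed to happen before this comparison.

```python
# x86 conditional jumps (Jcc): short form 0x70-0x7F rel8 (2 bytes), near form
# 0x0F 0x80-0x8F rel32 (6 bytes). JNZ is 0x75 (short) or 0x0F 0x85 (near).
NOP = 0x90

def code_diffs(disk: bytes, mem: bytes) -> list:
    """Runs where the in-memory code differs from the on-disk code,
    as (offset, original_bytes, patched_bytes)."""
    if len(disk) != len(mem):
        raise ValueError("images must be the same length")
    runs, start = [], None
    for i, (d, m) in enumerate(zip(disk, mem)):
        if d != m and start is None:
            start = i
        elif d == m and start is not None:
            runs.append((start, disk[start:i], mem[start:i]))
            start = None
    if start is not None:
        runs.append((start, disk[start:], mem[start:]))
    return runs

def classify(original: bytes, patched: bytes) -> str:
    """Name the modification when it is the Jcc-overwritten-with-NOPs pattern."""
    if any(b != NOP for b in patched):
        return "unclassified modification"
    if 0x70 <= original[0] <= 0x7F:
        return f"short Jcc (0x{original[0]:02X}) overwritten with {len(patched)} NOPs"
    if len(original) >= 2 and original[0] == 0x0F and 0x80 <= original[1] <= 0x8F:
        return f"near Jcc (0x0F 0x{original[1]:02X}) overwritten with {len(patched)} NOPs"
    return f"{len(patched)} bytes overwritten with NOPs"

def audit(disk: bytes, mem: bytes) -> list:
    """One finding per modified run; an empty list means memory matches disk."""
    return [f"offset 0x{off:X}: {classify(o, p)}" for off, o, p in code_diffs(disk, mem)]

# Constructed stand-in for a validation routine (not SWIFT's code): returns 1
# unless the check fails, in which case the JNZ at offset 2 jumps to the failure path.
DISK_IMAGE = bytes([
    0x85, 0xC0,                    # test eax, eax
    0x75, 0x06,                    # jnz  fail          <- the patched instruction
    0xB8, 0x01, 0x00, 0x00, 0x00,  # mov  eax, 1        (success path)
    0xC3,                          # ret
    0x31, 0xC0,                    # fail: xor eax, eax (failure path)
    0xC3,                          # ret
])
# The same routine as it sits in the patched process: JNZ -> NOP NOP, so execution
# always falls through into the success path while the file on disk is untouched.
MEMORY_IMAGE = DISK_IMAGE[:2] + bytes([NOP, NOP]) + DISK_IMAGE[4:]

if __name__ == "__main__":
    for finding in audit(DISK_IMAGE, MEMORY_IMAGE):
        print(finding)
```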
The Bangladesh Bank Heist: The Intrusion
The malware also intercepted SWIFT gateway confirmations, preventing them from being printed. However, when the confirmation printer malfunctioned, it failed to print any transactions, which raised suspicion. Once it was operational, the backlog—including the injected transactions—was printed. Despite this misstep, the attackers managed to process some transactions successfully due to careful planning.
The Bangladesh Bank Heist: The Fraud Flow
The attackers initially injected 35 transactions totaling $951M.
Of these, 30 transactions were blocked due to the keyword “Jupiter” in the bank address, flagged by the NY Fed due to an unrelated sanction hit.
Five transactions, totaling $101M, were processed by the NY Fed.
Four of these succeeded and were directed to three pre-established accounts at the Rizal Commercial Banking Corporation (RCBC) in the Philippines.
One transaction was blocked due to a typo ("Shalika foundation" vs. "Shalika fandation"), prompting Deutsche Bank to request verification from Bangladesh Bank.
The successful $81M transferred to RCBC was further funneled to casino accounts, where it was withdrawn and laundered.
The Bangladesh Bank Heist: Key Takeaways
The Bangladesh Bank heist serves as a critical example of vulnerabilities in financial institutions and the sophisticated tactics employed by attackers. Here are some essential insights from the incident:
Cybersecurity Posture: The Bangladesh Bank’s cybersecurity framework was alarmingly inadequate, particularly for a financial institution. Lacking network segmentation and relying on low-cost, secondhand infrastructure made it easier for attackers to infiltrate.
SWIFT Vulnerabilities: Although SWIFT is known for its secure environment, this heist revealed that its security is only as strong as its weakest link. The attack exploited the bank’s infrastructure without directly targeting SWIFT itself. This incident motivated SWIFT to launch its Customer Security Program (CSP) to enhance the security of institutions within its network.
Meticulous Planning: The heist was strategically timed, taking advantage of bank holidays and off-hours when responses would be delayed. This planning allowed the attackers to avoid immediate detection.
Extended Network Access: Attackers had been lurking within Bangladesh Bank’s network for a significant period before executing their plan. This prolonged access likely hindered the ability to identify the initial breach point, highlighting the need for improved network monitoring that could have detected the intrusion sooner.
Cyber Crime: Notable Ransomware Families
The evolution of ransomware has resulted in the emergence of numerous families, each with unique tactics and impact. Here are some significant ransomware variants:
Locky: Highly versatile, Locky can spread through exploit kits or traditional phishing emails, making it widely adaptable and popular.
Cerber: Known for its multifaceted approach, Cerber not only encrypts files but can also launch DDoS attacks against its victims.
Jigsaw: Inspired by the "Saw" movie series, Jigsaw both encrypts and exfiltrates data, increasing pressure on victims to pay the ransom.
Crysis & LeChiffre: Both leverage brute-force attacks against RDP to infiltrate systems, avoiding traditional phishing methods.
Goldeneye, Petya, & HDDCryptor: These ransomware variants don’t just encrypt files; when run with admin rights, they encrypt entire hard drives, even overwriting the Master Boot Record.
Popcorn Time: This variant introduces a “social” twist, offering victims the decryption key for free if they successfully infect others.
WannaCry (Wcry): Famous for its May 2017 attack, WannaCry exploited an SMB vulnerability (leaked by ShadowBrokers) to spread across networks, impacting several large organizations.
NotPetya: Rising to prominence in June 2017, NotPetya combined SMB exploits with credential-stealing tools like Mimikatz, followed by lateral movement techniques like PsExec/WMIC. Many believe its true aim was widespread disruption rather than ransom collection.
GandCrab: Launched in January 2018, GandCrab popularized the Ransomware-as-a-Service (RaaS) model, enabling less skilled cybercriminals to deploy ransomware. Its creators announced the end of operations on May 31, 2019.
Ryuk: Primarily targeting large organizations, Ryuk ransomware operators aim to control entire networks and coordinate a wide distribution of the malware, hoping for substantial ransom payouts.
Maze: Known for data theft, Maze often enters systems via phishing and post-compromise utility execution. Before encryption, it exfiltrates data, threatening public exposure if the victim refuses to pay.
Conclusion:
The Bangladesh Bank heist and the evolution of ransomware attacks provide crucial lessons for organizations, particularly in the financial and critical infrastructure sectors. The Bangladesh Bank incident highlighted how vulnerabilities in basic cybersecurity practices—such as poor network segmentation, outdated infrastructure, and lack of proactive monitoring—can expose even the most secure systems, like SWIFT, to indirect threats. This event spurred initiatives like the SWIFT Customer Security Program (CSP), underscoring that security must be holistic, addressing even the weakest links.
Akash Patel