The hackers who broke into a global bank-messaging system and stole $81 million from the central bank of Bangladesh in February may also be connected to the email hacks on Sony in 2014, and a previously undisclosed theft from a bank in Vietnam, Reuters reported Friday.
The messaging system, SWIFT, is used by 11,000 financial institutions across the world to request and approve money transfers. In the Bangladesh heist, investigators said hackers may have coaxed someone working with the bank to give up credentials, and that thieves exploited the SWIFT system to request money from the Federal Reserve Bank of New York that was then routed to a bank in the Philippines, then transferred to local casinos and stolen.
The theft from the Vietnamese bank had previously been unreported, and investigators told Reuters they believed it was connected with the Bangladesh heist––and the attack on Sony––because malware the hackers used operated in a similar fashion. And while security experts are still learning about how it all happened, Reuters reported that hackers have been monitoring the investigation the whole time:
In Bangladesh, cyber-security experts hired by the central bank said in a report that hackers were still inside the bank's network, monitoring the investigation into one of the biggest cyber heists in the world. Reuters reviewed parts of the report, but the source who shared the document declined to provide access to its full contents, saying the release of some details could hamper a multinational effort to catch the criminals.
Asked about the report, a Bangladesh Bank spokesman said: "We have engaged forensic experts to investigate the whole thing, including this." He did not elaborate.
There are likely three hacking groups inside the SWIFT messaging system, Reuters reported: One is called Group Zero, one is Group Two, and the last is a nation-state actor that steals information, but not money. SWIFT, which is partly owned and run by the world’s largest banks, has been used since the 1970s. The system prides itself on security.
In a statement Friday, SWIFT said the hackers had obtained valid credentials from someone with clearance to use the system, then submitted fraudulent money requests. In both bank thefts, Bangladesh and Vietnam, SWIFT said its main system hadn’t been breached, but that hackers exploited the connection each bank maintains to link it to the global network. To clients, SWIFT explained the security breach like this:
In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.
The Bangladesh heist was at first thought to be an isolated operation of hackers exploiting a developing country’s security, but this development would mean that attacks are much more widespread, and many institutions are much more vulnerable than previously thought.