Bangladesh Bank Ends FireEye Investigation Into Heist

Anti-Malware, Fraud, Technology

Meanwhile, Ukrainian Bank Reports $10 Million Theft via SWIFT

Note: This story has been updated with comment from ISACA International.


The central bank of Bangladesh has opted to not extend a contract with the incident response team that it hired to investigate the theft of $81 million in February. Meanwhile, an unnamed bank in the Ukrainian capital of Kiev reportedly suffered a $10 million heist after attackers transferred funds via fraudulent SWIFT messages, as was the case in the Bangladesh heist.

The attack against Bangladesh Bank, which targeted its account at the Federal Reserve Bank of New York, involved sending fraudulent messages via the SWIFT interbank messaging system, backed by custom-built malware that infected the bank's systems and hid evidence of the attacks. SWIFT, formally known as the Society for Worldwide Interbank Financial Telecommunication, is a Brussels-based cooperative owned by 3,000 banks that maintains a messaging system used by 11,000 banks.

Last week, the Bangladesh Bank board met and ratified an earlier decision to not extend the contract it had signed with FireEye's Mandiant division, which had requested 570 hours of additional work to complete its investigation into the heist, Reuters reports.

"It was a unanimous decision," a director of Bangladesh Bank, Jamaluddin Ahmed, tells Reuters. The news service reports that Mandiant had been paid $280,000 for about 700 hours of work and that the high price tag associated with its services was a big factor in the bank opting to not renew the contract. Ahmed reportedly said that the bank is continuing to improve its information security program and defenses and may bring in outside cybersecurity experts again to help (see Bangladesh Eyes Insider Angle for SWIFT Bank Attack).

A Bangladesh Bank spokesman didn't immediately respond to a request for comment on that report. But spokesmen for both the bank and the Federal Reserve have previously said that they're continuing to probe the attack and attempting to identify the perpetrators (see Federal Reserve Watchdog Probes Banks' Cybersecurity).

A FireEye spokesman tells Information Security Media Group that the company has provided extensive information relating to the attack to Bangladesh Bank as well as other financial institutions. "We have uncovered and provided Bangladesh Bank and the global financial community extensive data about this unprecedented financial attack and how to prepare for the future and will continue to support law enforcement and the industry past the close of our engagement," he says. "It is important to note that the pricing and duration of our investigative work is unique to every incident."

Ukrainian Bank Heist Nets $10 Million

Meanwhile, investigators in Kiev say that a Ukrainian bank, which they have declined to name, lost $10 million after hackers infiltrated the bank's network and transferred the money via SWIFT, the Kiev Post reports.

The newspaper reports that the heist is being investigated by the Kiev chapter of the Information Systems Audit and Control Association, and that it's very likely that the attackers have employed similar tactics to steal money from other Ukrainian banks, according to Aleksey Yankovsky, head of ISACA's Kiev chapter.

"Banks now are not sharing such information at all and are afraid of publicity," Yankovsky tells the Kiev Post.

But ISACA International dismissed any suggestion that ISACA was involved in the investigation, saying that some ISACA members who are security consultants were hired, but "through their own organizations."

@BrianHonan @euroinfosec ISACA isn't involved. Consultants were hired through their own organizations. Some are members of the Kyiv Chapter.

A statement provided by incident responders to the Kiev Post notes that the heist may be part of a much larger series of attacks, although the responders have released no additional information to back up that assertion. The statement also says attackers likely conducted months' worth of reconnaissance before attempting to submit fraudulent SWIFT messages and route bank funds to attacker-controlled offshore accounts.

"At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars," the statement says.

Heist Follows Malware-Enabled SWIFT Fraud

A series of recent bank heists or attempted heists - affecting not just Bangladesh Bank, but also Vietnam's TPBank and Banco del Austro in Ecuador - used malware, disguised as a PDF reader, to help hide attackers' fraudulent SWIFT transfers (see 5 SWIFT Cyber Heist Investigations).
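The common thread in the Bangladesh, TPBank and Banco del Austro cases described above, and in the earlier description of the Bangladesh attack, is that fraudulent messages were sent and the local record of them was then hidden by malware. One defensive check that does not depend on the integrity of the messaging host is an out-of-band reconciliation: compare what the correspondent bank actually confirms executing against the bank's own authorisation ledger and against the messaging interface's local log. The following is an added example, not code from the article, from SWIFT, or from any of the banks or firms named; the transfer records, references and account labels are constructed, and the three data sources are assumed to be exported from separate systems so that a compromise of one cannot silently rewrite the others.

```python
"""Out-of-band reconciliation of outbound payment instructions.

Added example (not from the article). Assumes three independently kept
records: the core ledger of transfers the bank authorised, the messaging
interface's own local log, and the confirmations returned by the
correspondent bank. Every anomaly class below corresponds to something
the article's incidents involved: a message the bank never authorised,
a message altered in flight, or a local record that has gone missing.
All data is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ref: str           # transaction reference (constructed)
    amount: int        # amount in minor currency units (constructed)
    beneficiary: str   # beneficiary account label (constructed)


# Transfers the bank's core system recorded as authorised (constructed).
CORE_LEDGER = [
    Transfer("T1", 1_000_000, "ACCT-A"),
    Transfer("T2", 2_500_000, "ACCT-B"),
    Transfer("T3", 500_000, "ACCT-C"),
]

# What the messaging interface's local log shows (constructed). Note that
# the fraudulent T9 is absent: a hostile host can hide its own record.
INTERFACE_LOG = [
    Transfer("T1", 1_000_000, "ACCT-A"),
    Transfer("T2", 2_500_000, "ACCT-B"),
    Transfer("T3", 500_000, "ACCT-C"),
]

# Confirmations received from the correspondent bank (constructed):
# T2 arrived with a different beneficiary, T9 was never authorised,
# and T3 has not been confirmed yet.
CORRESPONDENT_CONFIRMATIONS = [
    Transfer("T1", 1_000_000, "ACCT-A"),
    Transfer("T2", 2_500_000, "ACCT-X"),
    Transfer("T9", 8_100_000, "ACCT-OFFSHORE"),
]


def reconcile(ledger, local_log, confirmations):
    """Return {ref: [finding, ...]} for every transfer that does not line up.

    The correspondent's confirmations are treated as ground truth for what
    actually moved, because they originate outside the bank's own hosts.
    """
    ledger_m = {t.ref: t for t in ledger}
    log_m = {t.ref: t for t in local_log}
    conf_m = {t.ref: t for t in confirmations}
    findings = {}

    def flag(ref, message):
        findings.setdefault(ref, []).append(message)

    for ref, conf in conf_m.items():
        authorised = ledger_m.get(ref)
        if authorised is None:
            # Money moved that the bank's own systems never approved.
            flag(ref, "executed but never authorised in core ledger")
        elif (authorised.amount, authorised.beneficiary) != (conf.amount, conf.beneficiary):
            # Approved, but the executed instruction differs from it.
            flag(ref, "executed with different amount/beneficiary than authorised")
        if ref not in log_m:
            # The messaging host has no record of a transfer that happened.
            flag(ref, "missing from local messaging log")

    for ref in ledger_m.keys() - conf_m.keys():
        # Possibly just settlement delay, but worth surfacing for follow-up.
        flag(ref, "authorised but no confirmation received")

    return findings


def run_example():
    """Reconcile the constructed data and return the findings."""
    return reconcile(CORE_LEDGER, INTERFACE_LOG, CORRESPONDENT_CONFIRMATIONS)


if __name__ == "__main__":
    for ref, notes in sorted(run_example().items()):
        print(ref, "->", "; ".join(notes))
```

The design point is that the check runs on a host that the messaging interface cannot write to, and that it consumes the correspondent's confirmations rather than trusting the local log to be complete; a deleted or rewritten local record then shows up as a discrepancy instead of disappearing.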

But it's not yet clear if the Ukrainian bank heist involved the same malware or was the work of the same hackers that attacked Bangladesh Bank.

Threat-intelligence firm iSight Partners, which is a FireEye division, notes that the Ukraine hack attacks may be the work of a different cybercrime gang that used malware to steal an estimated $25.5 million from Russian bank accounts. The gang was recently disrupted by Russia's Federal Security Service, although when it comes to the attacks ascribed to that gang, and the $10 million Ukrainian bank heist, "we have not yet definitely established the incidents are the same," iSight Partners says (see Russian Police Bust Alleged Bank Malware Gang).

In the Russian and Ukrainian bank hacks disrupted by Russia's FSB, which came to light earlier this month, the gang allegedly compromised not just Russian banks but also Ukrainian ones "via spear-phishing, used multiple tools to move laterally within their networks, and performed fraudulent SWIFT transactions," iSight Partners says. "We believe the attackers are distinct from those responsible for the bank compromise cases in Bangladesh and Vietnam."

SWIFT Launches Security Program

As more hack attacks and cases involving fraudulent SWIFT messages have come to light, SWIFT has responded by promising to offer more education to users and to facilitate better sharing of attack-related information (see SWIFT to Banks: Get Your Security Act Together).

The board of SWIFT met on June 9 and approved the new five-point customer security program and promised to begin funding it and "to actively oversee the program and assess incremental financial needs this year and next," according to a statement issued by SWIFT (see SWIFT Promises Security Overhaul, Fraud Detection).

"The industry's security is a top priority for the cooperative," said Yawar Shah, chairman of the SWIFT board as well as chief operating officer of customer intelligence for Citibank, in a statement. "We will work closely with regulators and customers to ensure this program's success and the industry's take up of the necessary security measures. A dedicated management team has been put in place under the CEO to manage the program and actively consult and engage with the community to further define and execute the five initiatives. The board has earmarked funds for the program and will ensure it receives the right focus and investment as it moves forward."