It was the start of a weekend in Bangladesh when an official at the country's central bank checked a printer in a server room. The tray was empty, which was strange. There should have been a sheaf of reports confirming payment instructions sent through the Swift system, the network that connects 11,000 banks around the world.
The printer glitch was no accident, but a deliberate strategy by criminals to hide their tracks. A day earlier, cyberthieves had issued instructions to transfer $951-million (U.S.) out of Bangladesh Bank's account at the New York Federal Reserve. Most were declined, but $81-million was transferred to a bank in the Philippines, never to be seen again.
The theft in early February sent shock waves through the global banking community. It was not simply enormous in size, but ambitious in its selection of target: the Swift system, the backbone of international finance.
The methods deployed were highly sophisticated, involving a combination of technical prowess and intimate knowledge of how Bangladesh Bank interfaced with Swift.
Gottfried Leibbrandt, chief executive of Belgium-based Swift, called the Bangladesh cyberattack "a watershed" for the banking industry. "There will be a before and an after Bangladesh," he said last month. What's more, it wasn't an isolated incident: Swift was aware of at least two other cases where cyberthieves used the same modus operandi, albeit with far less success.
Four months after the theft, much remains unknown about the perpetrators and their methods. It's not clear, for instance, how the malicious code was implanted into the systems at Bangladesh Bank. And both private firms and law-enforcement authorities are conducting investigations to uncover the culprits. Some signs point to a gang of expert cybercriminals; others point to the possible involvement of a state actor.
The theft shows that cybercriminals are growing increasingly audacious. "There's a willingness to engage in careful study of the operation of a business or a system, and devote substantial resources to carrying out a much more large-scale attack," said Luke Dembosky, a partner at Debevoise & Plimpton who previously directed investigations into cyberattacks as a senior official at the U.S. Department of Justice.
In the Bangladesh incident, the perpetrators began laying the groundwork a year before the attack. They opened accounts at Rizal Commercial Banking Corp. in the Philippines, seeding them with a token amount and letting them lie dormant until this February, according to media reports.
Two incidents foreshadowed the attack to come. In late 2015, Vietnam's Tien Phong Bank intercepted an attempt to use fraudulent messages to initiate transfers via Swift – the same method later employed in the Bangladesh Bank case.
Then, in January, Ecuador's Banco del Austro SA sent messages over the Swift system instructing Wells Fargo & Co. to transfer $12-million, according to Reuters. The banks now believe the transfers were the work of cybercriminals.
The next month, the hackers struck at Bangladesh Bank. They targeted a customized software program that acts as a liaison between a bank's systems and the central Swift infrastructure. The tool was "custom made for this job," wrote Sergei Shevchenko, a researcher at BAE Systems PLC, in an April note on the theft. The malware he analyzed could monitor incoming payment instructions from the Swift system and manipulate the normal process of printing confirmation notices.
The New York Fed didn't execute most of the payment instructions from hackers impersonating Bangladesh Bank. But several went through, including one for $20-million destined for Sri Lanka. But bank officials there flagged the transfer as suspicious and the funds were returned to Bangladesh's central bank. The $81-million sent to accounts in the Philippines, however, was withdrawn, except for about $60,000.
In May, researchers at Symantec Corp. published an analysis of the attack and said they had discovered distinct elements of code familiar to them from another notorious incident: the infiltration of the systems at Sony Pictures Entertainment Inc. which was revealed in 2014, a breach that the U.S. Federal Bureau of Investigation connected to North Korea.
While North Korea has been linked to hacking incidents, it isn't known to have deployed such methods in order to steal money. Mr. Dembosky, the former Justice Department official, said that if North Korea was involved in the heist from Bangladesh Bank, it would come as a surprise. "It would be quite a leap into the cybertheft game," he said. Instead, he suspected the involvement of what he called the "top of the food chain" in cybercrime: primarily Russian-led groups which draw participants from Europe and Asia.
Swift – which stands for the Society for Worldwide Interbank Financial Telecommunication – has emphasized that none of its core systems were infiltrated by the hackers. But it urged users to safeguard the access points to Swift on their own premises. To some extent, Swift is "at the mercy of the people connecting to their system," said Steve Durbin, managing director of the Information Security Forum. "They're only as strong as the weakest link."