Bangladesh bank investigators reportedly find three separate network intruders

The investigation into the bank heist that cost Bangladesh's central bank $81 million has taken a byzantine turn, as a new report surfaced of multiple hacking groups infiltrating the bank's network.
The investigation into the bank heist that cost Bangladesh's central bank $81 million has taken a byzantine turn, as a new report surfaced of multiple hacking groups infiltrating the bank's network.

The investigation into the online heist that cost Bangladesh's central bank $81 million has taken a byzantine turn, as a new report surfaced of multiple hacking groups infiltrating the bank's network.

A Bloomberg article citing two anonymous sources with knowledge of the cybertheft case, stated that FireEye, the security company spearheading the investigation, found the digital fingerprints of three distinct hacking groups inside the bank's infiltrated IT network.

"With the bank's surprisingly lax security, I'm not really surprised investigators found multiple hackers within their network," WatchGuard Technologies CTO Corey Nachreiner told SCMagazine.com. "Reports suggest the bank didn't even use a basic firewall. They are lucky there were only three hacking groups in their network."

Two of the identified groups are reportedly based in Pakistan and North Korea, respectively, while the third could be another nation-state or a cybercriminal outfit. The presence of not one but three external intruders initially made it very difficult for investigators to determine which one of the trio actually introduced the malware that obfuscated the attack. But now researchers are convinced that it's the unidentified group that pulled off the operation, while the other two parties were in the network for other, unknown reasons, the report continued.

The malware, which included a pair of tools dubbed Nestegg and Dyepack, helped the attackers use fraudulently obtained credentials to silently execute financial transactions via the SWIFT switch inter-bank messaging system, a network that banks around the world use to secure financial communications. In this case, the hackers transferred funds from the bank's U.S. Federal Reserve account to unauthorized accounts in the Philippines and Sri Lanka.

SCMagazine.com reached out to FireEye for additional details on the developing investigation.

Earlier this week, Reuters reported that the victimized Bangladeshi bank was placing blame for the attack on SWIFT, accusing its IT department of improperly implementing new software on the bank's network, thus creating a vulnerability. Since then, SWIFT categorically denied those charges in a statement on its website: "SWIFT rejects the false, inaccurate and misleading allegations made by Bangladesh Bank and Bangladesh Police's Criminal Investigation Department (CID) officials to Reuters. The accusations have no basis in fact," the statement read, adding, "Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network..."

As the investigation proceeds, the global banking industry is bracing for the possibility that the Bangladesh bandits may pull off additional malware attacks. "In the next attack, most or all of the local, host-based IOCs (indicators of compromise) are likely to change in an attempt to evade anti-virus and other host-based security controls," security firm Damballa reported in a recent blog post. Moreover, sophisticated hackers may try to stymie investigators by rerouting attacks through multiple proxy servers and planting false flags that seemingly point the finger at innocent parties, added Nachreiner.

"I suspect the investigators are focusing on Tools, Techniques, and Procedures (TTPs). The more intrusions that a forensic team investigates, the more they see differences among the techniques and procedures certain groups use," said Nachreiner. "This is probably what is allowing FireEye to compare some of the things they've found to other intrusions where they saw similar techniques and procedures. In short, when you combine TTPs together, they make a decent fingerprint that can identify a particular adversary."
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS