What unites this curious cast of characters and enabled one of the most brazen digital-bank heists ever is a ubiquitous and highly trusted international bank-messaging system: Swift.
Tens of millions of dollars siphoned from the Federal Reserve Bank of New York. A shadowy set of casinos in the Philippines. A large bank in Bangladesh with creaky technology. An unknown — and perhaps uncatchable — group of anonymous thieves with sophisticated hacking skills.
What unites this curious cast of characters and enabled one of the most brazen digital bank heists ever is a ubiquitous and highly trusted international bank-messaging system: Swift.
Swift — the Society for Worldwide Interbank Financial Telecommunication — is billed as a supersecure system that banks use to authorize payments from one account to another. “The Rolls-Royce of payments networks,” one financial analyst said.
But last week, for the first time since hackers captured $81 million from Bangladesh’s central bank in February, Swift acknowledged that the thieves have tried to carry out similar heists at other banks on its network by sneaking into the beating heart of the global-banking system.
Most Read Nation & World Stories
- Mueller reveals Trump's attempts to choke off Russia probe VIEW
- 3 climbers presumed dead after Banff avalanche
- Here's the redacted Mueller report and what you need to know about it
- Key takeaways from Robert Mueller's Russia report VIEW
- Democrats subpoena Mueller report amid calls for impeachment
“There are many banks out there right now saying, ‘There but for the grace of God go us,’ ” said Gareth Lodge, a payments analyst at Celent, a financial-consulting firm.
The admission that the attack was not a one-time event in a developing country but perhaps part of a broader threat has thrust Swift into a spotlight, raising questions about how securely money is being moved around the world. Some financial-security experts point out the Swift system is only as safe as its weakest link.
The attack also reflects a growing sophistication among digital criminals, who for years have been breaching personal bank accounts and stealing credit-card credentials. The thieves in Bangladesh may have spent months lurking inside the central bank’s computers, studying how to steal the necessary credentials to gain access to Swift.
It is the digital version of the heist depicted in the movie “Ocean’s Eleven,” said Adrian Nish, head of the cyberthreat-intelligence team at BAE Systems, a defense and security company.
“The trend is moving from opportunistic crime to Hollywood-scale attacks,” said Nish, whose firm has analyzed the malware believed to have been used in the Bangladesh breach.
In the United States, most banks take special precautions with their Swift computers, building multiple firewalls to isolate the system from the bank’s other networks and keeping the machines physically isolated in a separate locked room.
But elsewhere, some banks take far fewer precautions. And security experts who have analyzed the Swift breach said they had concluded the Bangladesh bank may have been particularly vulnerable to an attack.
“Swift is a great organization,” said Chris Larsen, founder of Ripple, a financial-technology company that aims to speed up global-money transmissions. “But the system is fractured and antiquated. The way it is set up, you cannot totally isolate problems in a place like Bangladesh from the whole network.”
Finding weak spot
In some ways, Swift is a testament to how technology has helped all countries — including poorer ones — gain access to the financial system. But broader access has a downside.
The central bank in Bangladesh, by some accounts, employed fewer protections against cyberattacks than many other large banks. The bank, for example, used $10 routers and no firewalls, according to news reports.
The server software that the Bangladesh bank employed was a Swift product, Alliance Access, which connects banks to the central messaging system. In a sign of how seriously Swift regards the breach of Alliance Access, the group issued a “mandatory software update” last week to help members identify possible irregularities.
“These hackers figured out this was a weak point on the periphery, and they went for it,” said Jeffrey Kutler, editor-in-chief at the Global Association of Risk Professionals, a trade group. “But they were not able to compromise the core.”
Swift’s core is built on technology that has been evolving for decades. What began in 1973 as a relatively small network of 240 banks in Europe and North America is now a sprawling network of 11,000 users that includes banks and large corporations.
At first, Swift could be used to authorize payments across national borders. But it is now also used to transmit messages related to domestic payments, securities settlements and other transactions.
Swift’s growth in recent years reflects the increasingly global and interconnected nature of finance. But it also shows the risk of so many financial instructions running through a single system made up of a patchwork of banks and companies with varying levels of online protection.
Each bank on the Swift network is identified by a set of codes. And it was the codes assigned to the Bank of Bangladesh that were recognized — correctly — by the Federal Reserve Bank of New York when it transferred $81 million of the Bangladesh bank’s money to the Philippines, not knowing that someone, somewhere, had stolen the credentials of the Bangladesh bank and installed malware to cover his or her tracks.
Initially, the thieves requested the transfer of $951 million into a handful of bank accounts in Sri Lanka and the Philippines, a number that prompted the New York Fed to ask the Bangladesh bank to reconfirm that it indeed wanted to move the money.
In the end, the Fed processed only five of the 35 fraudulent payment requests, after it could not reconfirm with officials in Bangladesh.
The hackers seemed to time the attack perfectly: When officials from the Fed tried to contact Bangladesh, it was a weekend there and no one was working. By the time central bankers in Bangladesh discovered the fraud, it was the weekend in New York and the Fed offices were closed.
To conceal the crime, the malware disabled a printer in the Bangladesh bank to prevent officials from reviewing a log of the fraudulent transfers.
The money was transferred to accounts in the Philippines and then into the Philippine casino system, which is exempt from many of the country’s anti-money-laundering requirements.
The New York Fed has been criticized for letting the $81 million slip out. Rep. Carolyn Maloney, D-N.Y. and member of the Financial Services Committee, has called for an investigation, warning that the breach “threatens to undermine the confidence that foreign central banks have in the Federal Reserve, and in the safety and soundness of international monetary transactions.”
The New York Fed said in a statement that “there is no evidence that any Fed systems were compromised” and that the transfer of the money had been “fully authenticated” by Swift.
Swift also issued a statement about the attacks. But its executives declined to speak on the record about the episodes, which are still under investigation. The group’s chairman, Yawar Shah, who is a senior executive at Citigroup, also declined to comment.
In its statement, Swift emphasized that the hackers had been able to breach only some of the banks that communicate over Swift, not the network itself.