Bangladesh hack exploited flaw in common banking software

The hackers who stole $81 million from Bangladesh’s central bank likely exploited a flaw in software that is a staple in the global financial system, security researchers told Reuters.


The software comes from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a collective owned by over 3,000 financial institutions. The company is aware of a certain kind of malware targeting its client software, according to a representative, and is set to issue an update on Monday.

“The malware has no impact on SWIFT’s network or core messaging services,” the representative told Reuters.

British defense contractor BAE Systems said it believes the Bangladesh Bank attackers used the malware to target SWIFT client software known as Alliance Access.

The thieves used the malware to hide evidence and delay discovery of the attack — including erasing records of illicit transfers — according to BAE.

Neither SWIFT nor the Bangladesh Bank has commented on the BAE report. A senior Bangladesh police officer said forensics investigators had not found the specific malware described by BAE, but that they had not yet finished the probe.

In February, unknown hackers stole $81 million from the Bangladesh account at the Federal Reserve Bank in New York in what is considered the largest cyber heist in history.

The incident prompted the resignation of Atiur Rahman, the governor of the central bank, and has the bank considering a lawsuit against the New York Fed.

The malware discovered by BAE was likely part of a larger attack toolkit the hackers employed after they obtained administrator credentials to the SWIFT system, the researchers said.

The program allowed the attackers to modify a database used to log bank activity, causing the system to delete records of outgoing transfers, among other things.

Although the malware was tailored to attack Bangladesh Bank, BAE will warn today that "the general tools, techniques and procedures used in the attack may allow the gang to strike again," according to a draft warning shared with Reuters.

Adrian Nish, head of threat intelligence at BAE, said the scheme was incredibly elaborate.

"I can't think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in," Nish said. "I guess it was the realization that the potential payoff made that effort worthwhile."