(Adds comments from cyber security experts, comment from SWIFT)
By Serajul Quadir
DHAKA, March 11 - Investigators suspect unknown
hackers installed malware in the Bangladesh central bank's
computer systems and watched, probably for weeks, for how to go
about withdrawing money from its U.S. account, two bank
officials briefed on the matter said on Friday.
More than a month after hackers breached Bangladesh Bank's
systems and attempted to steal nearly $1 billion from its
account at the Federal Reserve Bank of New York, cyber security
experts are trying to find out how the hackers got in.
FireEye Inc's Mandiant forensics division is
helping investigate the cyber heist, which netted hackers more
than $80 million before it was uncovered.
The hackers appeared to have stolen Bangladesh Bank's
credentials for the SWIFT messaging system, which banks around
the world use for secure financial communication.
In a statement Friday, Belgium-based SWIFT said: "SWIFT and
the Central Bank of Bangladesh are working together to resolve
an internal operational issue at the central bank. SWIFT's core
messaging services were not impacted by the issue and continued
to work as normal."
Banks and other businesses are eager to learn more about how
the central bank was compromised so they can review their own
networks for signs that they are vulnerable to similar attacks
or might already have been breached, security professionals and
bank executives told Reuters.
The incident could prompt central banks worldwide to beef up
security and regulate financial institutions more tightly to
prevent similar attacks, said Aviv Raff, chief technology
officer with the cyber security firm Seculert.
"If banks are not better regulated this will for sure happen
again," said Raff.
Investigators suspect that malicious software code, often
referred to as malware, which allowed hackers to learn how to
withdraw the money could have been installed several weeks
before the incident, which took place between Feb. 4 and Feb. 5,
said Bangladesh Bank officials briefed on the matter.
Investigators believe the attack was sophisticated,
describing the use of a "zero day" and referring to an "advanced
persistent threat," the officials said.
A zero day is a vulnerability in software that has yet to be
identified or patched. This makes it easier for hackers to
infect a targeted computer without the victim's knowledge, even
if it is protected with security software.
Advanced persistent threat refers to long-term attacks where
hackers remain inside a network for months or even years.
Security experts said they hope samples of the malware will
be made available to researchers so they can determine whether
they are truly advanced, or if Bangladesh Bank's security
protections were not strong enough to block the attack.
"The next piece of the puzzle that will likely emerge is a
sample of the malware and/or if a true zero-day vulnerability
was used," said Jeff Wichman, a consultant with cyber security
firm Optiv.
The Bangladesh Bank officials acknowledged weaknesses in
their systems and said it could take two years or more to repair
the problems.
Wichman said he suspects one of the tools was a customised
version of a common piece of malware known as a Remote Access
Trojan, or RAT, which gives attackers the ability to gain remote
control of a victim's computer.
So far investigators have not found any proof that central
bank staff in Bangladesh were involved, one of the officials
said, but said the probe was continuing.
Security experts say that if insiders were not involved, the
attackers likely had assistance from somebody close to the
banking industry. They also may have spied on bank workers over
an extended period to gain details about wire-transfer processes
and other operations, they said.
"It takes somebody with deep knowledge of the banking
industry to perform these types of crime," said Shane Shook, a
security consultant who has investigated some of the biggest
cyber breaches on record.
The New York Fed, which provides banking services to some
250 central banks and other institutions, has said its systems
were not compromised.
The Bangladesh central bank had billions of dollars in its
current account, which it used for international settlements,
officials have said.
The stolen money made its way to various parts of the world.
Some $80 million is believed to have ended up in the
Philippines, where it was further diverted to casinos and then to Hong
Kong, according to bank officials.
One $20 million transaction was directed to a non-profit
organization in Sri Lanka.
But the unusually large transaction for the island nation
and a misspelling of the NGO's name raised red flags that helped
bring the robbery to light. That transaction was blocked, as was
another very large payment instruction, for between $850
million and $870 million.
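The two signals described above, a beneficiary name that does not match the registered one and an amount far outside what is normal for the destination, are exactly the kind of check a payment-screening step can apply before a wire instruction is released. The following Python is an added example written for this page, not code from Bangladesh Bank, SWIFT, or any investigator; the beneficiary registry, country baselines, account numbers and names are all constructed placeholders, and the hold-for-review policy is an assumption about how such flags would be handled.

```python
from difflib import SequenceMatcher

# Constructed registry of beneficiaries the bank has previously paid,
# keyed by account identifier. Names and accounts are invented.
KNOWN_BENEFICIARIES = {
    "LK-ACCT-0001": "Example Relief Foundation",
}

# Constructed per-country baseline: the largest single payment the bank
# normally sends to that destination. In practice this would be derived
# from the institution's own transaction history.
TYPICAL_MAX_BY_COUNTRY = {
    "LK": 2_000_000,
    "PH": 5_000_000,
}


def name_similarity(a, b):
    """Similarity ratio in [0, 1] after case and whitespace normalisation.

    1.0 means the names are identical; anything lower indicates a
    misspelling or substitution that deserves a second look.
    """
    def norm(s):
        return " ".join(s.lower().split())
    return SequenceMatcher(None, norm(a), norm(b)).ratio()


def screen_payment(instruction, known=KNOWN_BENEFICIARIES,
                   baseline=TYPICAL_MAX_BY_COUNTRY, size_factor=3.0):
    """Return a list of red flags for one outgoing payment instruction.

    instruction: dict with keys 'account', 'beneficiary_name',
                 'country' (ISO code) and 'amount_usd'.
    Flags raised:
      - beneficiary name differs from the registered name for the account
      - no registered beneficiary for the account at all
      - amount more than size_factor times the typical maximum for the
        destination country, or no history for that country
    An empty list means the instruction passed this screen.
    """
    flags = []

    registered = known.get(instruction["account"])
    if registered is None:
        flags.append("unknown beneficiary account")
    else:
        sim = name_similarity(instruction["beneficiary_name"], registered)
        if sim < 1.0:
            flags.append(
                f"beneficiary name mismatch (similarity {sim:.2f} "
                f"vs registered '{registered}')"
            )

    cap = baseline.get(instruction["country"])
    if cap is None:
        flags.append("no payment history for destination country")
    elif instruction["amount_usd"] > size_factor * cap:
        flags.append(
            f"amount {instruction['amount_usd']:,} exceeds "
            f"{size_factor:.0f}x typical maximum {cap:,} "
            f"for {instruction['country']}"
        )
    return flags


def disposition(instruction):
    """Assumed policy: any red flag holds the payment for manual review."""
    return "HOLD" if screen_payment(instruction) else "RELEASE"


if __name__ == "__main__":
    # Constructed instruction modelled on the pattern the article describes:
    # a misspelled beneficiary name and an amount far above the norm.
    suspicious = {
        "account": "LK-ACCT-0001",
        "beneficiary_name": "Example Relife Foundation",
        "country": "LK",
        "amount_usd": 20_000_000,
    }
    for flag in screen_payment(suspicious):
        print("FLAG:", flag)
    print("disposition:", disposition(suspicious))
```

The name check deliberately treats anything short of an exact normalised match as a flag rather than applying a fuzzy threshold, since a single-character difference is precisely the case worth catching; the amount check is relative to the destination's own history, so a sum that is routine for one correspondent can still be anomalous for another.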
(Writing by Paritosh Bansal. Additional reporting by Jim Finkle
in Boston; Editing by Jeremy Wagstaff, Raju Gopalakrishnan,
Jonathan Weber and Chizu Nomiyama)