Report: New York Fed Fumbled Cyber-Heist Response
'Total Fluke' Prevented Full $951 Million Theft From Bangladesh Bank
"Inertia and clumsiness" at the Federal Reserve Bank of New York nearly led to one of the biggest cyber-heists in history being even worse.
So says a new investigative report from Reuters that traces the theft of $81 million from the central bank of Bangladesh in February in what was one of the most audacious - and successful - cyber-heists ever. Bangladesh police, as well as the U.S. Department of Justice and the FBI, are continuing to investigate the heist.
Attackers used fraudulent SWIFT inter-bank messages to request the transfer of $951 million from Bangladesh Bank's account at the Federal Reserve Bank of New York, of which $101 million was transferred and $81 million ultimately distributed to accounts in the Philippines and Sri Lanka.
But the Reuters report - based on interviews with current and former officials at banks, investigators and lawyers across multiple countries, and which involved a review of payment messages sent via SWIFT, as well as emails and documents - finds that there was "disarray and bungling at all the financial institutions involved."
The report is most scathing, however, when it comes to the New York Fed, which is the most powerful of the U.S. central bank's 12 regional units, handling about $800 billion in transfers per day. Indeed, despite hackers submitting unusual SWIFT money-moving requests - they requested money be transferred to individuals, the messages were at first incorrectly formatted, and overall they looked different than the bank's typical requests - the bank fulfilled $101 million of the fraudulent requests (see Fraudulent SWIFT Transfers: Congress Queries New York Fed).
Furthermore, it was a "total fluke" that the New York Fed didn't transfer the entire $951 million that had been requested, an unnamed person with knowledge of the investigation tells Reuters. That's because attackers reportedly requested that some of the funds be transferred to a Philippines bank that had the name "Jupiter" in its address, which tripped internal alarms at the New York Fed, because Jupiter is also the name of an oil tanker and shipping company that appears on a U.S. government sanctions list against Iran, which prohibits U.S. firms from doing business with designated organizations or individuals.
As a result, Reuters reports, the bank ultimately did review some of the transactions more closely - finding no link to the oil shipping company - although it moved relatively slowly, meaning that by the time it discovered other irregularities, it had already fulfilled five of 35 transfer requests and had moved $101 million out of Bangladesh Bank's account.
After the bank discovered the fraud, it and Bangladesh Bank were able to freeze and recover about $20 million of the transferred funds. But much of the outstanding $81 million that was transferred to individuals in the Philippines - and reportedly laundered via the country's casinos - still remains missing.
No Real-Time Fraud Controls
The theft revealed that the Federal Reserve's Central Bank and International Account Services unit, or CBIAS - the equivalent to a "bank within a bank," according to a former employee - wasn't using real-time controls for spotting fraud, although such systems are in use at other institutions, Reuters reports. Instead, the unit manually reviewed some transactions after they had been fulfilled, largely to comply with U.S. sanctions, it says.
The theft has damaged the Fed's reputation, especially with central banks of smaller countries who trusted the management and security of their funds to large, well-resourced banks in Western countries, such as the United States, according to Reuters.
The report is also sure to rekindle Bangladesh Bank's simmering dispute with the New York Fed and SWIFT. Indeed, Bangladesh Bank says responsibility for the attacks should be shared by both the Fed and the Brussels-based, bank-owned cooperative SWIFT, formally known as the Society for Worldwide Interbank Financial Telecommunication, which maintains a messaging system designed to guarantee that money-moving messages between banks are authentic.
Both the New York Fed and SWIFT have denied having any responsibility for the attacks or related fraud. Following weeks of acrimony and finger-pointing, representatives from all three organizations met in May and issued a joint statement pledging greater cooperation.
Officials from Bangladesh Bank and the New York Fed were due to meet last week in New York to discuss efforts to recover the missing $81 million, but that meeting was postponed and no explanation given for the delay. "We are in talks with the Fed and hoping that the meeting will take place anytime at the end of this month or next month," a senior Bangladesh Bank official, speaking on condition of anonymity, told Reuters.
An unnamed Fed official told Reuters that the purpose of the meeting would be to "understand what happened, what remediation steps have been taken by Bangladesh Bank to meet its contractual obligations, and to begin a path to normalize operations."
Bangladesh to Seek Compensation
According to the new Reuters report, however, Bangladesh Bank is now preparing a lawsuit that seeks compensation relating to the missing funds, based in part on alleged errors by both the Fed and SWIFT, which left the bank vulnerable to hackers.
Officials from the Fed and SWIFT couldn't be immediately reached for comment on the report. But both organizations have previously denied any wrongdoing or culpability relating to the fraud.
"It is important to note that the recent incident with the Bangladesh Bank was not caused by a breach or compromise of the New York Fed's systems," the New York Fed said last month in a statement.
In the wake of the heist, SWIFT also issued a warning that the malware used against Bangladesh Bank was part of a coordinated campaign against banks, followed by the launch of a customer security program that's designed to help SWIFT-using organizations spot when they've been hacked and to share related intelligence with other SWIFT users.
In criticism leveled squarely against Bangladesh Bank - based on details shared by investigators - SWIFT also noted that it's banks' responsibility to get their information security defenses in order. In a May letter to all 11,000 SWIFT customers, the organization noted that "SWIFT is not, and cannot, be responsible for your decision to select, implement (and maintain) firewalls, nor the proper segregation of your internal networks" (see SWIFT to Banks: Get Your Security Act Together).
Malware Slowed Response
Based on a report seen by Reuters that was generated by incident response firm FireEye - which Bangladesh Bank hired to investigate the heist - whoever stole the bank's funds first obtained the computer access credentials for one of the bank's SWIFT operators, then installed six different types of malware. The attackers reportedly began probing the bank's systems in January, before launching their attack late on Thursday, Feb. 4, apparently timed to coincide with the weekend in Bangladesh, which began the next day (see Bangladesh Bank Ends FireEye Investigation Into Heist).
After the New York Fed's CBIAS team began noticing suspicious transactions, they queried Bangladesh Bank via SWIFT, Reuters reports, but the malware installed on the bank system that connected to SWIFT had disabled the printer, suppressing the messages, and the Fed didn't attempt to contact Bangladesh Bank using any other channels. Meanwhile, it reports, Bangladesh Bank officials on Saturday, Feb. 6, searched and failed to find a manned weekend phone line at the Fed, and also attempted to contact the Fed via email, sending a message that read: "Our system has been hacked. Please stop all payment (debit) instructions immediately." But the New York Fed reportedly didn't receive the message until the start of its workday on Monday morning, and it didn't inform Bangladesh Bank that it had alerted correspondent banks to the fraud until Monday evening, New York time.
Last month, the New York Fed said that it "has and is taking immediate steps to help strengthen the safety of global payments in light of the potential vulnerabilities that have been exposed in the payments chain," but it declined to specify what those measures entail. A source with knowledge of the investigation tells Reuters that the bank has set up a 24-hour emergency telephone hotline for 250 accountholders, most of which are central banks.