Bangladesh bank heist

The media initially attributed the hack to a couple of cheap second-hand $10 switches. However, according to further reverse engineering, this is not a snatch and grab but a full scale bank heist perpetrated by determined adversaries with resources at their disposal. Even if the bank had purchased and properly configured state-of-the-art firewalls and intrusion prevention systems, it would at most have delayed the attack by several months.

The group which attacked the bank comprised members with a myriad of skills. The most obvious would be the hacking skills to gain a foothold in the network, move laterally and pivot into the subnet hosting the SWIFT system. They needed the skill to read assembly code and replace instructions in order to bypass validation. Next, they needed fintech knowledge: an understanding of the various SWIFT transaction codes such as "MT 900 Confirmation of Debit", their use cases and the message flow. More importantly, they needed auditors who understand the reconciliation process and know the various checks which are conducted. These auditors would be able to advise them on how to hide these transactions both in the database and on printouts so as not to raise a red flag. They would understand terms such as "convertible currency" so as not to overdraw the account.

Finally, there is the criminal element: they needed to know which banks were most lax in their requirements, allowing huge withdrawals. Then comes coordinating the movement of hundreds if not thousands of money mules. The mules must evade the authorities but still remain trackable by the group; after all, the group would not want the mules to disappear with the money. It is a massive administrative task to book the flights and account for time zone differences, the various banks' opening hours, movement plans and so on. I would not be surprised if the group had admin staff to track expenses and working hours, and to pay out salaries on a regular basis.

The SWIFT system cannot be fully standalone. An $81 million transfer must have been triggered by a request made by a customer that is tracked in another system. The reconciliation process thus maps these transactions to ensure that each and every one is accounted for, hence the necessity of hiding the SWIFT transactions. If there had been a firewall in place, the attackers would then have had to work with the auditors to identify this other system and use it to pivot into the SWIFT subnet. Given their skill set, I am pretty sure that it is achievable.
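The two paragraphs above describe the defender's lever: every outgoing SWIFT payment must map to a customer request held in a separate system, and the correspondent bank sends back an "MT 900 Confirmation of Debit" for each debit it actually executed. A reconciliation job that cross-checks all three sources cannot be defeated by editing only the local SWIFT database or suppressing printouts, because the confirmations come from outside the bank. The following is an added example written for this page, not code from the original post or from any SWIFT product; the `SwiftMessage` schema, the field names and the sample transaction references are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class SwiftMessage:
    """One SWIFT message as seen by the reconciliation job (hypothetical schema)."""
    ref: str        # transaction reference shared by all three systems
    mtype: str      # "MT103" = outgoing customer payment, "MT900" = debit confirmation
    currency: str
    amount: Decimal


# --- constructed sample data, not figures from the real incident -------------
# Customer-request system: ref -> (currency, amount) the customer asked for.
CUSTOMER_REQUESTS = {
    "TRN0001": ("USD", Decimal("20000000.00")),
    "TRN0002": ("USD", Decimal("1500000.00")),
}

# The bank's own SWIFT database (the source an intruder can tamper with).
LOCAL_SWIFT_LOG = [
    SwiftMessage("TRN0001", "MT103", "USD", Decimal("20000000.00")),
    SwiftMessage("TRN0002", "MT103", "USD", Decimal("1500000.00")),
    SwiftMessage("TRN0003", "MT103", "USD", Decimal("6000000.00")),  # no customer request
]

# MT 900 confirmations received from the correspondent bank (independent source).
RECEIVED_MT900 = [
    SwiftMessage("TRN0001", "MT900", "USD", Decimal("20000000.00")),
    SwiftMessage("TRN0002", "MT900", "USD", Decimal("1600000.00")),   # amount differs
    SwiftMessage("TRN0003", "MT900", "USD", Decimal("6000000.00")),
    SwiftMessage("TRN0004", "MT900", "USD", Decimal("25000000.00")),  # missing locally
]


def reconcile(requests, local_log, confirmations):
    """Three-way match; returns a dict of finding category -> sorted refs.

    unrequested           local MT103 with no customer request behind it
    amount_mismatch       local MT103 disagrees with the request or the MT900
    unconfirmed           local MT103 the correspondent never confirmed
    unlogged_confirmation MT900 for a debit the local database does not show
    """
    outgoing = {m.ref: m for m in local_log if m.mtype == "MT103"}
    confirmed = {m.ref: m for m in confirmations if m.mtype == "MT900"}
    findings = {
        "unrequested": set(),
        "amount_mismatch": set(),
        "unconfirmed": set(),
        "unlogged_confirmation": set(),
    }
    for ref, msg in outgoing.items():
        if ref not in requests:
            findings["unrequested"].add(ref)
        elif (msg.currency, msg.amount) != requests[ref]:
            findings["amount_mismatch"].add(ref)
        if ref not in confirmed:
            findings["unconfirmed"].add(ref)
        elif (confirmed[ref].currency, confirmed[ref].amount) != (msg.currency, msg.amount):
            findings["amount_mismatch"].add(ref)
    # Debits the correspondent executed but the local database no longer shows:
    # this is the check that survives deletion of local records or printouts.
    for ref in confirmed:
        if ref not in outgoing:
            findings["unlogged_confirmation"].add(ref)
    return {k: sorted(v) for k, v in findings.items()}


def run_sample():
    """Reconcile the constructed sample data."""
    return reconcile(CUSTOMER_REQUESTS, LOCAL_SWIFT_LOG, RECEIVED_MT900)


if __name__ == "__main__":
    for category, refs in run_sample().items():
        print(f"{category:22s} {refs}")
```

On the sample data the job flags TRN0003 as an instruction nobody requested, TRN0004 as a debit the correspondent confirms but the local database does not contain, and TRN0002 as an amount mismatch. The design point is that the MT 900 feed should be ingested and compared by a process that does not share a database, a printer or a host with the SWIFT front end, so that hiding a transaction locally still leaves it visible from the correspondent's side.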

This was not done by some kid in a basement who chanced upon an unsecured system. There was an entire group behind it which methodically chipped away the layers of security to finally expose the core. The person responsible for the spelling error was probably killed for his $800 million mistake. The expenses are not negligible either, considering the cost of hundreds if not thousands of round-trip flights and accommodation for the mules. After paying off the expenses and drawing up a P&L, the operation probably still turned a profit, albeit a much smaller one than intended.