What links the 2016 Bangladesh Bank heist to the Sony Pictures hack? BAE's Adrian Nish explains
BAE's head of threat intelligence made the comments at WIRED Security
In February this year, hackers broke into Bangladesh Bank and stole $951 million from the central reserve. It took six months to plan and a mere four days to execute, and the attackers believed they had erased all traces that they were ever there. They were wrong.
Within months, intelligence teams, including the one at BAE Systems, had not only recovered the hackers' code to see how they planned the attack, but had also linked it to the Sony Pictures hack of 2014 and to a toolset used by a North Korean criminal gang.
Comparing the bank heist to the casino heist in the George Clooney film Ocean's Eleven, Adrian Nish, BAE's head of threat intelligence in its Applied Intelligence Division UK, detailed the preparation, the code used and how intelligence helped find the source, at this year's inaugural WIRED Security event.
"The attackers had several stages they had to go through. Firstly, the set up. Just like in Ocean's Eleven, there was a lot of planning put in place to get the right team members," Nish explained.
"This started in May 2015, almost six months before, when the attackers set up bank accounts in Manila, Philippines, and Sri Lanka. They then broke into the bank's network and waited for the perfect moment to strike."
This strike came on Thursday, February 4 2016. In Bangladesh, Thursday is the end of the working week, so the attackers waited until the last possible moment to launch. The following Monday was also Chinese New Year, so banks in the Philippines would be closed.
This gave the criminals a four-day window to execute the heist and leave relatively unseen.
In total, the gang attempted to make 35 transactions, all sent through the Federal Reserve in New York, where Bangladesh held its foreign reserves. Of these, five were let through and only one was detected as malicious. This gave the criminals a windfall of $81 million: a fraction of the billion dollars they were after, but still a huge sum of money.
How did the hackers access the bank?
Nish continued that the hackers were able to subvert the systems the bank was using by creating custom malware, which they implanted into the network to cover up their tracks.
"We found some of the code used," explained Nish, "and when we analysed it, we found how the attackers managed to manipulate the system using Swift Alliance Access."
Swift Alliance Access (SAA) is the main messaging software used by financial organisations. Bangladesh Bank runs this software on its network, and the attackers were able to patch it so that their code could alter Swift's behaviour without being detected.
By overwriting logic in memory, the attackers subverted the software by flipping just eight bits of code. "Similar to flipping a door on a vault," added Nish. Behind that, the attackers had access to billions of dollars in the accounts, in the same way they would to cash inside a vault.
This code read and wrote certain files and ran with OS-level administrator privileges. The attackers had root access to manipulate the software and hide their tracks, and were even able to manipulate the messages sent over Swift to mimic the kind of language used in the industry.
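As an added illustration (not code from the article or from BAE), the defensive check that exposes the kind of single-byte, eight-bit in-memory patch Nish describes: compare the code section actually loaded in the process against its on-disk reference, and on a hash mismatch localise the exact bytes that changed. The section bytes, the patch offset and the function names are constructed for this example.

```python
import hashlib

# Constructed stand-in for a code section of a messaging client: the bytes as
# read from the signed file on disk (REFERENCE) and as found in process memory.
REFERENCE = bytes(range(256)) * 4          # 1024 bytes of constructed "code"


def patch_byte(section: bytes, offset: int) -> bytes:
    """Return a copy of `section` with every bit of the byte at `offset` inverted
    (one byte, i.e. all eight bits flipped, as in the Bangladesh Bank case)."""
    buf = bytearray(section)
    buf[offset] ^= 0xFF
    return bytes(buf)


RUNTIME = patch_byte(REFERENCE, 0x1F3)     # constructed "tampered" in-memory image


def section_hash(section: bytes) -> str:
    """Cheap whole-section fingerprint used for the fast path."""
    return hashlib.sha256(section).hexdigest()


def find_patches(reference: bytes, runtime: bytes):
    """Byte-by-byte comparison of two images of the same code section.
    Returns a list of (offset, reference_byte, runtime_byte, bits_flipped)."""
    if len(reference) != len(runtime):
        raise ValueError(f"section length mismatch: {len(reference)} vs {len(runtime)}")
    return [
        (off, r, m, bin(r ^ m).count("1"))
        for off, (r, m) in enumerate(zip(reference, runtime))
        if r != m
    ]


def verify_integrity(reference: bytes, runtime: bytes) -> dict:
    """Fast path: compare hashes. Slow path on mismatch: localise every patched
    byte so the alert carries offsets an analyst can map back to the binary."""
    if section_hash(reference) == section_hash(runtime):
        return {"intact": True, "patches": [], "bits_flipped": 0}
    patches = find_patches(reference, runtime)
    return {"intact": False, "patches": patches,
            "bits_flipped": sum(p[3] for p in patches)}


if __name__ == "__main__":
    print(verify_integrity(REFERENCE, RUNTIME))
```

Run periodically against every executable section of the messaging process; a real deployment would read the reference bytes from the signed installation file and the runtime bytes from the live process rather than from constructed buffers.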
The link to the Sony Pictures hack
"This was not only a heist," continued Nish. "We were able to take some of the code and look for evidence of that code used elsewhere. This wasn’t a unique case.
"The Bangladesh Bank attack overlapped with other cases we investigated including the Sony Pictures attack from 2014. The Sony hack was attributed by the US to North Korea and this meant we had a clue to who was behind it."
What can banks learn from this heist?
Nish said that once the attackers got onto the Bangladesh Bank system, they could monitor what legitimate users were doing. Typically this would be segregated.
Nish also said some banks don’t do enough to test their system security once it's been set up, and this ultimately comes down to training.
"The people we have defending our systems need training; how to spot attacks, how to set up security," said Nish. "There is always more you can do to secure systems from using new technology to new approaches, and businesses want to make sure they’re investing wisely.
"Having young, bright people doing the right training, getting involved with the hard technical skills and learning more communication is key. A lot comes back to communication. If you can find these people with these skills, we’ll all be in a better place."
Adrian Nish leads the Threat Intelligence team in BAE Systems' Applied Intelligence division. His team tracks both criminal and national security threats to build a picture of the actors in terms of their motivation and capabilities. These insights feed the technical defensive systems deployed by customers as well as providing context for decision makers.
Adrian regularly advises Government and Business on evolutions in the threat landscape. He holds a PhD in Physics from the University of Oxford and is an Associate Fellow at the London-based defence think-tank RUSI.
Disrupting a modern cyber-criminal enterprise
- (which use) Infrastructure
- (to attack) Victims
- (& secretly) Stolen Assets
So beyond this Philippine casino account there is money laundering, using N Prefectural Police's automobile tax as a pretext, and a darknet payment platform [Silk Road 4.0]. Development is probably still in progress lol
Japan to support the Philippines' drug rehabilitation measures, PM to tell President https://t.co/6P3K1HZgzc — Yomiuri Shimbun Politics (@YOL_politics) October 26, 2016
Japan to support the Philippines' drug rehabilitation measures, PM to tell President. October 26, 2016, 15:01. The Philippines was the destination of the funds from the Bangladesh cyber bank robbery, playing the role of money launderer. Furthermore, 2% of the Philippine population (2 million people) are meth addicts, so there is constant demand for laundering the proceeds of meth sales and for a darknet payment platform. After all, they have been meth addicts since around 1985.
This attack appears to have been aimed at them because Dyn researcher Doug Madory gave a talk at NANOG about BGP hijacking and DDoS. It is blatant suppression of speech. Video of the talk → https://t.co/3yncDMWf2x — Haruka Iwao (@Yuryu) October 21, 2016
Bonaponta in 原発 (nuclear power), October 25, 2016, 12:45 PM JST