Case Study Report: Bangladesh Bank Heist 2016

Typology: Summaries
Academic year: 2022/2023
Uploaded on 03/01/2023 by shanti_122

Partial preview of the text

Group Name: Ontija x2
Dejan Simonovic 723125
Waqar Abbas 661342
Wessam Koraim 722265
Ahmed Massoud 722508

1. Introduction:

There is an ever-increasing risk of financial services and institutions falling victim to a cyberattack, because a successful attack on such an institution can yield a large reward. As the saying goes, "the bigger the risk, the bigger the reward": these institutions are targeted by many non-state and, in some cases, state actors looking to score big and finance their own agendas. According to one estimate, financial institutions are 300 times more likely to be attacked than any other business with an online presence. The prospect of cyberattacks has driven financial firms to spend more and more on prevention, about 18 million dollars per firm versus 12 million dollars for firms across all industries. By one count, a typical American business experiences around four million attack attempts per year, while an American financial business faces almost a billion. One billion attempts per year is a remarkable number for a single institution, although the US Postal Service was reportedly attacked almost four billion times in 2016, and those intrusions were, according to reports, used as a backdoor into other departments of the US government. One billion attempts per year works out to roughly 1,900 per minute, or more than 30 in a single tick of the clock. Over the past five years the number of attacks, whether aimed at stealing money or the sensitive data held by financial institutions, has nearly tripled. Financial institutions have always been the primary customers of cybersecurity technology vendors and expertise.
Consumer data and the enormous volume of credit being moved around have made them a target for cybercriminals. The threat of financial disaster, reputational damage and regulatory consequences in the wake of a cyberattack has motivated them to invest in the field and in defensive cybersecurity capabilities. Banking and cybersecurity are becoming ever more intertwined. New vulnerabilities are discovered daily and new exploits emerge at a very fast pace. In addition, consumers have been given many diverse ways of interacting with their money which, if not designed and secured properly, can prove disastrous for both the client and the bank. The big question is: how do you successfully target a financial institution and get away with digital loot of almost a billion USD? It requires time, extensive organization, specialized experts, and exploiting the target's weak spots, which usually means human error.

[…] NGO, the spelling mistake was writing "Fandation" instead of "Foundation". Moreover, the transfer sent to Pan Asia Bank in Sri Lanka was also flagged as suspicious by Pan Asia Bank itself, because it was worth 20 million USD, an enormous amount for an NGO. As a result, an employee returned the transaction to the German bank (Deutsche Bank) for further verification; that bank noticed the spelling mistake mentioned above and sent the transaction back to the New York bank for confirmation, and the 20 million USD was recovered. The four remaining transfers could not be recovered, as they were headed to a bank in the Philippines. This too was planned by the hackers: once the transfers had reached the Philippines the New York bank sent a recall request to the receiving bank, but because of the Chinese New Year holiday in the Philippines the timing worked against Bangladesh Bank, and the money was quickly laundered through casinos into cash and became untraceable.

3. Threat Analysis:

Usually hackers try to steal individuals' banking credentials, but in our case they aimed for a higher goal: the central bank of Bangladesh itself, and worse, the device connected to the SWIFT network. First, let us explain what SWIFT is. It stands for the Society for Worldwide Interbank Financial Telecommunication and is essentially a secure network that enables governments and financial institutions worldwide to send and receive information about financial transactions securely and reliably. According to Wikipedia: "The majority of international interbank messages use the SWIFT network. As of 2015, SWIFT linked more than 11,000 financial institutions in more than 200 countries and territories, who were exchanging an average of over 32 million messages per day. SWIFT has a highly secured network. However, it doesn't hold responsibility for the security of its customers' local SWIFT infrastructure, although it does provide assistance to ensure customers are able to manage cyber attacks."

Unfortunately the security measures at Bangladesh Bank were not good enough to stop this attack, which was patiently executed over a period of about a year. The attackers got into the network through an employee's mistake: opening a malicious email allowed them to install their malware on that computer, after which they deployed software that passed as legitimate Windows software to monitor the bank employees' activity. Using this initial foothold, the attackers moved laterally across the bank's internal network and compromised 32 systems before reaching the systems connected to the SWIFT network. On those machines they obtained local administrator credentials and installed more monitoring software to learn how financial messages were sent, identify the different services, and capture SWIFT credentials, which was all they needed to initiate their own transfer requests.
To make sure their operation would not be discovered, they also manipulated the printer connected to the SWIFT system so that it printed nothing, which let them submit their requests without being caught by the usual paper confirmations. The question, then, is how Bangladesh Bank could have prevented this attack or reduced the damage. Its security should have been improved in several ways so that some stages of the attack would not have been possible. For example, employees should have been made aware that security starts with them and that they should not open suspicious attachments or visit suspicious external websites; a little knowledge could have spared the bank a loss of 81 million USD. The same awareness would teach them not to choose weak passwords just because they are easy to remember. Had the bank's security experts made sure that good anti-malware software was in place to detect malware and block it from executing, that could have stopped the whole attack despite the human error. Another thing the bank's security engineers could have done is remove administrator rights from users so that they cannot install software on their computers without the administrator's credentials, and make sure those credentials are unique per machine rather than reused everywhere, so that compromising one set does not give away access to everything. Changing credentials periodically could also have kept the hackers from holding on to their access for so long, and multi-factor authentication for logging in to the systems would have made it far harder for the hackers to get into the network or escalate their privileges. Another critical step would have been to isolate the important parts of the network, for example the SWIFT segment, and to make sure that there can be no external access to those segments. Finally, monitoring user account activity and network behaviour in order to anticipate threats and spot odd or suspicious behaviour in the network could have helped prevent this terrible loss for the bank and for the country.

4. The Aftermath:

The electronically transferred money ended up in the Philippines, where it was laundered and turned into cash through casinos. In the Philippines two Chinese men were identified as having opened the fake accounts, but they were only middlemen. Still, they were a crucial part of the further investigation: the authorities believed the middlemen could lead them to the true culprits, but they fled to Macao, where tracking them was impossible. Despite the hackers' efforts to erase the traces of the malware's activity, it was not completely removed, and cybersecurity experts were still able to analyse the malicious code. That analysis led experts to believe that this group was probably responsible for many similar attacks on financial institutions around the globe.

Privileges were obviously not assigned correctly, and this incident clearly showed the role that privileges play in serious security breaches. It also put the emphasis on the importance of proper security practices. The malware was probably delivered by email. It collected usernames and passwords and was able to cover its own tracks. Bangladesh Bank's systems were compromised and applications were modified so that the attackers gained access to the bank's SWIFT terminals, which carry payment orders between organizations and countries. With bank credentials in their possession, the hackers were able to use the SWIFT system. SWIFT is a cooperative organization owned by the banks that use it. The hackers used its messaging system to send payment messages to the Federal Reserve Bank of New York. The lesson was that SWIFT's weak points lie at the endpoints inside the member banks, and it was recognized that banks must take care of their own physical security as well as their cybersecurity.
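The monitoring recommended at the end of Section 3 is easiest to see as a set of behavioural rules run over outbound payment instructions. The script below is an added example for this case study, not code from the report, from Bangladesh Bank or from SWIFT; its record layout, policy thresholds, business calendar and four sample instructions are all constructed for illustration. It flags instructions sent outside business hours or on non-business days, to a beneficiary the bank has never paid before, above a per-message cap, above an operator's daily aggregate, or without a confirmation printout, the very control the attackers silenced.

```python
"""Behavioural screening of outbound payment instructions.

Added example: the record layout, thresholds, calendar and sample data are
constructed for illustration and are not Bangladesh Bank's or SWIFT's.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Iterable

# Constructed policy for a hypothetical institution.
BUSINESS_DAYS = {6, 0, 1, 2, 3}          # Sun..Thu (Python weekday: Mon=0, Sun=6)
BUSINESS_HOURS = range(9, 18)            # 09:00-17:59 local time
HOLIDAYS = {date(2016, 2, 8)}            # constructed holiday calendar
KNOWN_BENEFICIARIES = {"ACME TRADING LTD", "GLOBAL STEEL CORP"}
PER_MESSAGE_CAP_USD = 5_000_000
DAILY_CAP_PER_OPERATOR_USD = 20_000_000


@dataclass(frozen=True)
class Instruction:
    ref: str
    sent_at: datetime       # local time at the sending bank
    operator: str           # account that submitted the message
    beneficiary: str
    amount_usd: int
    printed: bool           # did the confirmation printer acknowledge it?


def screen(instructions: Iterable[Instruction]) -> dict[str, list[str]]:
    """Return {ref: [reason, ...]} for every instruction that trips a rule.

    Instructions are processed in time order so the per-operator daily
    aggregate is evaluated as each message arrives, not after the fact.
    """
    findings: dict[str, list[str]] = {}
    daily_total: dict[tuple[str, date], int] = {}

    for ins in sorted(instructions, key=lambda i: i.sent_at):
        reasons: list[str] = []
        day = ins.sent_at.date()

        if day.weekday() not in BUSINESS_DAYS or day in HOLIDAYS:
            reasons.append("sent on non-business day")
        if ins.sent_at.hour not in BUSINESS_HOURS:
            reasons.append("sent outside business hours")
        if ins.beneficiary.upper() not in KNOWN_BENEFICIARIES:
            reasons.append("first-time beneficiary")
        if ins.amount_usd > PER_MESSAGE_CAP_USD:
            reasons.append("exceeds per-message cap")

        key = (ins.operator, day)
        daily_total[key] = daily_total.get(key, 0) + ins.amount_usd
        if daily_total[key] > DAILY_CAP_PER_OPERATOR_USD:
            reasons.append("operator daily aggregate exceeds cap")

        if not ins.printed:
            # The heist relied on silencing the printer; a missing printout
            # is itself a signal, not just lost paperwork.
            reasons.append("no confirmation printout")

        if reasons:
            findings[ins.ref] = reasons
    return findings


# Constructed sample traffic: one routine payment and three that resemble
# the pattern of the heist (evening, unknown payee, large, unprinted).
SAMPLE = [
    Instruction("PAY-001", datetime(2016, 2, 4, 10, 15), "op1", "ACME TRADING LTD", 1_000_000, True),
    Instruction("PAY-002", datetime(2016, 2, 4, 20, 5), "op1", "UNKNOWN FOUNDATION", 20_000_000, False),
    Instruction("PAY-003", datetime(2016, 2, 4, 20, 7), "op1", "GLOBAL STEEL CORP", 4_000_000, False),
    Instruction("PAY-004", datetime(2016, 2, 5, 9, 30), "op2", "ACME TRADING LTD", 500_000, True),
]

if __name__ == "__main__":
    for ref, reasons in screen(SAMPLE).items():
        print(ref, "->", "; ".join(reasons))
```

Each rule on its own is noisy; the value is in the combination, and in acting on it before the message leaves the bank rather than discovering it from a correspondent's query days later. A real deployment would feed the same checks from the message log of the SWIFT interface and page an on-call analyst rather than print.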
In the SWIFT […]

5. Strategies to prevent future attacks:

In this age of globalization, almost every business or organization of moderate to large footprint has an online presence. This helps it reach customers in every corner of the vast market, but the same presence makes it vulnerable to cyberattacks that can cause financial and sometimes non-financial damage: a loss of the company's value in the eyes of its existing customers, lost prospective customers, and damaged public relations. Sometimes the damage goes as far as bankrupting the victim institution. Such a serious threat requires measures to safeguard against and prevent such attacks, and investment of both time and capital in the technology that helps achieve this goal. The following strategies could be applied by the victim institution of this case study, Bangladesh Bank, to prevent any similar attack in the future.

● Control applications to prevent malware: Application control (allowlisting) can detect and prevent the execution of malware by restricting which programs are permitted to run and what permissions they have. Email servers can be configured to scan attachments and disable hyperlinks in email to prevent accidental execution. Unknown attachments, or hyperlinks pointing at lesser-known domains, can be tagged or reviewed by experts.

● Remove local admin rights and make credentials unique: Institutions sometimes create one local administrator account to handle all high-risk tasks, and that account is shared by the many employees who have to perform them. This invites credential leakage and paints a bullseye on the institution's back. The institution should therefore remove local admin rights from ordinary users and make the administrator credentials unique for every terminal.

● Secure, rotate and control access to privileged terminals: The institution should rotate the credentials of its secure terminals periodically. The period can be as short as a daily change. This limits the useful life of any leaked credential and frustrates a long-term intrusion like the one discussed in this study.

● Use multi-factor authentication: This technique is quite common today: a user who wants to log in to an account must also verify their identity through another channel, such as an email or SMS code (the weakest forms; a hardware token is preferable for operators of secure terminals). The same idea can be implemented with two keys, one held by the employee who wants to use a secure terminal and one held by the manager who oversees the tasks performed on it, so that no single person can release a payment alone.

● Segment networks and isolate remote access: The network segment to which the secure terminals are connected should be separated so that it cannot be reached from terminals in other segments. Furthermore, remote access to the secure terminals should be disabled so that they cannot be reached from outside the institution's network, or even from other internal segments.

● Monitor user and account activity to detect threats: The institution should monitor user and account activity so that an insider attack, or an attacker using stolen accounts, can be detected. The activity can be monitored with a number of higher-level tools. This provides a much-needed window in which to act fast and stop an unknown or unauthorized task in its tracks.

● Active intrusion detection: The institution also needs to invest in intrusion detection and prevention technologies. The institution's network can be monitored for any unusual activity that may amount to a cyberattack, so that it can be stopped before it causes irreversible damage.

● Building resiliency: The technology and expertise that help build a secure wall around the institution's network are also available to hackers, who can exploit them for their own ends. Cyberattack techniques are becoming more and more sophisticated with the passage of time. Nowadays cybersecurity professionals no longer ask "if we are hacked" but "when we are hacked". So the institution needs to build the protocols and processes it will follow in case of a cyberattack.

● Cybersecurity awareness: Besides investing in the technology and expertise required to build a cyber defence around the institution, it is also necessary to invest in awareness and training of all employees regarding cybersecurity do's and don'ts. No matter what state-of-the-art technology an institution has deployed, it can still fall like a house of cards after a single human error.

6. Conclusion:

The attackers attempted to take almost one billion dollars of taxpayer money from Bangladesh Bank, which is not a small amount for a developing country like Bangladesh. It is hard to determine whether it was a stroke of luck or a deliberate use of sanctioned companies' names to funnel the money out, but almost 90% of the amount was saved by being flagged at the New York bank and at Deutsche Bank. Another thing of note is that the malware was present in the bank's network for a long time, and the unknown hackers took their time to plan and strategize the perfect moment to strike. The SWIFT network is considered secure and is used by almost all financial institutions around the world, but here it was exploited to carry out the attack, an example of "a chain is only as strong as its weakest link". Investing in protective cybersecurity technology is important in this day and age, but investing in cybersecurity knowledge and processes and teaching them to the people is equally important, because no matter how advanced and state-of-the-art the technology is, it is still operated by human beings, who are prone to error.
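The "two keys" variant of multi-factor authentication proposed under "Use multi-factor authentication" in Section 5 is a dual-control (four-eyes) rule: a payment is released only when an operator and a manager have each approved the identical message with a key only they hold. The code below is an added example illustrating that rule; it is not the report's, SWIFT's or any bank's mechanism, and the role names, the per-person secrets, the message layout and the sample instruction are constructed for illustration. It also exercises what an intruder holding only stolen operator credentials, as in the heist, could try.

```python
"""Dual-control release of a payment instruction.

Added example: the roles, key handling and message layout are constructed
for illustration; this is not SWIFT's or any bank's actual mechanism.
"""
import hashlib
import hmac
import json
import os

# Constructed per-person secrets.  In practice each would live on that
# person's hardware token or in an HSM, never on the SWIFT terminal itself,
# so that a compromised terminal yields at most one of the two keys.
KEYS: dict[str, bytes] = {
    "operator:alice": os.urandom(32),
    "manager:bob": os.urandom(32),
}


def canonical(message: dict) -> bytes:
    """Stable byte encoding so both approvers sign exactly the same fields."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def approve(message: dict, who: str) -> str:
    """MAC over the canonical message under `who`'s personal key."""
    return hmac.new(KEYS[who], canonical(message), hashlib.sha256).hexdigest()


def release(message: dict, approvals: dict[str, str]) -> bool:
    """Permit release only if a valid operator approval AND a valid manager
    approval exist for this exact message, from two different people.
    Any invalid or forged tag rejects the whole request."""
    roles: set[str] = set()
    people: set[str] = set()
    for who, tag in approvals.items():
        if who not in KEYS:
            return False
        if not hmac.compare_digest(approve(message, who), tag):
            return False                       # wrong key or tampered message
        role, person = who.split(":", 1)
        roles.add(role)
        people.add(person)
    return {"operator", "manager"} <= roles and len(people) >= 2


# Constructed instruction resembling the one that was caught by its payee name.
PAYMENT = {"ref": "PAY-002", "beneficiary": "UNKNOWN FOUNDATION", "amount_usd": 20_000_000}


def scenarios() -> dict[str, bool]:
    """Exercise the rule against the ways an intruder with stolen operator
    credentials (as in the heist) could try to push a payment through."""
    op_tag = approve(PAYMENT, "operator:alice")
    mgr_tag = approve(PAYMENT, "manager:bob")
    # An attacker holding only alice's key tries to mint bob's approval.
    forged_mgr_tag = hmac.new(KEYS["operator:alice"], canonical(PAYMENT), hashlib.sha256).hexdigest()
    # The amount is altered after both people approved.
    tampered = dict(PAYMENT, amount_usd=81_000_000)
    return {
        "both_roles_approve": release(PAYMENT, {"operator:alice": op_tag, "manager:bob": mgr_tag}),
        "operator_alone": release(PAYMENT, {"operator:alice": op_tag}),
        "forged_manager_tag": release(PAYMENT, {"operator:alice": op_tag, "manager:bob": forged_mgr_tag}),
        "altered_after_approval": release(tampered, {"operator:alice": op_tag, "manager:bob": mgr_tag}),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'released' if ok else 'blocked'}")
```

The point of the design is that capturing SWIFT operator credentials from the terminal, which is what the monitoring malware did, is no longer sufficient: the manager's key never touches that machine, and because both MACs cover the canonical message, an approved payment cannot have its amount or beneficiary changed afterwards.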