Half successful and half failed: The $1 billion cyber hacking attempt on Bangladesh Bank
An anti-money laundering law that did not cover casinos. A weekend and a holiday in the targeted banks in at least three countries. A Swift system that worked. And human slip-ups that rang alarm bells but also consummated the biggest documented cyber heist and money laundering in the Philippines.
It is now being regarded as the world’s biggest attempted cyber heist on a single financial institution. An attempt to hack $1 billion from Bangladesh Bank’s account at the Federal Reserve Bank of New York was blocked, but not before $81 million had made its way to a bank in the Philippines, the Rizal Commercial Banking Corporation (RCBC), and around $20 million was on its way to a bogus nongovernment organisation (NGO) in Sri Lanka called Shalika Foundation. The Sri Lanka transaction was foiled after correspondent bank Deutsche Bank returned the payment order to Bangladesh Bank to correct the misspelling “Fandation” in the NGO’s name.
The fallout has been immediate: The Bangladesh Bank governor has resigned upon pressure by the finance minister, while a trader linked to the fraudulent transactions has fled the Philippines.
How could hackers obtain the credentials of no less than a central bank, go through the entire clearing process with the biggest banks in the United States and through the Swift system, and move $81 million offshore, with a further $20 million stopped only by a spelling error?
Malware is being pointed to as the culprit, but common sense in a few areas might have prevented the heist.
Bogus development projects
According to the Philippine Daily Inquirer, which exposed the money laundering scheme, a $25-million transaction was supposedly ordered by Bangladesh Bank on behalf of the government’s Kanchur, Meghna and Gumti 2nd Bridges Construction project. The amount was remitted to the account of one Teodoro Vasquez purportedly for the payment of a “loan” from Japan International Cooperation Agency (JICA).
A payment for $30 million to Jessie Christopher Lagrosas, an IT professional, likewise under a JICA “loan,” was supposedly ordered on behalf of Dhaka Mass Rapid Transport Development Project.
A $6-million payment order on behalf of an IPFF project cell was supposedly to pay for Michael Francisco Cruz’s consultancy fees. Another payment worth $19 million was supposedly from Bheramara Combined Cycle Power Plan Development Project with Alfred Santos Vergara as beneficiary, citing “engineering consulting fees.”
It was later to be noted by a court as the Philippine government subsequently stepped in to investigate, that Vasquez, Lagrosas, Cruz, and Vergara had “no known source of income that could justify the several huge financial transactions.”
Perfect timing was the key
The account that was hacked was an account for international payments. Were these programmed payments that Bangladesh Bank had previously alerted the New York Fed to? Did the New York Fed also verify the nature of the accounts by actually calling the depository bank, RCBC?
Bangladesh has foreign currency reserves of $28 billion, nearly a third of which is held in liquid form in bank accounts at the New York Fed and the Bank of England, according to Bangladesh Bank officials. A withdrawal of $1 billion would have been suspicious for any custodian bank, and should have prompted at least a simple confirmation phone call or email. Even credit card issuers call you within 15 minutes if you suddenly make a very large purchase, such as an online ticket purchase. And even if the custodian bank does not guard its fiduciary role jealously, it should at least have cared that such a withdrawal would create a significant change in its own daily cash position.
Yet, the Wall Street Journal reports, the New York Fed in a statement said, “there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised. The payment instructions in question were fully authenticated by the Swift messaging system in accordance with standard authentication protocols.”
Essentially, the statement put the blame for the breach squarely on the client victim, Bangladesh Bank. And this is where the second dose of common sense could have arrested this heist: both Bangladesh Bank and the Federal Reserve Bank of New York kept the alleged hacking under wraps, until a newspaper in the Philippines exposed a money laundering case that the central bank was investigating.
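The Fed’s statement is worth reading precisely: “fully authenticated” means the instruction carried the right credentials, not that the right person sent it. The following is an added example, not Swift’s protocol or any bank’s code. It models the sender’s messaging credentials as a single shared HMAC key (a simplification of Swift’s real authentication, and an assumption of this example) and adds a hypothetical out-of-band confirmation under a second, independently held key, standing in for the confirmation phone call the paragraphs above argue for. All keys, names and amounts are constructed.

```python
"""Why 'fully authenticated by the messaging system' is compatible with fraud.
Added example, not Swift's protocol or any bank's code. Assumption: the
sender's messaging credentials are modelled as one shared HMAC key; a second,
independently held key models an out-of-band confirmation (the phone call)."""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed keys. In the model the first lives on the sender's messaging
# terminal and is exactly what an intruder on that terminal can steal.
MESSAGING_KEY = b"sender-messaging-key (constructed)"
CALLBACK_KEY = b"confirmation-desk-key (constructed)"
CONFIRMATION_THRESHOLD = 10_000_000  # assumption: second channel above this amount


def canonical(instruction: dict) -> bytes:
    """Deterministic encoding so both sides tag exactly the same bytes."""
    return json.dumps(instruction, sort_keys=True, separators=(",", ":")).encode()


def authenticate(key: bytes, instruction: dict) -> bytes:
    """Sender side: tag the instruction with the messaging key."""
    return hmac.new(key, canonical(instruction), hashlib.sha256).digest()


def verify(key: bytes, instruction: dict, tag: bytes) -> bool:
    """Receiver side. All this proves is that whoever built the tag held the key."""
    return hmac.compare_digest(authenticate(key, instruction), tag)


def confirmation_code(instruction: dict) -> bytes:
    """Produced by a person or system holding CALLBACK_KEY, never by the terminal."""
    return hmac.new(CALLBACK_KEY, b"confirm:" + canonical(instruction), hashlib.sha256).digest()


def release_decision(instruction: dict, tag: bytes, confirmation: bytes | None = None) -> str:
    """What a custodian could do beyond message authentication: hold large
    instructions until a confirmation over a separate channel arrives."""
    if not verify(MESSAGING_KEY, instruction, tag):
        return "rejected: authentication failed"
    if instruction["amount"] >= CONFIRMATION_THRESHOLD:
        if confirmation is None or not hmac.compare_digest(confirmation_code(instruction), confirmation):
            return "held: awaiting out-of-band confirmation"
    return "released"


# Constructed instructions.
GENUINE = {"sender": "BB", "receiver": "FRBNY", "amount": 5_000_000, "beneficiary": "routine counterparty"}
# An intruder on the sender's terminal uses the same key; the tag is indistinguishable.
FRAUDULENT = {"sender": "BB", "receiver": "FRBNY", "amount": 30_000_000, "beneficiary": "J. C. Lagrosas"}


def demo() -> dict:
    genuine_tag = authenticate(MESSAGING_KEY, GENUINE)
    fraud_tag = authenticate(MESSAGING_KEY, FRAUDULENT)  # stolen key, perfectly valid tag
    return {
        "fraud_verifies": verify(MESSAGING_KEY, FRAUDULENT, fraud_tag),
        "genuine": release_decision(GENUINE, genuine_tag),
        "fraud_no_callback": release_decision(FRAUDULENT, fraud_tag),
        "fraud_with_callback": release_decision(FRAUDULENT, fraud_tag, confirmation_code(FRAUDULENT)),
        "tampered": release_decision({**FRAUDULENT, "amount": 31_000_000}, fraud_tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The fraudulent instruction verifies exactly as the genuine one does, which is all the Fed’s statement says. The tampered variant shows what message authentication does catch (modification in transit); it says nothing about who was sitting at the sender’s terminal. The second key only helps if it really is held somewhere the intruder is not, which is why a phone call to a known number is the usual form.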
The fraudulent transfer was executed on February 5, a Friday and a nonworking day in Bangladesh, and ran into the weekend in the US; on a regular banking day, personal verification would have been possible. Bangladesh Bank only alerted its counterpart, the Bangko Sentral ng Pilipinas, to the missing funds on February 16, when it requested help to recover the fraudulent payments made through local bank RCBC. In the interim, Bangladesh Bank had been frantically ordering RCBC to stop payment since February 8, a Philippine holiday, yet the money had already been withdrawn starting February 5 and was moving through Philippine casinos until February 13, being converted into chips and then back into cash, before finally leaving Philippine territory for a Hong Kong account (see Box for the timeline of the money laundering).
And this is where the third area of common sense failed. On February 5, RCBC bloated then deflated its cash position in 24 hours, and yet did not report the massive movement of currency to the Philippines’ Anti-Money Laundering Council (AMLC) based in the Bangko Sentral.
A second inward transfer of $870 million would have been credited the same way had RCBC not received a Swift message from Bangladesh Bank instructing it to stop all payments, as they were allegedly from a hacked account, which turned out to be that of the central bank of one of the poorest countries in the world.
In the center of this maelstrom is a lone female Philippine branch manager in arguably one of RCBC’s richest branches. The branch manager is so low down the food chain, she claims, that she is not authorised to credit such amounts to clients’ accounts. Curiously, all CCTV cameras in the branch were found to be not working on the day of the massive withdrawals, on top of the belated discovery that all identification documents presented when the accounts were opened almost a year earlier were fake.
The Philippines is not new to the casino industry and has made no secret of its desire to rival Singapore and eventually Macau as Asia’s gambling haven. An elevated highway is being constructed near the country’s major airport that leads to Entertainment City, the 8 square kilometer property devoted to present and future casinos—the Philippines’ Las Vegas Strip, if you will. The elevated highway will spare casino high rollers from having to tackle Manila’s infamous traffic, as it leads directly from the airport doors to the casino doorsteps.
Most importantly, Manila’s gambling industry lies outside the coverage of the country’s Anti-Money Laundering Act. When the Act was amended in 2013, Philippine senators shot down the provision that would have covered the gaming industry. As the Philippines readies for its national elections in May, former senator Panfilo Lacson, one of the law’s authors who is running for reelection, is vowing to strengthen the Act so that it is fully compliant with the standards of the Financial Action Task Force.
The Philippine casino industry once claimed it was unhurt by China’s clampdown on government officials heading off to casino havens with ill-gotten wealth from government coffers, because, the industry said, it is largely local players who support the gaming industry. Illegal gambling busts in the country have largely involved operators running online betting without the requisite licenses from the Philippine Amusement and Gaming Corporation. Of late there was big news involving Chinese nationals caught with foreign ATM cards that were swiped in Philippine casinos to clean dirty money. Filipinos who lose money held in banks lose it to ATM skimming, or to hackers who access their accounts online. There has been no case so far of the Philippine banking industry appearing to have laundered the proceeds of hacking. There is a very real possibility the amounts were suspected of being dirty money, but not of being the proceeds of hacking central bank reserves in a country whose per capita gross domestic product is lower than the Philippines’.
A report from Reuters says FireEye Inc.’s Mandiant forensics division is helping investigate the cyber heist, and investigators now suspect that malware could have been installed several weeks before the incident, allowing the hackers to learn how to withdraw the money. Bangladesh Bank officials described the attack as sophisticated, citing the use of a “zero day” and referring to an “advanced persistent threat.”
A zero day is a software vulnerability that the vendor does not yet know about and for which no patch exists, so affected systems cannot yet be fixed; attackers exploit it to get malware onto the target computer. An advanced persistent threat is a sustained intrusion in which well-resourced attackers stay inside the target network covertly for months, and sometimes years, observing its processes before acting.
As reported in Philippine media, the four accounts into which the $81 million was deposited were opened almost a year earlier and saw no activity until February 4, when they were credited with the $81 million in total.
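The checks that straight-through processing skipped at RCBC, and that the custodian could have applied in New York, are few and mechanical. The following added example (not RCBC’s, the Fed’s or any vendor’s logic) encodes them as screening rules and runs them over constructed records built from the figures in this article and its timeline: the dormant-account, balance-ratio and same-day-outflow rules belong to the beneficiary bank, the daily-outflow rule to the custodian, and the beneficiary-name check is the kind of comparison that caught the “Fandation” payment. Thresholds, the Shalika account details and the rule set itself are illustrative assumptions.

```python
"""Transaction-screening rules of the kind that would have pulled these
payments out of straight-through processing. Added example; thresholds,
account records and the screening logic are illustrative assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 180                     # assumption: 6 months without activity = dormant
CREDIT_TO_BALANCE_RATIO = 1000         # assumption: a credit >= 1000x balance is out of pattern
SAME_DAY_OUTFLOW_SHARE = 0.5           # assumption: more than half withdrawn the same day
CUSTODIAN_DAILY_OUTFLOW_SHARE = 0.05   # assumption: >5% of liquid reserves ordered out in a day


@dataclass
class Account:
    holder: str
    opened: date
    balance: float
    last_activity: date


@dataclass
class Credit:
    day: date
    amount: float
    beneficiary_name: str        # name on the incoming payment instruction
    account: Account             # account the bank is about to credit
    same_day_debit: float = 0.0  # amount withdrawn from the credit the same day


def normalise(name: str) -> str:
    """Case- and whitespace-insensitive comparison; spelling differences still count."""
    return " ".join(name.casefold().split())


def screen_credit(c: Credit) -> list[str]:
    """Return the reasons a credit should leave STP for manual review.
    An empty list means none of the rules fired."""
    flags = []
    if (c.day - c.account.last_activity).days >= DORMANT_DAYS:
        flags.append("dormant account")
    if c.amount >= CREDIT_TO_BALANCE_RATIO * max(c.account.balance, 1.0):
        flags.append("credit far exceeds balance history")
    if normalise(c.beneficiary_name) != normalise(c.account.holder):
        flags.append("beneficiary name mismatch")
    if c.same_day_debit >= SAME_DAY_OUTFLOW_SHARE * c.amount:
        flags.append("same-day outflow")
    return flags


def custodian_outflow_suspicious(liquid_balance: float, ordered_out_today: float) -> bool:
    """Custodian-side check: one day's ordered outflow as a share of the client's
    liquid balance, the 'change in its own daily cash position' discussed above."""
    return ordered_out_today / liquid_balance > CUSTODIAN_DAILY_OUTFLOW_SHARE


# Constructed records using the figures in the article and its timeline.
LAGROSAS = Account("Jessie Christopher Lagrosas", date(2015, 5, 15), 500.0, date(2015, 5, 15))
LAGROSAS_CREDIT = Credit(date(2016, 2, 4), 30_000_000.0, "Jessie Christopher Lagrosas",
                         LAGROSAS, same_day_debit=22_730_000.0)

# Constructed: the Sri Lanka beneficiary. Everything but the names is invented.
SHALIKA = Account("Shalika Foundation", date(2015, 6, 1), 1_000.0, date(2016, 1, 20))
SHALIKA_CREDIT = Credit(date(2016, 2, 4), 20_000_000.0, "Shalika Fandation", SHALIKA)

# Custodian view: roughly a third of $28 billion held liquid, $1 billion ordered out.
BB_LIQUID_RESERVES = 28_000_000_000 / 3
ORDERED_OUT = 1_000_000_000


if __name__ == "__main__":
    print("Lagrosas credit:", screen_credit(LAGROSAS_CREDIT))
    print("Shalika credit:", screen_credit(SHALIKA_CREDIT))
    print("Custodian day suspicious:", custodian_outflow_suspicious(BB_LIQUID_RESERVES, ORDERED_OUT))
```

Three of the four beneficiary-side rules fire on the Lagrosas record, any one of which should have been enough to take the credit out of automatic processing; the custodian rule fires on the $1 billion day with a wide margin. None of these rules needs malware analysis or knowledge of the attacker; they need only the bank’s own records, which is the sense in which the article calls them common sense.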
The Philippine Senate started an inquiry on 15 March and has called the president and bank manager of RCBC, as well as the presidents of Philippine National Bank, BDO Unibank, and East West Banking Corp. These banks are other depository banks of the RCBC account holders.
Strengthening the weakest links
Perhaps this fraudulent transaction succeeded because the Philippine financial industry is at such a nascent stage of evolution in cybersecurity. In fact, the first cybersecurity summit for the financial services industry in the Philippines was held only in November 2015, sponsored by the Bangko Sentral.
The Bangko Sentral governor himself notes that cybersecurity is not a technical issue.
“Cybersecurity is not achieved merely by deploying state-of-the-art security appliances and devices,” says Governor Amando Tetangco, Jr. “More than a technical issue, cybersecurity should be a top priority concern by the Board and senior management. Cybersecurity initiatives and investments must be supported at the highest level of management to ensure their sustainability and adoption across all processes within organizations. It is the ‘tone at the top’ that defines an institution’s cybersecurity culture.”
Perhaps it is easy to assume that big banks will be fortresses of security. The Bangladesh Bank account was kept in the United States’ financial capital. The multiple transactions were cleared by correspondent banks that are some of the biggest in the world, namely, Citibank, The Bank of New York Mellon, and Wells Fargo Bank. The transactions passed through what is regarded as a fail-safe Swift payment system.
Or perhaps, it is just a simple case of negligent branch banking. Swift is a superstructure but KYC is the flesh, the meat, the blood. This particular occasion was a wrong application of the know-your-customer rule, as one branch cleared the friend of a friend of a friend.
Relationships based on trust, called guanxi in Chinese, are important in business. But that is not the translation of “know your customer.” In any language, a customer is a customer. And banking is all about keeping the trust: earning it and keeping it, not flagrantly giving it away. The Philippine Senate is delving into this intricate web of cross-border cyberfraud, money laundering, and banking compliance, inviting Governor Tetangco, who is also chairman of the Anti-Money Laundering Council; the chair of the Securities and Exchange Commission; the Insurance Commission head; the executive director of the AMLC secretariat; and the CEO of the Philippine Amusement and Gaming Corporation to the probe. The Senate has also called the presidents of the three casinos in question, as well as the president of Philrem Service Corp., the remittance agency used in the scam. Lastly, all six bank account holders have been summoned.
But as legislators probe compliance and complicity, they will also need to take a long, hard look at why, in those very chambers, politics seems to have favored laws that place a certain industry so prone to abuse, beyond the pale of the law.
Box: Timeline of the $81 million cyber bank heist and laundering

May 15, 2015: Enrico Teodoro Vasquez, Alfred Santos Vergara, Michael Francisco Cruz, and Jessie Christopher Lagrosas open US dollar bank accounts in RCBC with an initial deposit of $500 each. The accounts were untouched until Feb. 4, 2016.

Feb. 4, 2016: Some $81 million from the account of Bangladesh Bank (BB), the central bank of Bangladesh, at the Federal Reserve Bank of New York was ordered transferred to four bank accounts in RCBC: $30 million to Lagrosas, $19.99 million to Vergara, $25 million to Vasquez, and $6 million to Cruz. The amounts were credited to the accounts via straight-through processing after the transactions passed internal validation criteria. On the same day, Lagrosas withdrew $22.73 million and deposited it in the US dollar account of William Go, doing business as Centurytex Trading, which was opened only that day.

Feb. 5–13: Remittance company Philrem converted the funds into pesos and remitted them in various tranches to the bank accounts of Chinese national Weikang Xu, Eastern Hawaii Leisure Co. and Bloomberry Hotels Inc. (Solaire Resorts).

Feb. 8 (Chinese New Year, a nonworking holiday in the Philippines): BB requested RCBC to stop payment and refund the funds and, if the funds had already been transferred, to “freeze or put the funds on hold,” noting that the payment order was fraudulent.

Feb. 9: RCBC received a Swift message from BB requesting it to stop payment and freeze the accounts for proper investigation. However, withdrawals from the accounts totaling $58.15 million had already been processed by the Jupiter Street branch of RCBC. Some $15.2 million was deposited in the account of Philrem, $42.93 million in Go’s dollar account and another $20 million in Philrem.

Feb. 16: BB Governor Atiur Rahman sought the assistance of his Philippine counterpart, Governor Amando Tetangco Jr. of the Bangko Sentral ng Pilipinas, regarding the loss of $81 million from the BB account with the Federal Reserve Bank of New York. BB said the Feb. 4 Swift payment instructions issued in favor of RCBC were “fraudulent.”

Feb. 19: The Anti-Money Laundering Council (AMLC) starts a probe of bank accounts relating to Weikang Xu (believed to be a junket operator), Eastern Hawaii Leisure Co. and Solaire Resorts.

Feb. 29: Inquirer business reporter Daxim Lucas reported that financial regulators were investigating a money-laundering scheme that brought to the country an estimated $100 million stolen by computer hackers from Bangladesh.

March 1: The Court of Appeals, acting on an urgent petition from the AMLC, ordered four banks (RCBC, East West Bank, Banco de Oro, and Philippine National Bank) to freeze for six months the bank accounts of Michael Francisco Cruz, Jessie Christopher Lagrosas, Alfred Santos Vergara, Enrico Teodoro Vasquez, William So Go, Centurytex Trading, Kam Sin Wong (aka Kim Wong), and all related accounts.
Source: Philippine Daily Inquirer. 2016. “Timeline: $81-million money laundering.” http://newsinfo.inquirer.net/772258/timeline-81-m-money-laundering
Keywords: Money Laundering, SWIFT, RCBC, Bangladesh Bank, Federal Reserve Bank Of New York, Citibank, Wells Fargo Bank, Deutsche Bank, Bank Of New York Mellon, Cyber Threat, Cybersecurity, Bangko Sentral Ng Pilipinas, Hacking, Malware, Zero Day, Advanced Persistent Threat, Anti-money Laundering