DHAKA (Reuters) - A top investigator into the electronic theft of $81 million from the Bangladesh central bank is turning his attention to some IT technicians from the bank whom he suspects hooked up its transactions system to the public Internet, giving hackers access.
In a series of interviews this month, Mohammad Shah Alam, a Bangladesh police deputy inspector general who is heading investigations in Dhaka, went into some detail about how insiders at Bangladesh Bank may have helped in the execution of one of the world’s biggest cyber-heists last February.
For instance, Alam said he was focusing on why a password token protecting the SWIFT international transactions network at Bangladesh Bank was left inserted in the SWIFT server for months leading up to the heist. It is supposed to be removed and locked in a secure vault after business hours each day.
The failure to remove the token allowed hackers to enter the system when it was not being monitored, first to infect it with malware and then to issue fake transfer orders, he said.
Alam’s comments follow months of assertions by Bangladesh authorities that central bank officials were guilty of nothing more than negligence in the heist, in which hackers moved money out of the bank’s account at the Federal Reserve Bank of New York and sent it to individual accounts in the Philippines.
Reuters could not independently confirm Alam’s claims. He declined to name any of the suspects.
No one has been arrested and Alam did not provide any further evidence to back up his assertions.
Bangladesh Bank spokesman Subhankar Saha declined comment on the investigation. He said the bank has not been told of any plans to detain any of its employees.
The U.S. Federal Bureau of Investigation, among the agencies involved, had no comment on Alam’s claims. Interpol was not available for comment.
A spokeswoman for SWIFT declined to comment.
Nearly 11 months since the audacious robbery that undermined confidence in the global SWIFT transactions system and sent tremors through the global financial community, there is no sign if any of the half-a-dozen investigating agencies involved are close to cracking the case.
No suspects in the Bangladesh central bank had been arrested, Alam said, because investigations were incomplete. They were under watch and their movements monitored, but he was awaiting “specific information” on any communications they may have had with the hackers or with those who received the funds.
Help has been sought from police in the Philippines, Japan, Sri Lanka and China, countries where the hackers are believed to have links, he said.
Bangladesh police had previously blamed a group of contractors hired by the SWIFT transactions network for making its computer system vulnerable, a charge denied by the Belgium-based cooperative. Alam said the investigation had instead shown that central bank IT technicians were most likely to have provided the inside help. Asked if he had any proof, he said: “There were a number of other things, which if the Bangladesh Bank people had not done, the hacking would not have been possible.”
Alam said he believed the IT technicians connected the Bangladesh central bank’s SWIFT network to the public Internet last year while linking the network to the bank’s domestic payments system, the Real Time Gross Settlement System (RTGS). SWIFT is used only for international transactions.
Linking it to the Internet made the highly secure network accessible from any outside computer.
The work on linking SWIFT to the RTGS was supervised by SWIFT contractors but carried out by Bangladesh Bank technicians, Alam and a bank official said.
It was not known who was responsible for leaving the token that was supposed to protect the SWIFT system inserted in the server, Alam added.
At least half-a-dozen bank officials shared responsibility for safekeeping of the token, he said. Once in the system, the hackers introduced six types of malware which captured keystrokes and screenshots and also delayed detection of fraudulent transactions, according to a report by Fireye Inc’s Mandiant forensics division, which investigated the heist. Parts of the report were seen by Reuters for the first time this month.
The malware was customised for Bangladesh Bank’s systems, Alam said, adding someone must have provided the hackers with technical details about the central bank’s computer network. On the evening of Feb 4, the hackers initiated fake transfer orders which sought to move nearly $1 billion from Bangladesh Bank’s account at the New York Fed, mostly to accounts at the Philippines-based Rizal Commercial Banking Corp (RCBC). They needed two types of passwords to carry out the transactions - the hardware token and additional credentials used by bank officials. These password credentials were either given to them by someone or were captured from previous transactions by the malware that logged keystrokes, Alam said.
Many of the transfer orders initiated by the hackers were blocked or reversed by intermediary banks, but $81 million made it to accounts in fake names at RCBC. Most of the funds then disappeared into Manila’s loosely regulated casino industry and have not been tracked down since.
The Philippines’ Anti-Money Laundering Council has accused seven bank officials of money-laundering in a complaint filed at the country’s Justice Department.
The council has also filed complaints of money-laundering against Kim Wong, a long-time RCBC client and a casino owner and agent in Manila, an associate of his and the owners of a remittance agency. No links with the heist have been proven and no one has been arrested.
Additional reporting by Serajul Quadir in Dhaka, Karen Lema in Manila, Tom Bergin in London, Mark Hosenball in Washington; Editing by Raju Gopalakrishnan