Technicians from the global payment network SWIFT left Bangladesh’s Central Bank vulnerable to an attack that saw attackers steal $81 million, according to Bangladeshi police and bank officials speaking to Reuters.
In February, unknown hackers broke into the Bangladesh Bank and almost got away with just shy of $1 billion. In the event, their fraudulent transactions were cancelled after they managed to transfer $81 million when a typo raised concerns about one of the transactions. That money is still unrecovered. In April, we learned that preliminary investigations had revealed the use of cheap networking and a lack of firewalls, both contributing to the attack.
The new report sheds further light on the incident. The SWIFT organization is owned by 3,000 financial companies and operates a network for sending financial transactions between financial institutions. Technicians from the organization worked at the central bank last year when they were connecting the Bangladesh’s real-time gross settlement (RTGS) system to the SWIFT network. Mohammad Shah Alam, leading the probe for the Bangladesh police, told Reuters that the technicians doing this work left “a lot of loopholes” that were not subsequently addressed.
Bank officials speaking anonymously said that contrary to SWIFT’s own policies, the SWIFT system was connected to the bank’s main network, and hence to the Internet at large. Instead of using firewalls and/or VLANs to segment networks and restrict access, the technicians instead used a dumb unmanaged switch that they found unused at the bank, police said. This lack of separation left the SWIFT system much more exposed to hackers than it might otherwise have been.