It was almost a devastatingly effective cyber-heist. Hackers compromised the Kathmandu-based NIC Asia Bank this fall, fraudulently transferring $4.4 million to destinations in at least six other countries, according to local media reports. All but $580,000 of the funds were recovered by mid-November, after Nepal asked the destination countries to block the transfer.
It’s the latest example of a series of heists in which cyber criminals exploit a variety of weaknesses focused on specific banks’ access to the SWIFT global interbank messaging service, which is used to direct transfer of money among financial institutions.
The most notorious of this series occurred in early February 2016 at the Bangladesh Central Bank, when attackers compromised multiple systems of the bank and sent a number of payment instructions over its interface with the SWIFT network.
These instructions totaled $951 million, of which $101 million was processed by the Federal Reserve Bank of New York. Of that $101 million, the fraudsters were able to successfully launder $81 million of the money largely through casinos in the Philippines, while $20 million of the purloined funds was recovered after it was diverted to Sri Lanka. The $81 million is still unrecovered, less than 10% of the original objective but still making it one of the largest bank heists in history.
The size of its payouts isn’t the only thing that distinguishes this heist scheme as different from ordinary cybercrime. This scheme has targeted banks from East Asia to South America, but the scheme features a number of elements combined in novel ways, and at scale:
- The attackers exploited seams between cyber controls, anti-money laundering (AML) controls, anti-fraud measures and weaknesses in monitoring for insider threats, for example, exploiting anti-fraud measures not tailored to this kind of cyber threat;
- The attackers demonstrated detailed knowledge of how each specific bank interacts with funds transfer systems;
- The attackers used malware tailored for the specific environment (and thus not likely to be detected by broad-release anti-malware systems);
- The attackers gained persistent access not just to the funds transfer systems themselves, but to detection and response mechanisms, enabling the attackers to subvert those systems specifically designed to counter them;
- Despite the global nature of this scheme, the attackers took advantage of details in such a way that indicates insider knowledge of each targeted bank.
This scheme reflects three trends in cybercrime that should concern both financial institutions and policymakers alike. First, the factors described above combined to create a formidable threat targeting entire business processes instead of individual systems connected to the Internet.
Moreover, the business processes that were exploited criss-crossed over cybersecurity, AML, anti-fraud and insider threat controls, taking advantage of the fact that in many institutions, those security systems are “siloed” and not well integrated. Traditional approaches to security controls, which focus on one process, threat, or set of vulnerabilities, are not effective against threats that see the whole environment and spot how weakness in one area can allow access to others.
Second, this scheme reflects a movement toward thieves targeting institutional money-movement systems, going beyond consumer systems. To be sure, thieves are not likely to abandon relatively low-risk, easy, but low-payout schemes such as individual identity theft and consumer credit card fraud. However, an emerging trend is to target mechanisms by which large institutions move several billions, even trillions of dollars – access to the SWIFT system is one such example.
Others include SWIFT’s counterparts, corporate and institutional lines of credit, clearinghouses and other financial market utilities, and corporate fraud by inducing businesses to unwittingly transfer corporate funds to thieves’ accounts (e.g., fraudulent emails from legitimate corporate channels, co-opted by the thieves, ordering the transfer). The result is less frequent, but far larger heists with more dramatic business impact, media attention, and regulatory and shareholder scrutiny. The Bangladesh Bank scheme sought to steal $1 billion in a single heist, a dramatic objective by any measure.
Third, this scheme reflected a change in the nature of thieves: nation-states getting into areas formerly the province of “traditional” cyber criminals. Iran’s 2012-2013 distributed denial of service (DDOS) attacks on Wall Street banks (and South Korean banks seeing similar attacks by North Korea during the same period) indicated that nation-states will use attacks on the financial system as instruments of foreign policy. However, many attribute the Bangladesh Bank heist to North Korea.
Former NSA Deputy Director (and Cipher Brief Cyber Advisory Board member) Rick Ledgett remarked in March 2017 that “nation-states are robbing banks, and they’re doing it with computers.” This makes sense in that such heists are relatively low-risk ways for pariah states like North Korea to raise desperately-needed hard currency.
Conversely, “traditional” cyber criminals are gaining increasing access to tools traditionally the province of nation-states. Writing on behalf of the SWIFT Institute, William Carter noted this growing overlap, or even blurring of lines, between nation-states and cybercriminals, as a key driver of organized criminal groups adopting nation-state tools and tactics. Carter describes some governments’ cyber units allowing criminals to “monetize their capabilities and infrastructure,” while in other governments, cybercriminals are getting directly involved in national politics.
This trend places extremely risky tools, motivations, and opportunities into the hands of a wider, more potent range of hostile nation-states and cybercriminals alike – including hacktivists.
These trends combine in worrying ways to introduce qualitatively and quantitatively different levels of systemic risk into global financial services, especially with nation-states getting into the act. Already regulators are concerned about new vectors of risk with increasing automation in the financial services sector.
The U.S. Treasury Department released an October 2017 report calling for greater regulation of financial market utilities, agencies that process the transfer, payments or settlements of financial transactions. These utilities are central to the smooth functioning of the global financial system, and trust and transparency are central to the smooth functioning of these utilities. U.S. National Economic Council Gary Cohn echoed the concerns of the Treasury report, stating he sees a “major risk” evolving in clearing houses, given the volume, values, and concentration of transactions they handle, the risk inherent in that concentration, and their interconnectedness to the global financial system.
The effect on the financial system would be unprecedented and devastating if financial market utilities were suddenly to lose the trust of participants through opacity into risk aggregation and consequent inadvertent failure, let alone a nation-state or hacktivist group intentionally targeting financial systems for political purposes.
Massive institutional theft or politically motivated attacks on integrity have the potential to create significant instability that could cascade throughout the global financial system. As Carter notes, geopolitical conditions are ripe for massively disruptive attacks on the global financial system. As nationalist politics and tensions rise, the diplomatic environment becomes more confrontational, historical reconciliation and globalization efforts collapse, distinctions further blur between state hacking groups and organized crime, and nation-states and hacktivists have more to gain from perpetrating systemic disruption.
There are opportunities for both financial institutions and governments to confront the risks posed by these trends. Financial institutions will need to close gaps horizontally and vertically. Horizontally, attackers exploit seams among cyber, AML, and anti-fraud controls. Banks need to close these gaps by seeing these threats from a more integrated financial crimes lens, and consolidate siloed security practices and capabilities, managing these threats as business risks.
Vertically, large financial institutions will need to extend assistance to smaller, less sophisticated members of the global financial community. As Carter notes, smaller financial institutions serve as entry points for criminals into the global system. Larger financial institutions will need to take on the responsibility for strengthening weaker banks to shore up the broader global financial system.
Governments will need to extend a hand to large global financial institutions, to ameliorate or knock down regulatory barriers, such as the uneven global patchwork of privacy regulations, that inhibit larger institutions from helping smaller cross-border institutions. Governments also have an opportunity to foster international norms, that will at least have a potential effect on the behavior of other governments.
Until very recently, U.S. diplomatic efforts focused on the application of international law and the development of norms, or rules of the road, for cyberspace. A group of government experts at the UN endorsed the norm that states should not interference with critical infrastructure during peacetime. Definitions of critical infrastructure differ by states however, and it may be in the U.S. interest to commit explicitly not to undermine or manipulate the integrity of financial data or systems in peacetime or war, as Tim Maurer, Areil Levite, and George Perkovich have recently argued, writing for the Carnegie Endowment.
Financial services have benefitted immensely from globalization. Cyber risk, or the potential harm that can come from financial services connected to the internet, has been an undesirable consequence. The global financial system functions on equal measures of trust, security, and privacy. On the other hand, the internet was built on trust, not security or privacy, and some parts of cyberspace are harmful to all three.
The opinions and positions expressed herein are solely his, and do not reflect the policies or positions of PricewaterhouseCoopers, its clients, or any other of Neal’s present or past affiliations.