The Bangladesh Bank in Dhaka. (Photo: Bangladesh Bank-The Central Bank of Bangladesh Facebook page)

Perpetrators of $81-M heist may never be found—expert

An expert on cybercrime has expressed fears the criminals behind the $81-million cyberheist of the Bangladesh Bank may never be found, as the US government, through its Congress, started its own probe into the daring theft from the Federal Reserve in New York.

Sean Kanuck, the most senior official in charge of cyber security at the Office of the Director of National Intelligence, said there had been no official determination on who committed the cyber heist, one of the biggest ever.

“They may never be able to make one,” Kanuck said on the sidelines of the annual Shangri-La Dialogue, Asia’s premier security forum, held at the weekend in Singapore.

A US congressional committee has initiated a probe on how hackers managed to divert $81 million from Bangladesh Bank’s accounts at the Federal Reserve in New York to banks in the Philippines and in Sri Lanka in an attempt to launder the stolen money.

The February theft led to the resignation of the Bangladesh central bank’s chairman, and added to worries about the security of online bank data.

In a letter to the president of the Federal Reserve in New York, the Science Committee in the US House of Representatives asked for “all documents and communications” about the cyberattack and the security of the Fed’s SWIFT Alliance Access money transfer system.

In the attack, the hackers tried to steal a total of $1 billion through 35 international money transfer orders, 30 of which were stopped.

The Bangladesh Bank later recovered some money from a Sri Lankan bank and from a Chinese casino junket operator based in the Philippines.

“Weaknesses existed within the computer network of the Bangladesh Bank and based on research done by a third party, cyber criminals were able to exploit these vulnerabilities,” says the letter, posted on the committee’s website.

“Then, the cyber criminals covered their tracks using malware” that was able to manipulate money transfer request records and the account balances shown in logs, and to intercept messages verifying transfer orders.

Kanuck said he had some knowledge of the case but was not directly involved in the probe. Investigations of the heist are being coordinated by the US Federal Bureau of Investigation.

The authorities in Bangladesh, the Philippines and some other countries are also carrying out inquiries.

One fraudulent transfer to a Sri Lankan entity was reversed, but four transfers for a combined $81 million went to the Philippines and wound up being laundered through casinos and casino agents there.

“We have actually seen criminal enterprises that were able to bring together a range of capabilities, ranging from insider access to credentials, going through to people who were willing to go physically remove money from ATMs,” said Kanuck.

“There is a black market for different capabilities and you can actually assemble a team like in Ocean’s 11,” he said, referring to the Hollywood movie about a crime syndicate robbing Las Vegas casinos.

“On the other side of the table, you have a growing number of nation-states developing very broad capabilities to do different kinds of operations,” Kanuck said.

“The water is very muddy, it’s very complex.”

Bangladesh authorities had said earlier they were considering suing the NY Reserve Bank over the loss of the funds.

The New York bank, however, has said it found no evidence its own systems were compromised in the attack, and attention increasingly has focused on suspected vulnerabilities in Bangladesh Bank’s cybersecurity.

“Any international cyber system is only as strong as its weakest link,” said the letter signed by the committee’s co-chairmen, Lamar Smith of Texas and Barry Loudermilk of Georgia.

“This is deeply troubling, and it is Congress’s responsibility to ensure, through its oversight, that the NY Fed is taking all precautions to protect American finances and aggressively execute its own role as overseer of SWIFT,” the letter says.

Amid the fallout, Bangladesh Bank Governor Atiur Rahman resigned in March, saying he had tried after the theft to close loopholes and boost the bank’s online security, but that the bank’s team lacked experience.

The Senate recently terminated the cyberheist probe but the report on the investigations has yet to be released.

The Bangko Sentral ng Pilipinas’ (BSP) policy-making Monetary Board (MB) also cancelled last week the certificate of registration or license of Philrem Services Corp. (Philrem), the remittance service provider which was the conduit for the conversion of the stolen funds into the local currency.

The Monetary Board likewise cancelled the certificate of registration as foreign exchange dealer/money changer/remittance agent of Werquick and Peso Remittance. In a statement, the BSP said the MB’s decision was made “due to significant violations of Section 4511N of the Manual of Regulations for Non-Bank Financial Institutions and Circular No. 706 dated 5 January 2011.”

The section pertains to registration, application for registration, applicability of other laws/regulations, required seminar/training, sale and purchase of foreign currencies by foreign exchange dealers and money changers, applications to sell/purchase foreign currencies by foreign exchange dealers and money changers, additional requirements, requirements for remittance agents, AMLC reportorial requirements, sanctions and industry associations.

“The BSP will also be working closely with other relevant government agencies, such as the Anti-Money Laundering Council and the Department of Justice, in their investigation of possible criminal and administrative violations under the Anti-Money Laundering Act and its Implementing Rules and Regulations, of the aforementioned entities, including their Directors and Officers,” the statement read.

Last April, in one of the Senate hearings on the said money laundering activity, BSP Deputy Governor Nestor Espenilla Jr. said there was a possibility that Philrem would face sanctions for violating BSP rules on remittance agents, since it failed to implement the know-your-customer (KYC) rule, which is required of BSP-regulated financial institutions.

Philrem owner Salud Bautista admitted in one of the Senate hearings that the company did not apply the KYC rule to junket operator Kim Wong, who received part of the stolen money, when Philrem remitted money to the businessman.
