Cyberheist risk is here to stay
IN FEBRUARY 2016, THE CENTRAL BANK OF BANGLADESH WAS TARGETED IN AN ATTEMPTED CYBERHEIST OF $951 MILLION.
Imagine, just for a moment, stealing $951 million. What factors would you consider in accomplishing such a thing? Identifying the location of that much cash in one place for a start. Then gaining access to it, overcoming defence-in-depth including reinforced walls, floors and ceilings, 24-hour closed circuit television, combined with lighting, movement sensors, sluice gate entry and exits, vehicle barriers, time lock vaults, and a guard force which perhaps also uses dogs. Plus maybe a Quick Reaction Force provided by paramilitary law enforcement, or the military itself, not to mention their weapons, training and capabilities. How would you transport that amount of cash, and to where? A small truck and a number of additional criminals are needed to move the 9.5 tonnes of $100 bills, if using one vehicle, to a safe location. Provided you were not followed and caught in transit, that is. On balance, the likelihood of success could be considered as rather small.
So we can understand why the criminal mind finds it so attractive to attempt a cyberheist. Unfortunately, such minds are usually first to take advantage of loopholes in technology and processes. Add in good planning, the ability to transfer funds across international borders to relatively safe locations, an insider or two within the bank to help facilitation and we can see that the odds of success are much increased. Criminals will naturally target organisations perceived to have less defences, or less effective defences, in place than similar organisations.
In February 2016, the Central Bank of Bangladesh was targeted in an attempted cyberheist of $951 million. The consequences were huge: a national embarrassment, resignation of the chief governor of the Central Bank, resignation of the president of a commercial bank in the Philippines, and the financial regulator of that country imposing its largest ever fine of $52 million upon that commercial bank. External experts were required to find out what had gone on and how. As the story slowly emerges, it provides illumination into the planning required for activity of this scale. It was not the first attempt. Banks in Vietnam and Ecuador had previously been targeted, and what may be considered as a rehearsal, again another Bangladeshi bank in 2013 where $250 thousand was stolen.
Planning and preparation included opening numerous bank accounts using fictitious names in Sri Lanka and the Philippines, and probably other countries too. Having various routes to help change the stolen funds into various other forms, such as different currencies or casino chips, was required. This throws smoke across the money laundering trail, and delays the law enforcement pursuit, which inevitably follows, slowed even more by those same international borders.
Open source information indicates that electronic entry was gained to the Central Bank’s network by a criminal party from outside the country. This may have been facilitated by simple negligence or a lack of knowledge on the part of a bank employee, or by an insider actively leaving open a method of entry for them to gain access. Malicious software was installed a few weeks before the cyberheist, and appeared to harvest sensitive information concerning the SWIFT (Society for Worldwide Interbank Financial Communication) network, which is used by 11,000 banks around the world. It allowed the criminals to mimic a legitimate organisation and issue instructions for the transfer of funds from the Central Bank, across international borders, to other financial firms, which ultimately had those fictitious accounts.
The malicious software also massaged the confirmation messages required of a normal SWIFT transaction, by not allowing those messages to be printed. Anomalies would otherwise have been noticed by bank employees on the printed copies. A delay in printing was all that was required. The criminals needed to accelerate the movement of funds and change it into other monetary forms, so there was a specific time window in play. This was lengthened by conducting the cyberheist immediately before a weekend. The criminals needed to maximise their opportunity before the window was closed by any of a number of legitimate actors noticing something amiss.
Noticing anomalies did not take long, helping limit that window of opportunity. Transactions routed via Deutsche Bank and Pan Asia Bank were queried by those firms. Five transactions totalling $101 million were successfully withdrawn from a Bangladesh bank account. Of this, $81 million was routed to the Philippines, where all but $18 million evaporated into other monetary forms and then disappeared. Why route to the Philippines? Because there are gaps in its laws regarding the casino industry, hence changing funds into gambling chips, and so forth. Another $20 million routed to Sri Lanka was recovered successfully. The Federal Reserve Bank of New York blocked a further 30 transactions, at the request of the Central Bank of Bangladesh, totalling $850 million.
It is sobering to think of the detrimental impact to the country of Bangladesh, should all $951 million have disappeared. Massive economic consequences, no doubt, most probably leading to social ones too. Stealing $63 million is not a trivial amount. We can be sure that there are others who will look to penetrate any weaknesses in a central bank’s defences, facilitated by willing or coerced insiders. No doubt India is doing all it can to dissuade criminals from targeting its critical national infrastructure and assets, however a thorough audit of its current cyber defences would be a prudent measure. The cyber heist risk is here to stay. Peter Probert is Director of Spearhead Advisory Ltd. Self styled vigilante groups claiming allegiance to the Sangh Parivar appear to be having a rollicking time. Not a day passes without news being flashed on multiple TV channels of right wing extremists targeting innocent people in the name of cow protection and patronage for preserving our culture and heritage. What is simultaneously alarming and disconcerting is that neither the Central government nor the state governments were doing enough to provide security to the citizens to uphold the rule of law. Miscreants are having a field day and getting away with it because their actions are sought to be justified on the ground that it is their interpretation of religion and mythology.
While Prime Minister Narendra Modi is working overtime to project a positive image of the country, there is a counter narrative running concurrently in our own land. Appallingly, a high court judge has the audacity to state that the sacred cow was both a physician and a surgeon. He quotes further from scriptures to support and emphasise his conviction on the peacock and its method of procreation. Cattle rustlers, in the name of safeguarding the cow, rough up and attack ordinary and poor farm hands who are helping to transport the animals from one place to the other. Self proclaimed defenders of feminine rights, thrash boys and girls who are sitting peacefully to profess their commitment in maintaining the dignity of girls and women. The top court passes an order prohibiting the sale of liquor within 500 metres of any national or state highway in order to stop or curb drunk driving.
In fact, it is for all the wrong reasons that India is in the news, both nationally and internationally. The short point is: given this scenario, which investor would deem it viable to set up industries of any nature or start-ups, the government so keenly is championing? Whatever is happening is contrary to the vision of the Prime Minister, who desires to elevate our country to the status of a superpower. If there is no rule of law and the life and property of the citizens is threatened constantly by vigilante groups, who is going to make investments in new projects? If there are no fresh enterprises, there would be no jobs.
It is simple for BJP president Amit Shah to claim that the government cannot give jobs to all its citizens, but he conveniently forgets that Modi had himself promised employment to millions during his tenure. As things have turned out to be, the number of people who have lost their jobs far exceeds those who have been recruited in the past three years. This trend will not reverse unless the government plays a pro active role and creates an atmosphere conducive for the growth of industry and agriculture.
True that many things were not right even during the tenure of previous regimes, but that is no excuse for insufficient undertaking. Immense hopes are fastened to Modi, who is seen by the majority as an unparalleled leader. Therefore, it is incomprehensible why peripheral issues are overshadowing pre-eminent matters. The looming question: Is there a segment that is attempting to navigate the agenda away from the core essence of the Prime Minister’s assurances?
It is baffling why the Sangh is not openly coming out to admonish these bigots and dogmatists who are trying to impose their (mis)beliefs on the rest of the people. Scientific temperament is a pre-requisite and it is deplorable that Krishan Gopal, who is the RSS interlocutor with the BJP with a science background, has been unable to drive some logic in this kind of abysmal thinking. No one expects these people to stop believing in subjects close to their heart, but at least they should strive not to thrust these ill founded theories on others.
In some quarters, there is a sneaking suspicion that all this is being done with a specific purpose. The beef debate is aimed at the Muslims in order to polarise the Hindus. The Dalits are being targeted because many upper caste people do not consider them to be part of Hindu society. In short, the political objective is that in the march towards the Hindu Rashtra, there has to be an isolation of Muslims and Dalits. Is the RSS, which talks of Akhand Bharat or Greater and Unified India, supporting this view? Does this not infringe the concept of what the Sangh has always stood for that India is one nation and one people? Then why this divisive politics?
Ironically, the situation can best be described in Iqbal’s words. “Oh Fikr Kar Nadaan, Mussebat Aaanewali Hai, Teri Barbaadiyon Ke Mashware Hain Aasmanon Mein, Na Samjhoge To Mit Jaoge Hindustan Walo, Tumhari Dastaan Tak Na Hogi Dastaano Mein (Wake up you ignorant Beings, disaster looms ahead. If you cannot foresee the peril in the dark and overcast sky, you are hurtling towards sure doom. Your fate would be such that you would lose your relevance in the coming time).”
In the overall interest of the nation, the Prime Minister must step in and issue instructions to contain these obscurantist and anachronistic characters. India does not need them in our quest for quantifiable heights. Between us.