Cybertheft attempt on Indian bank resembles Bangladesh heist
Similarities between hacks underscore concerns about rash of recent cyberattacks on financial institutions world-wide
Cyberthieves who attempted to steal $170 million from an Indian bank last July used methods that strongly resemble those of an earlier, successful $81 million heist targeting Bangladesh’s central bank, according to people familiar with the matter.
The similarities between the Indian and Bangladeshi hacks underscore concerns about a rash of cyberattacks in recent months on financial institutions around the world, including banks in the U.S., Mexico, Poland and the U.K. Some of these hacks have been linked to groups affiliated with North Korea, cybersecurity specialists said earlier this year.
State-owned Union Bank of India Ltd.’s computer system was infected with malware that allowed thieves to authorize the transfer of around $170 million from the bank’s account in New York to private accounts in five locations, people familiar with the matter said. Fast detection by bankers allowed the Indian lender to prevent the money’s release.
Investigators studying the Indian hack said similar tactics and coding were used by computer criminals who attempted to steal nearly $1 billion from Bangladesh’s account at the Federal Reserve Bank of New York in February of last year. Many of the orders contained misspellings and formatting errors, and the Fed blocked some of the withdrawals, but the thieves were still able to move about $81 million to accounts in the Philippines.
U.S. prosecutors are building cases that would accuse North Korea of directing the Bangladeshi attack. North Korea’s mission to the United Nations didn’t respond to requests for comment.
This account of the Union Bank of India hack is based on interviews with Arun Tiwari, the bank’s chairman, and several other people familiar with the incident.
The attack on Union Bank began in late July last year when an employee opened an attachment on an email that appeared to have come from India’s central bank, Mr. Tiwari said. That action activated a piece of malware that allowed the hackers to steal Union Bank’s access codes for the international messaging system banks use to authorize cross-border transactions, known as the Society for Worldwide Interbank Financial Telecommunication, or Swift.
The hackers then used those codes to send authentic-looking instructions to a Union Bank account at Citigroup Inc. in New York, which handles processing of wire transfers and clears dollar transactions. The instructions ordered around $170 million to be sent to accounts in Thailand, Cambodia, Australia, Hong Kong and Taiwan.
The money went to several shell companies associated with Asian—in particular Chinese—organized crime syndicates, according to a person familiar with the matter.
The cybercriminals behind the Bangladesh heist similarly stole bank codes to place fake transfer orders. Swift in November said banks using its network had sustained fresh attacks from hackers since the Bangladesh heist. Swift declined to comment on whether Union Bank of India was one of those banks, although Mr. Tiwari said Swift officials have been working with Union Bank since the day of the hack.
Swift generally creates two reports per transaction: one sent to the originating bank, in this case, Union Bank, and another to the so-called correspondent bank handling the overseas transactions, which was Citigroup. The correspondent bank then forwards its report to the originating bank the next day, so it can cross-check the transactions.
On July 21, an employee in Union Bank’s treasury department who was comparing the reports found that Citigroup had executed six transactions that Union Bank hadn’t intended to authorize. He notified senior executives of the mismatch, and the bank immediately began trying to get the money back.
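The cross-check in the two paragraphs above is an ordinary reconciliation: anything the correspondent bank says it executed that the originating bank never authorised is a mismatch, and because the correspondent’s report is produced outside the originating bank’s own network, malware on that network cannot quietly suppress it. The following Python is an added example, not code from the original article or from any of the banks or Swift; it reconciles a constructed list of authorised instructions against a constructed correspondent report. It also flags the more general case of an instruction whose amount or beneficiary differs between the two sides, which the article does not describe. The record layout, field names and every sample value are assumptions for illustration.

```python
"""Added example: reconcile what the originating bank authorised against
what the correspondent bank reports it executed.

Not Union Bank's, Citigroup's or Swift's code.  Record layout, field names
and sample values are assumptions chosen for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ref: str           # instruction reference; assumed unique per transfer
    amount: int        # minor units (cents) so equality needs no float tolerance
    currency: str
    beneficiary: str   # beneficiary account identifier


def reconcile(authorised, confirmed):
    """Compare our authorised instructions with the correspondent's report.

    Returns three lists:
      unauthorised - executed by the correspondent, never authorised by us
      altered      - same reference on both sides, but amount, currency or
                     beneficiary differ (instruction changed after release)
      unconfirmed  - authorised by us but not present in the report
    """
    ours = {t.ref: t for t in authorised}
    theirs = {t.ref: t for t in confirmed}

    unauthorised = [t for ref, t in theirs.items() if ref not in ours]
    altered = [
        (ours[ref], theirs[ref])
        for ref in ours.keys() & theirs.keys()
        if ours[ref] != theirs[ref]          # dataclass equality: all fields
    ]
    unconfirmed = [t for ref, t in ours.items() if ref not in theirs]
    return unauthorised, altered, unconfirmed


# Constructed sample data (not real transaction records).
AUTHORISED = [
    Transfer("UBI-0001", 2_500_000_00, "USD", "ACCT-SUPPLIER-A"),
    Transfer("UBI-0002", 1_200_000_00, "USD", "ACCT-SUPPLIER-B"),
]

CONFIRMED = [
    Transfer("UBI-0001", 2_500_000_00, "USD", "ACCT-SUPPLIER-A"),  # matches
    Transfer("UBI-0002", 1_200_000_00, "USD", "ACCT-MULE-X"),      # beneficiary changed
    # Six transfers the treasury never authorised (constructed amounts).
    Transfer("UBI-0003", 30_000_000_00, "USD", "ACCT-SHELL-1"),
    Transfer("UBI-0004", 25_000_000_00, "USD", "ACCT-SHELL-2"),
    Transfer("UBI-0005", 35_000_000_00, "USD", "ACCT-SHELL-3"),
    Transfer("UBI-0006", 20_000_000_00, "USD", "ACCT-SHELL-4"),
    Transfer("UBI-0007", 40_000_000_00, "USD", "ACCT-SHELL-5"),
    Transfer("UBI-0008", 20_000_000_00, "USD", "ACCT-SHELL-6"),
]


def sample_report():
    """Run the reconciliation over the constructed data and summarise it."""
    unauthorised, altered, unconfirmed = reconcile(AUTHORISED, CONFIRMED)
    return {
        "unauthorised_refs": sorted(t.ref for t in unauthorised),
        "unauthorised_total": sum(t.amount for t in unauthorised),
        "altered_refs": sorted(ours.ref for ours, _ in altered),
        "unconfirmed_refs": sorted(t.ref for t in unconfirmed),
    }


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The comparison is keyed on the instruction reference rather than on amount alone, so a tampered beneficiary on a legitimate reference is reported separately from wholly fabricated instructions; in practice the "unconfirmed" list also matters, because a gap there can mean the correspondent's report is incomplete or delayed rather than that nothing went wrong.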
“This [office] was a war room that day,” Mr. Tiwari said.
Union Bank recovered the money sent to Thailand, Cambodia and Australia, more than half of the total, within 24 hours. It got a court order in Hong Kong to retrieve the rest of the funds, and had gotten all of its money back by July 24.
Employees on Citigroup’s cybersecurity team observed similarities in how the malware behaved in the Union Bank attack and that used in the attack on Bangladesh’s central bank. Citigroup is an intermediary bank for the New York Fed, which gives it visibility into certain transactions.
Ernst & Young LLP, which was hired by Union Bank to investigate the hack and its aftermath, also concluded it had been executed similarly to the attack on the Bangladesh central bank, according to Mr. Tiwari. In both cases the malware reached the target banks by emails addressed to employees, and took control of Swift functions at the originating bank, a person familiar with the attack said.
Both hacks also disabled computer systems that create automatic logs of the transactions, another person familiar with the matter said.