In the book “The Power of Kabbalah,” a kind of user’s guide to teachings about life that date back almost a thousand years, a litany of twelve rules-to-live-by holds one piece of especially good advice, in Rule 6:
"Never—and that means never—lay blame on other people or external events." Always view the mishaps that befall you as being your own fault.
Imagine if that mature, responsible ethos ruled the corridors of banking and the law, where, instead, the Blame Game reigns supreme. Screw up something on a particularly large scale, and always it is someone else’s fault. And so it is that, three years after the Bangladesh central bank let itself get ripped off in one of the largest hacking heists ever, it continues to blame others for its misfortune.
The Bangladesh Bank, in fact, may even file a lawsuit trying to blame others for the brazen and all-too-simple online theft of some $80 million that occurred on its own watch. The statute of limitations on the case expires soon, and the South Asia national bank has made noises about suing the Goliathon it blames in this heist: the Federal Reserve Bank of New York. [Not to mention a bank in the Philippines that itself got hornswoggled in this caper, betrayed by a rogue employee.]
Blame anyone, in other words, other than yourself. Distinctly un-Kabbalahistic.
The chairman of the Bangladesh central bank, who had withheld disclosure of the breach for a month before telling the Bangladeshi government, resigned soon after the story went global. Later he gave an interview to The New York Times, insisting the theft wasn’t his bank’s fault and casting blame on the New York Fed, in particular.
Yet a hack attack goes nowhere if it gets blocked at the source, and at the Bangladesh Bank, security was at best an afterthought. The Bangladesh police investigation of the case notes that the bank’s own tech staff “significantly contributed to weaken the security” of the bank, documents show.
The bank used $10 wireless routers to link office computers to the local network. Virtually no protection was in place to secure the link between the office network and the terminal for accessing Swift, the global banking network coursing with electronic transfers among eleven thousand banks around the world. This lapse offered thieves a simple on-ramp into the Swift system.
Hackers were able to install malware inside the Bangladesh Bank’s network to gather usernames, passwords and protocols and steal bank credentials to infiltrate Swift. Their custom-made tools, police said, imitated a member account to interact with Swift software, letting them delete transactions to hide them and take steps to cover up their actions.
The thieves, masquerading as the Bangladesh Bank itself, were able to wire instructions to the New York Fed, where Bangladesh keeps its reserves, sending in seventy requests for wire transfers totaling almost a billion dollars. Half the requests were rejected instantly for entry errors. As the New York Fed addressed the remaining thirty-five, it obligingly wired a total $81 million to four accounts at a bank in the Philippines, and it set up a $20 million transfer for a fifth account in Sri Lanka.
Then the New York bank flagged some of the bogus payment instructions for potential connections to a Greek shipping firm on a watch list.
The New York Fed queried Bangladesh Bank to clarify the suspicious transfers. Documents show that the New York Fed also notified intermediary banks involved in the transfer routing: Bank of New York Mellon (BK), Citibank (C) and Wells Fargo (WFC).
The Sri Lanka bank and Deutsche Bank (DB), an intermediary in the transaction, blocked the $20 million transfer because the thieves misspelled the name of the fictitious “Foundation” receiving the funds as “Fundation.” That money was returned to the New York Fed, which restored it to the Bangladesh Bank’s reserves. But Bangladesh Bank officials went more than 24 hours before seeing the New York Fed’s first warning message, and it would be another 48 hours before they could reach officials at the New York Fed to alert them that all the transfer requests were fake.
By that time the $81 million in the accounts in the Philippines had been transferred to local casinos, which are exempt from laws against money laundering. The booty disappeared.
How could this have been allowed to happen? The hacker bandits had impeccable timing—and they took advantage of lame technology at Bangladesh Bank.
They started their caper late on a Thursday night, just before the start of the Friday-Saturday weekend and before the bank would reopen for business on Sunday morning. Cunningly, they went online and disabled the bank’s main office printer for receiving messages from the Swift system. Because this printer had gone on the fritz many times previously, this outage raised no alarms, according to a sworn statement a Bangladesh Bank director gave to investigators.
When bank officials showed up on Friday morning, February 5, 2016, to check for any messages from the Swift system, they later noticed the Swift printer was on the fritz yet again. The time was 10:30 a.m., according to the director’s sworn statement—just six minutes after the New York Fed had sent its first message asking about the bogus transfers, which Bangladesh bankers wouldn’t see until after noontime the next day.
The bank director instructed his staff to continue trying to fix the balky printer, but by 12:30 p.m. everyone had left for the day, deciding the repair could wait till the next day, Saturday. At 9 a.m. the next morning, the bank director showed up, fussed with the printer for more than three hours and, finally, at 12:30 p.m., someone was able to override the system and manually print out messages that had been waiting for 24 hours.
It took until Sunday for the Bangladesh officials to realize they had been had, but their counterparts at the New York Fed were unavailable until Monday. By then, the money was gone.
For Bangladesh Bank, a central bank in a country with annual GDP north of $250 billion in one of the fastest-growing, most dynamic regions on the planet, the lapses seem surprisingly backward and amateurish. By contrast, the bank’s hackers were top-notch: most likely they work for the North Korean government, it has been reported.
Their virtual burglary tools carried the same exact DNA, the same microcode, as the tools used in another infamous hack blamed on North Korea: the break-in at Sony Entertainment as it was releasing a purported film comedy about assassinating the leader of North Korea. The hack disabled the Sony computer network, enabled the leaking of embarrassing emails and led to the resignation of the studio head.
Wait a minute. If media reports are correct, there could be yet another target for blame, and perhaps a better one, in the Bangladesh Bank heist: Kim Jong Un! Still, the officials of Bangladesh Bank would do much better for the health and security of their country’s financial system by looking inward… and blaming themselves.