Cyber heist

Why Bangladesh was chosen for the reserve heist

A poster of ‘Billion Dollar Heist’, a documentary depicting Bangladesh Bank reserve heist

It was the weekend in Dhaka, Friday, 5 February 2016. Bangladesh Bank was closed, but a few people came into the office for a brief time. One of them was Zubair bin Huda. He came and found the printer wasn’t working. He dismissed it as some technical glitch and went off. The next day, Saturday, when the others came, they turned on the printer in an alternative way and that’s when they discovered letters requesting the transfer of almost 1 billion dollars (100 crore dollars). Panic broke out.

That is how the ‘Billion Dollar Heist’ begins. ‘Billion Dollar Heist’ is a documentary film based on the theft of Bangladesh Bank’s reserve funds. The film has revived discussions on Bangladesh and its central bank seven years after the incident. Renowned newspapers like the New York Times, The Financial Times and The Guardian have all published reviews of the film. So while Bangladesh has tried to keep the matter under wraps, purportedly in the interests of the case, the discussions on the matter continue.

This is, after all, the world’s biggest digital theft. The manner in which the funds were filched is as exciting and intriguing as any thriller.

Produced under the banner of Universal Pictures and GFC Films, the documentary has been directed by Daniel Gordon. It was released on 14 August. The documentary gives the vibes of a thriller.

Bangladesh Bank’s reserves were stolen on the night of 4 February 2016. A total of USD 81 million (USD 8 crore 10 lakh) was stolen at the time. This was money earned by the citizens of Bangladesh and Bangladesh Bank had the responsibility of managing these funds.

Director Daniel Gordon has brought in a host of world renowned experts in the documentary. British journalist Misha Glenny narrates the incident throughout the movie. He is an expert on cyber and organised crime and has books on the topic.

Sharing their views on various matters in the documentary are security expert Eric Chien, New York-based journalist Joshua Hammer, Reuters journalist Krishna Das, and New York Times journalist Nicole Perlroth, who works on cyber security and digital espionage. Also giving his opinions is Rafal Rohozinski of Poland, a widely reputed international expert on digital threats. Then there are Finnish cyber expert Mikko Hypponen, cyber consultant WJ Hilbert and former FBI special agent Keith Mularski.

Other than the actual heist, the documentary delves into who was behind the scam, why Bangladesh Bank was chosen for the theft, how the robbery was so easily carried out, the role of Bangladesh and so on. The experts also go into the history of cyber crime, future threats and lessons learned from the incident. The film is replete with footage and all sorts of animation to describe the incident.

At the outset, Misha Glenny says that when he was just a kid he would hear about the infamous British robbery, ‘The Great Train Robbery’. In that incident, 2.5 million pounds (equal to 4 million dollars or 40 lakh dollars) had been stolen. That was 30 years ago. And now he was talking about a heist aiming at 1 billion dollars. That in itself indicates how dangerous cybercrime has become.

Then there is a brief narration on the history of cyber attacks. Misha Glenny goes on to say that the four biggest threats to the world and humankind now are pandemics, weapons of mass destruction, climate change and cyber attacks. At the start of the nineties, hackers had been in their teens and had fun creating malicious software. The virus would be spread through floppy disks. Then came the internet and such malware spread in a matter of seconds.

Those who had taken this up as fun gradually realised the financial potential involved. Prior to 2000, the task of the virus was basically to destroy websites. After the .com era began post 2000, hackers began earning ransom by holding computer networks and sites hostage. Organised gangs would rule the crime world. All sorts of criminals would join. But after the nineties, the group that entered the scene were whizzes in math and physics and computer scientists, and they became the new gangsters online. They began to rake in money by spreading viruses and malware. That changed the entire scenario.

Online banking had become popular by then, people were using credit cards more and more, and funds could be transferred automatically. The hackers realised that rather than chasing after individuals, targeting organisations would be much more profitable.

Why Bangladesh?

No matter how much we tout Bangladesh as Switzerland, Paris or Singapore, it is still known around the world as one of the poorest countries. The documentary introduces Bangladesh as the 170th poorest country in the world. For such a poor country, 1 billion dollars is a lot of money. Misha Glenny and the others gave their views as to why Bangladesh had been picked out for this robbery.

They said New York’s Federal Reserve Bank (NY Fed) is the most difficult financial institution to hack. It has the best security system. Hackers are well aware they cannot access the Fed. They noted, though, that the Fed had transactions with central banks of other countries around the world and so had communications with all of these central banks. And so the hackers focused on these links. The Fed depends completely on SWIFT (Society for Worldwide Interbank Financial Telecommunication) for fund transfers. All banks maintain links with each other by means of SWIFT. So that was the entry point. They began searching for the weak point. Just one weak point was enough to enter the network. They needed to choose a site far from the New York Fed whose security system was flimsy. Bangladesh’s name popped up. Bangladesh Bank has large funds in its reserves, but a deplorable security system. It was perfect for a cyber attack.

Misha Glenny said, in the real world banks would be directly looted. Now it’s done in the online world. It takes 10 trucks to carry away 10 million dollars in cash, but it is invisible in the case of online heist. The Bangladesh Bank reserve fund heist wasn’t quite like the 1986 Hollywood movie ‘War Games’ plot, where Matthew Broderick was having fun, but then got caught up in a full blown nuclear war. It was more like George Clooney and Brad Pitt’s ‘Ocean’s Eleven’ where there was an organised gang of criminals skilled in their various areas of expertise.

Misha Glenny’s astonishment

The hackers robbed the bank so skillfully that Bangladesh didn’t have a clue. In the documentary, Misha Glenny narrates the incident and points out that Bangladesh had no idea what had happened and what was to be done. For example, they first phoned the New York Fed and received no response. It was Saturday, the weekend in New York.

Misha Glenny said that this revealed just how disorganised both Bangladesh and the Fed were. The Fed had no 24/7 hotline. But even though it was a Saturday, Bangladesh managed to get through to SWIFT. They were advised to shut down the entire system until the actual incident came to light. Rather than taking the decision himself, the Bangladesh Bank official Badrul Huq Khan phoned the bank’s deputy governor. He, in turn, called the governor of Bangladesh Bank, Atiur Rahman. Misha Glenny asks, “Do you know what happened next? The governor said, ‘This could just be a technical glitch. We won’t shut down the system.’” The shocked Misha Glenny covered his face with his two hands.

Human error and a cheap switch

The documentary highlighted the role of ‘social engineers’. After all, it takes people to enter the computer network and so human psychology needs to be understood. They study the social media profiles of various individuals – what sort of relationships they have, what they read, what movies they watch and so on. Then they analyse all this. That is what was done in the case of Bangladesh Bank.

In January 2015, emails with malware attached were sent to 36 officials of Bangladesh Bank. Three officials responded. They opened the attached files and the hackers entered the network. So the hacking wasn’t through any technical glitch, but through human error. The lesson learnt here is not to click any unknown attachment. It was because three persons of Bangladesh Bank clicked on the attached file that the hackers gained control of the computer network. In other words, they managed to break through the first step of security. The next task was for extremely skilled and advanced hackers.

The documentary pointed to another weakness in Bangladesh. For example, all computers of Bangladesh Bank are interconnected. This connection is made by a sort of switch. These switches can be used to create separate networks too. That means all computers won’t be connected and a separate switch will be needed to create a new network. Bangladesh Bank had a fairly good security system, but they used a cheap switch, costing only 10 dollars. This switch couldn’t be used to divide up the network. The hackers were on the lookout for such a system where costs were cut. In a graphical presentation it was then shown how the hackers went from computer to computer until they reached the computer that was connected to SWIFT. The graphics of the search from computer to computer were done in the style of the popular game Super Mario.

Why was the Philippines selected?

It was planned that the Philippines would be used to extract the money. In May 2015 the hackers appointed a Chinese person. He opened four accounts with 500 dollars in RCBC Bank in Manila. They had to first ensure that the bank officials of the Philippines bank were corrupt. After the bank accounts were opened, they remained silent for nine months. For one year they roamed around the Bangladesh Bank computers in an almost unbelievable manner. Had just one person of Bangladesh Bank realised that, all their plans would have crashed.

The Philippines was also selected because of its casino industry. That sector was not under surveillance and no one sought the source of funds. So it was very easy to withdraw money from here.

The only shameful incident

Till now only one single person has been punished in this incident. That is Maia Santos Deguito, the manager of RCBC bank’s Jupiter branch. Misha Glenny comments that the biggest offence of this heist is that only one person has been punished, and that too, a woman. Maia Deguito was just a mid-level officer. A whole gang of people carried out the heist, but just one woman was punished. She has been sentenced to 56 years in jail and fined 109 million dollars, which is more than the money that was stolen. Maia is simply a scapegoat through whom the others have been let off the hook. No one in Bangladesh has been punished so far.

When Bangladesh found out

After the weekend, when the printer was turned on, Bangladesh realised that money had been transferred. They realised something had taken place. Misha Glenny said the location was Bangladesh Bank. Yet the governor of the bank failed to inform the country’s prime minister of the matter and instead reached out to an acquaintance. That was Rakesh Asthana. He was the chief executive officer of World Informatics Cyber Security.

Next Rakesh Asthana spoke in the documentary. He said the Bangladesh Bank governor and the others at the outset had no idea of what had happened. They thought the money had been mistakenly transferred and would come back. He later came to Bangladesh and found out what had actually taken place. He laughed and said Bangladesh Bank spent hours on watching 8 hours of CCTV footage but didn’t see anyone entering the SWIFT room. They caught a glimpse of someone’s shadow, but that was actually the cleaner who had gone to clean the room. They spent a week on just scrutinizing the footage.

Who is this hacker group?

Hacking leaves behind certain clues. Experts found similarities between Bangladesh Bank’s hacking incident and that of the Sony Pictures network back in 2004. The cyber experts later investigated the matter and identified the hackers as the Lazarus Group. This is a state hacker group. Though it was not mentioned anywhere here, FBI investigations mention they are from North Korea. A year later the same hacker group carried out a simultaneous attack on 150 countries.

Lessons learned

The last part of the documentary dealt with fears of even larger cyber attacks worldwide. It takes just a small piece of malware to create huge havoc. Everyone is interconnected, not just banks, but service sectors, transport, infrastructure, everything. The lesson learned from the Bangladesh Bank heist is that in an interconnected network, it takes just one bad player to create disaster. And the biggest lesson learned is, do not click on any unknown attachment.