Forensic investigators examining the theft of $81 million from Bangladesh Bank's account with the New York Fed have uncovered evidence of at least three hacking groups, including two from North Korea and Pakistan, inside the central bank's network.
However FireEye Inc., the company hired by the central bank to conduct the forensic investigation, said it was the other unidentified group that pulled off the heist, according to two people briefed on the progress of the bank's internal investigation, reported Bloomberg yesterday.
FireEye identified digital fingerprints of hacking groups from Pakistan and North Korea, the two people said. It has not found enough data to determine whether the third group, the actual culprit, was a criminal network or the agent of another nation.
During an internal discussion on the findings, the investigators said there were seven or eight hacking groups in the world, who were capable of carrying out cyber attacks of this scale, said a BB official.
One of the groups might have performed the hacking, he said.
The US firm was asked to submit its report by April 30, but it has not done so yet, said BB spokesman Subhankar Saha.
He declined to comment on the matter of the hacking groups.
The investigators are delaying submitting the report as they are trying to identify the group behind the February 4 reserve heist, said another BB official.
Asked about the hacking groups, Finance Minister AMA Muhith told The Daily Star yesterday, “It is not solid information. So, I don't want to make comments on the issue.”
Mohammad Shah Alam, additional deputy inspector general of the Criminal Investigation Department, said the police department's own investigation had not found involvement of such groups.
The twists and turns add to the mystery of who pulled off one of the largest cyber-heists in history.
The US Federal Bureau of Investigation suspects an insider with access to the computers at the BB played a role in the caper, according to the people briefed on the investigation.
Police here said they had found negligence within the bank but had not determined whether there was any criminal intent.
Spokesmen for Pakistan's interior and information technology ministries did not respond to requests for comments. Telephone and e-mailed requests for comment to North Korea's delegation to the United Nations went unanswered, said the Bloomberg.
Government officials in the Philippines and Sri Lanka are investigating where the purloined money may have gone. Members of the US Congress have asked for additional information about whether there were lapses in security by institutions duped in the scam.
“These guys started to lay the groundwork for their hack or their robbery a year ago. They set up their false accounts, with false IDs,” said Leonard Schrank, who was Swift's chief executive officer for 15 years through 2007.
“It was really well thought through, and they found a very weak link, which they exploited,” he told Bloomberg.
Hundreds of billions of dollars are moved internationally through the Swift system daily. The Brussels-based group warned users last month that it was aware of several similar attacks. It did not indicate whether it suspected the same hackers or whether more money was taken.
The Bangladesh forensic results, provided to the bank in the last few days, highlight the challenges of identifying skilled perpetrators in cyberspace, where hackers can mimic others and route their actions around the world to confuse trackers.
FireEye was unable to determine how the thieves first entered the BB network, according to one of the people. One possibility is that malware was introduced into the network by someone inside the bank or a technician working with the bank.
Malware can be introduced quickly onto a network by someone inside with something as simple as a thumb drive in an open USB port. The forensic investigation has not found any evidence of this, the person said.
The potential role of any insider is still being investigated. The FBI has been assisting the inquiry at the request of the BB. Jillian Stickels, a spokeswoman for the FBI in Washington, declined to comment on the investigation.
The Bangladesh Bank has not yet been able to determine whether an employee was involved, according to a panel it appointed to review the incident. An official from Bangladesh police said it has not received information from the FBI about a possible insider and that no arrest has been made.
Bangladesh officials have sought to cast Swift as bearing some responsibility, releasing details about Swift technicians who made upgrades to the bank's system late last year.
The CID is suspecting whether hackers used an IP address in Egypt to steal the money.
“Soon after the CID launched its investigation, it found that a notification from the SWIFT platform with the BB was sent to an IP address based in Cairo,” said Alam.
“Through INTERPOL [the International Criminal Police Organisation], we have sought information about the IP address. Bangladesh's ambassador in the country is pursuing the issue so we get cooperation from the Cairo administration.”
The senior official said the CID has yet to receive any reply from Cairo side.
Another CID official said hackers sometimes use IP address located in other countries to camouflage their real identities.