Detailed Analysis

3.1.1 Hacking Techniques

The Bangladesh Bank heist involved several sophisticated hacking methods, primarily
leveraging malware, phishing, and exploitation of vulnerabilities within the SWIFT system.

Malware
The hackers initially gained access to the Bangladesh Bank's systems by planting custom-designed malware. This malware was specifically designed to interact with the SWIFT Alliance Access software, which facilitates communication between financial institutions and the SWIFT network. The malware was hidden in a file named "evtdiag.exe", which monitored and altered SWIFT messages. It also manipulated the database to mark validity checks as successful, allowing unauthorized transactions to proceed undetected (Kovacs, 2016).
The malware that compromised a computer used for SWIFT transactions was engineered to hide evidence of the fraudulent payments in the bank's local database records, as detailed by technology consultancy BAE Systems Applied Intelligence (Kitten & Schwartz, 2016). One of the malware's tactics involved a module that overwrote a 2-byte conditional jump with no-op instructions. This modification made the host application treat a failed check as if it had succeeded, allowing the malware to execute database transactions, according to BAE Systems (Peters, 2016).
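As an added, defender-side example (not from this report or from BAE Systems' analysis): a baseline-versus-current integrity check over the bytes of a validation routine, which flags the kind of patch described above, a 2-byte short conditional jump overwritten with two NOPs. The byte sequences are constructed for illustration; the opcode ranges are standard x86 facts.

```python
import hashlib

# x86 short conditional jumps (Jcc rel8) are 2 bytes: opcode 0x70..0x7F followed by rel8.
SHORT_JCC = range(0x70, 0x80)
NOP = 0x90

# Constructed, illustrative bytes standing in for a validation routine:
#   test eax,eax ; jnz +6 ; mov eax,1 ; ret ; xor eax,eax ; ret
BASELINE = bytes.fromhex("85c0" "7506" "b801000000" "c3" "31c0" "c3")
# The same routine with the conditional jump replaced by two NOPs (constructed).
PATCHED = BASELINE[:2] + b"\x90\x90" + BASELINE[4:]


def region_hash(code: bytes) -> str:
    """Hash of a code region, suitable for storing as a known-good baseline."""
    return hashlib.sha256(code).hexdigest()


def _runs_of_differences(baseline: bytes, current: bytes):
    """Yield (offset, length) for each maximal run of differing bytes."""
    start = None
    for i, (b, c) in enumerate(zip(baseline, current)):
        if b != c and start is None:
            start = i
        elif b == c and start is not None:
            yield start, i - start
            start = None
    if start is not None:
        yield start, len(baseline) - start


def classify(orig: bytes, new: bytes) -> str:
    """Name the patch pattern: a short Jcc turned into NOP NOP, or anything else."""
    if len(orig) == 2 and orig[0] in SHORT_JCC and new == b"\x90\x90":
        return "short_jcc_to_nop"
    return "other"


def find_patches(baseline: bytes, current: bytes) -> list:
    """List every modified run with its offset, original and new bytes, and kind."""
    if len(baseline) != len(current):
        raise ValueError("code regions must be the same length")
    patches = []
    for off, n in _runs_of_differences(baseline, current):
        orig, new = baseline[off:off + n], current[off:off + n]
        patches.append({"offset": off, "orig": orig.hex(), "new": new.hex(),
                        "kind": classify(orig, new)})
    return patches


def integrity_check(baseline: bytes, current: bytes) -> dict:
    """Compare hashes first; only on mismatch, locate and classify the patches."""
    intact = region_hash(baseline) == region_hash(current)
    return {"intact": intact, "patches": [] if intact else find_patches(baseline, current)}
```

A real deployment would take the baseline from a signed on-disk copy and the current bytes from the running process, and alert on any "short_jcc_to_nop" hit inside a known validation routine.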

Phishing
The attackers infiltrated Bangladesh Bank's network by sending spear-phishing emails that appeared to be legitimate communications, deceiving employees into divulging login credentials or installing malware. This phishing campaign gave the attackers their initial foothold in the bank's internal network. Once inside, they deployed custom malware and moved through the bank's systems to reach the SWIFT environment. This access enabled them to send fraudulent messages via the SWIFT system, resulting in the theft of funds (Saha, 2023; PYMTS, 2018).

Exploitation of Vulnerabilities
The Bangladesh Bank heist was initially attributed to the absence of a firewall and the use of second-hand, $10 network switches (Smith, 2016; Quadir, 2016). An investigator highlighted that inadequate security measures, such as not employing more secure "managed" switches, contributed to the breach (Quadir, 2016). These inadequate security measures left the bank vulnerable to hackers, who exploited these weaknesses to access the SWIFT global payment network. Researchers at BAE Systems found that the attackers used highly customized malware designed to exploit the bank's poorly secured local environment (Peters, 2016). By obtaining privileged credentials, the attackers were able to move laterally within the network, gain access to SWIFT-connected systems, and execute fraudulent transactions while concealing their activities.

3.1.2 SWIFT Network Exploitation

Once inside the Bangladesh Bank's network, the attackers manipulated the SWIFT
network to initiate fraudulent transactions. Here’s how they did it:

Credential Theft and Network Penetration

The attackers used stolen credentials to access the SWIFT Alliance Access software. This software is responsible for sending authenticated financial messages across the SWIFT network. Using these credentials, the attackers could send fraudulent payment instructions without raising immediate suspicion (Strait Times, 2016; Mimoso, 2016).

Manipulating SWIFT Messages

The custom malware installed by the attackers intercepted and manipulated outgoing SWIFT messages. It could alter transaction details and delete specific transactions from the records, effectively covering the attackers' tracks. The confirmation messages generated for these transactions were also tampered with, preventing bank staff from noticing the discrepancies in real time (Kovacs, 2016; Smith, 2016; Peters, 2016).

Diversion of Funds
The attackers used multiple transactions to divert the stolen funds to accounts in several countries, making the funds difficult to trace and recover. The hackers used Bangladesh Bank employees' SWIFT credentials to send 35 fraudulent transfer requests to the Federal Reserve Bank of New York. The requests aimed to transfer millions of Bangladesh Bank's funds to various bank accounts across Asia, including in the Philippines and Sri Lanka (Zetter, 2016). The stolen funds were funneled through a major Philippine bank (RCBC), converted into pesos by remittance companies, and disappeared in Manila's casinos. A $20 million transfer in Sri Lanka was stopped because of a typo (spelling "foundation" as "fandation") (Saha, 2023).

Exploiting Time Zones and Holidays

The hackers timed their attack to coincide with the weekend and holidays in Bangladesh, the United States, and the Philippines, knowing that reduced staffing levels and the differences in time zones would slow the detection of, and response to, the fraudulent transactions (Saha, 2023).
The hackers exploited weekends and holidays to their advantage. In Bangladesh, February 5th was a Friday, a weekly holiday, meaning the messages from the Fed were not seen promptly. In the United States, the attack took place during the weekend, delaying detection further. Moreover, the Chinese New Year holiday in the Philippines also slowed the response, as many financial institutions, including RCBC, where the funds were transferred, were closed (Carvajal et al., 2020; Arthur & Mahajan, 2021).

LINKS:
Custom Malware Used in $81 Million Bangladesh Bank Heist - SecurityWeek
Bangladesh Bank Heist: Lessons Learned - BankInfoSecurity
Malware At Root Of Bangladesh Bank Heist Lies To SWIFT Financial Platform (darkreading.com)
The Great Heist: Unraveling the Bangladesh Bank Reserve Theft | LinkedIn
The Cyborg Shopper: Is It the Future or Just a Blip? (pymnts.com)
Bangladesh Bank cyber-heist hackers used custom malware to steal $81 million | CSO Online
Bangladesh Bank exposed to hackers by cheap switches, no firewall: police | Reuters
Bangladesh Bank hackers compromised Swift financial software, warning to be issued | The Straits Times
Bangladesh Bank Hackers Accessed SWIFT System to Steal, Cover Tracks | Threatpost
That Insane, $81M Bangladesh Bank Heist? Here's What We Know | WIRED
The Bangladesh Bank Heist (jsbf-report.com)
What went before: The Bangladesh Bank heist - PCIJ.org
