Cyber security expert FireEye has been roped into the investigation of the cyber theft of $81 million from Bangladesh’s official account at the Federal Reserve Bank of New York. A spokesperson for FireEye confirmed that its forensics division Mandiant is helping to investigate one of the largest cyber-heists in history.

Hackers stole $81 million from Bangladesh’s central bank through a series of SWIFT transfers from its account at the Federal Reserve Bank of New York. Attempts to steal an additional $850-$870 million were foiled after suspicions were raised due to the repeated nature of the transactions. Stolen money is believed to have been transferred to bank accounts in the Philippines. Anti-money laundering authorities in the Philippines are also co-operating with Bangladesh and has frozen the bank accounts involved in the theft.

The Federal Reserve Bank of New York, in a statement released on March 9, said that the transfer of the money had been fully authenticated by SWIFT, an international financial messaging system, suggesting a security breach in Bangladesh. The Federal Reserve Bank of New York’s statement made it clear that its systems had not been compromised. After reports of the heist surfaced, Bangladesh admitted their system was hacked and that the investigation is under progress.

The statement issued by The Federal Reserve Bank of New York reads as follows.

To date, there is no evidence of any attempt to penetrate Federal Reserve systems in connection with the payments in question, and there is no evidence that any Fed systems were compromised. The payment instructions in question were fully authenticated by the SWIFT messaging system in accordance with standard authentication protocols. The Fed has been working with the central bank since the incident occurred, and will continue to provide assistance as appropriate.

Comments Nicolai Solling, Director of Technology Services at Help AG, “This has all the characteristics of an advanced persistent threat type of attack. Our partner Symantec defines this as an attack that uses multiple phases to break into a network, avoid detection, and harvest returns over the long term.”

The story began when the Federal Reserve Bank of New York received dozens of requests from Bangladesh Bank’s account, using the correct protocol to withdraw money, sometime between February 4 and 5, 2016. The recipients of these transactions were private entities in the Philippines and a Sri Lankan NGO. The first four requests went through the system successfully before the fifth one was declined by the Deutsch Bank, a routing bank. This was caused by a mistake in the spelling of the Sri Lankan NGO’s name.

Following this, Deutsch Bank sought further clarification from the Bangladesh Bank, raising the alarm for the first time. In the meantime, hackers were able to get away with $81 million that was transferred to bank accounts in the Philippines. Hackers are suspected to have installed malware that targeted Bangladesh Bank officials, enabling them to acquire inside knowledge of how the bank conducts its transactions with the Federal Reserve Bank of New York.

The evolution of threats is primarily driven by two goals – either commercially motivated or intellectual property that provides competitive advantage. We can draw parallel between the increase and sophistication in attacks against the banking industry and the governments, explains Stuart Davis, Director, Mandiant Services, Middle East, Turkey and Africa.

Threat actors that target financial returns are groups of people who tend to come together as quasi organised groups. They have relatively good structure and directly target individuals and financial institutions. This is where we see high levels of spear phishing fraud cases, usually directed at the CFO, says Davis. These threat actors have heightened levels of sophistication, target a wide audience, and have associated noise levels.

There are three types of global threat actors and those that look for financial returns usually sit between entry level and state sponsored threat actors. The evolution of threats is also primarily driven by two goals – either commercially motivated or intellectual property that provides competitive advantage. “And we can draw parallel between the increase and sophistication in attacks against the banking industry and the governments,” says Stuart Davis, Director, Mandiant Services, Middle East, Turkey and Africa. Mandiant Services is the forensic and remedial services division of security vendor FireEye.

Threat actors that target financial returns are groups of people who tend to come together as quasi organised groups. They have relatively good structure and directly target individuals and financial institutions. “This is where we see high levels of spear phishing fraud cases, usually directed at the CFO,” continues Davis. These threat actors have heightened levels of sophistication, target a wide audience, and have associated noise levels.

The highest level of global threat actors are state funded, who use advanced persistent threat activity, and have high levels of coordination and sophistication. They have a military type structure with very specific goals and do not have financial motivations. They do not run out of funds since they are state funded. The military type structure brings persistence and ability to develop sophisticated tools. These threat actors have a lot of time, with the ability to re-task, continuously perform reconnaissance against the adversary, continuously find and eventually get a way into those environments.

While advanced persistent threats are advanced in nature, they involve a lot of reconnaissance and it does not necessarily mean that the initial execution or reconnaissance is quick. Threat actors may spend several months probing and trying to understand how to get in. “However when you want to look at the speed of execution, we have seen cases where in seven minutes the execution of the attacks started, files were retrieved, log files removed, and the adversary was out. That is how fast they can be,” stresses Davis.

“In general we have seen threat actors, starting to focus directly on attacking financial institutions instead of just targeting customers of those institutions,” explains Jens Monrad, Global Intelligence Liaison EMEA, FireEye. “The reason is in cases where the attack is successful, the pay-out is instantly much higher for the cyber criminals than if they are targeting individuals.

The methods used are a combination of credential stealing malware and direct spear phishing emails targeted at employees with privileged access and authorisation within the organisation network. The main objective for the attacker is to obtain a foothold inside the network and if they are successful deploy more malicious code stealing sensitive information masked as employees.

“There are still too many organisations who do not have adequate control with the privileges they hand out to their users, a fact that attackers continue to exploit as they do not really have to worry about researching and finding victims with specific access,” continues Monrad.

As an example, recent FireEye reports based on aggregated statistics gathered from assisting breached enterprises point, out it takes an average of 146 days for them to realise they have been compromised. More importantly, in the case of more than half of these incidents, the organisations in question do not have the skills to detect threats themselves or even block an incident.

According to security specialist system integrator, Help AG, in the era of advanced persistent threats, users and organisations need to stop thinking of protection as a product, but rather start considering it as a process. These needs to be centred around three pivotal areas – awareness of the user, minimising attack surface, detecting the attack.

The highest level of global threat actors are state funded, who use advanced persistent threat activity, and have high levels of coordination and sophistication. They have a military type structure with very specific goals and do not have financial motivations. They do not run out of funds since they are state funded. The military type structure brings persistence and ability to develop sophisticated tools. These threat actors have a lot of time, with the ability to re-task, continuously perform reconnaissance against the adversary, continuously find and eventually get a way into those environments.

While advanced persistent threats are advanced in nature, they involve a lot of reconnaissance and it does not necessarily mean that the initial execution or reconnaissance is quick. Threat actors may spend several months probing and trying to understand how to get in. However when you want to look at the speed of execution, we have seen cases where in seven minutes the execution of the attacks started, files were retrieved, log files removed, and the adversary was out. That is how fast they can be, stresses Davis