DHAKA—Hackers installed malicious software into the Bangladesh Bank (BB) system in January, which helped them gain knowledge of the central bank’s working methods before stealing some $101 million.
The forensic investigation by the BB, launched soon after the Feb. 4 digital heist, detected the presence of the malware, said finance ministry and BB officials.
The malware is so powerful that it could gather information about the BB operations on international payment and fund transfers.
The malware is even believed to have destroyed evidence on the Bangladesh side of the hacking, a BB official said, requesting anonymity citing the ongoing investigation.
It is not yet clear how the malware was installed into the BB system or where the hackers were when they sent the transfer orders to the New York Federal Reserve Bank, from where the money was stolen.
Malware is an umbrella term used to refer to a variety of forms of hostile or invasive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware and other malicious programs.
The malware installed in the BB system copied information on how payment orders were made in recent months and sent it to the hackers.
Using the information, the hackers chose an opportune moment and stole credentials for payment transfers and then ordered transfers out of the New York Fed account held by the BB.
The hackers chose the weekend in four countries to break into the BB system. The weekly two-day bank holiday in Bangladesh starts at Thursday midnight and a day later in the US, the Philippines and Sri Lanka. Knowing that there would be no mutual correspondence immediately, the hackers sent the fake payment orders around midnight on Feb. 4, a Thursday in Bangladesh.
About $1 billion of the BB reserves is kept in a current account with the Fed. The money is meant to make government payments against debts and consultancy fees for development projects.
The hackers attempted to steal all of it but failed, although they made the requests look like real transfer orders by using the names of genuine projects, donors and authorities.
Of the $101 million stolen, $81 million was wired to two banks in the Philippines. The remaining $20 million was sent to a bank in Sri Lanka in favor of a nongovernment organization (NGO), whose account was opened just a month ago, according to the BB.
The sum that ended up in Sri Lanka has been retrieved, as the money was not disbursed because the NGO’s name was wrongly spelled in the transfer order, BB officials said.
According to the Philippine Daily Inquirer, it appeared that a $25-million transaction was ordered by the BB on behalf of the government’s Kanchpur, Meghna and Gumti second bridges construction projects.
A central bank official yesterday confirmed that the names of the projects were indeed used. The Daily Star/Asia News Network