March 17, 2016 – The cyber thieves who stole US$81 million from Bangladesh Bank hid their tracks by installing malware that manipulated a central bank printer to hide evidence of the heist, according to a person familiar with the investigation.
Earlier, two central bank officials filed a police report stating that a computer and a printer the bank uses to order SWIFT wire transfers had been manipulated so that authorities could not see records of outgoing wire transfer requests or the receipts confirming that they had been received.
Details about the issues with the computer and printer were among the first clues to surface as to how the attack was carried out.
Last week, central bank officials briefed on the investigation said malware was suspected to have been installed on the central bank’s computer systems. Then, the hackers appeared to have stolen Bangladesh Bank’s credentials for the SWIFT messaging system, which banks around the world use for secure financial communication.
The computer linked to the SWIFT system at Bangladesh Bank was supposed to keep records so they could be easily reviewed by bank staff, according to the police report.
The officials saw the first signs that something was wrong on Feb. 5, when they noticed a glitch with a printer that is set up to automatically print all SWIFT wire transfers.
When they realised the previous day’s transactions had not been printed, they attempted to manually print them but were unable to do so, according to the report, which was reviewed yesterday.
One official asked that the printer be repaired before leaving the office that day, which was a Friday and the first day of the weekend in Bangladesh. Other bank employees later decided to wait until the next day to fix it, according to the report.
When the officials tried to access the computer the bank uses to send SWIFT messages, they received error messages saying that a file, NROFF.EXE, “is missing or changed.”
They were eventually able to access the SWIFT messaging system on Feb. 8 and print out the messages, after obtaining clearance from senior bank officials to use other means to access the system.
Among the printed SWIFT messages were three from the New York Fed seeking information about several suspicious transactions, which alerted them to the heist that this week resulted in the ouster of the central bank’s governor.
A representative from Brussels-based SWIFT, a bank-owned cooperative that runs a secure private messaging system widely used for requesting money transfers, declined to comment.
SWIFT last week issued a statement saying that it was working with Bangladesh’s central bank “to resolve an internal operational issue at the central bank.” It added that “SWIFT’s core messaging services were not impacted by the issue and continued to work as normal.”