"I remain concerned that there are critical security gaps in the international payment system," Ms. Maloney said in a statement.
She also released correspondence between her office and the Federal Reserve Bank of New York, in which the bank's general counsel, Thomas C. Baxter Jr., assured her that "there is no evidence that any Federal Reserve systems were compromised."
Investigators briefed on the investigation at the Bangladesh central bank say that they had uncovered the presence of three groups of intruders inside the bank's systems: two nations — Pakistan and North Korea — and a third, unidentified group of digital criminals thought to have siphoned the funds from the bank to accounts in the Philippines.
Also on Friday, two forensics investigators at BAE Systems outlined evidence that suggested similarities between the Bangladesh heist and a 2014 attack against Sony Pictures that law enforcement and intelligence agencies in the United States have traced to North Korea. That year, Sony released the farcical movie "The Interview," which poked fun at North Korea.
The investigators pointed to specialized, identical tools — including identical encryption keys, file names and a highly unusual data deletion technique — that were used in the attack on Sony Pictures, the Bangladesh central bank and the Vietnamese bank.
However, people briefed on the actual investigation at the Bangladesh bank, who would speak only on the condition that they not be named, said that while the same tools were present inside Bangladesh's systems, suggesting any link between that heist and the North Korean hackers would be premature.
Banks are frequent targets not just for profit-seeking digital criminals, but also nation states hoping to track spending by their perceived enemies or to gain insights into deal-making activity.
In 2012, investigators at the Russian security firm Kaspersky Lab revealed a campaign by nations, presumably the United States or Israel, aimed at banks in Lebanon, including the Bank of Beirut, Blom Bank, Byblos Bank and Credit Libanais, along with Citibank and PayPal.
In that case, the organizations involved in the Lebanese bank intrusions never stole any funds. Rather, they used stolen credentials to track customers' assets and spending.
By their nature, hackers are difficult to trace, and theories advanced immediately after a breach can turn out to be wrong.
In summer 2014, when hackers stole account information from tens of millions of customers at JPMorgan Chase, experts initially pointed to Russia, raising concerns about national security.
In the end, federal prosecutors said that attack might have been partly the work of Israeli nationals and individuals who knew each other from Florida State University, and that their attack on the bank may have been aimed at advancing a pump-and-dump stock scheme. No money was stolen from JPMorgan in that breach.
Large banks in the United States and Europe, which are part owners of Swift, have been monitoring the developments and are studying whether they need to adjust any of their defenses to guard against similar intrusions.
"We are pretty fast learners,'' said Doug Johnson, senior vice president for payments and security at the American Bankers Association, a trade group. "We proactively share information about how to mitigate these threats."
In the heist at Bangladesh Bank, the thieves used the stolen credentials to authorize the transfer of $ 951 million from the central bank's account at the New York Fed.
The Fed approved five of the payments to accounts in Sri Lanka and the Philippines. As far as the bank employees in the United States could tell, the payment requests had been authenticated by Swift.
One of those five requests was ultimately blocked by a bank in Sri Lanka, which noticed that the name of the supposed nonprofit group that was to receive the funds was misspelled. Instead of "Foundation," it was spelled "Fundation," according to a person briefed on the matter, who spoke on the condition of anonymity because of a continuing criminal investigation.
The New York officials relied entirely on Swift to authenticate the transfers, according to a letter from the New York Fed that Ms. Maloney's office released on Friday. The New York Fed does not independently vet other users on the Swift network.
The New York Fed withheld an additional 30 requested transfers from Bangladesh because one address that was supposed to receive a payment contained the same name as a ship known for smuggling activity, the person briefed on the matter said.
It turned out the address and the smuggling ship were unrelated, but that was enough to raise the New York Fed's concerns. When they couldn't reconfirm with officials in Bangladesh that transfers were legitimate, the New York bank denied them.