Was Bangladesh Central Bank’s Hack Its Own Fault?

Investigators looking into one of the world’s biggest cyberheists believe the bank’s own security shortcomings left it vulnerable to fraudsters.

Mohammad Shah Alam, who leads the Forensic Training Institute of the Bangladesh police’s criminal investigation department, said the Bangladesh central bank did not have a firewall and used secondhand $10 switches to network its computers, Reuters reported on Thursday (April 21).

According to Alam, these lapses in security left the bank very vulnerable to the cyberheist in which $101 million was stolen from its account with the New York Federal Reserve.

“It could be difficult to hack if there was a firewall,” Alam told Reuters in an interview.

As the investigation into the bank heist continues, emerging evidence has shown that there may have been much more Bangladesh could have done to ensure its central bank was secure.

The fact that hackers could gain access to the SWIFT network — the cooperative system behind the vast majority of worldwide cross-border payments — and make $100 million go up in smoke has raised worldwide alarm bells.

Last month, SWIFT noted that its own network was not what was breached, which is accurate: the attackers gained their access at the Bangladeshi central bank level.

According to FireEye, the Silicon Valley security firm auditing the theft, it seems some sneaky malware was covertly installed, then hung out for a few days before going after the SWIFT terminal. By using keystroke software, thieves were able to steal operating codes, which allowed them to “process and authorize SWIFT transactions,” FireEye’s report said.

“The security breach of the SWIFT environment is part of a much larger breach that is currently under investigation,” the report said. FireEye investigators have warned Bangladeshi officials that at least 32 computers at the central bank may have been breached by hackers leading up to the attack on Feb. 5.

Reuters said that many security experts are shocked by the investigators’ findings thus far.

“You are talking about an organization that has access to billions of dollars, and they are not taking even the most basic security precautions,” Jeff Wichman, a consultant with cyber firm Optiv, told the newswire.

To date, the cybercriminals behind the attack are still at large, but police investigators are reportedly placing much of the blame for the heist on the bank itself.