(Bloomberg) -- Investigators examining the theft of $81 million from Bangladesh’s central bank have uncovered evidence of three hacking groups -- including two nation states -- inside the bank’s network but say it was the third, unidentified group that pulled off the heist, according to two people briefed on the progress of the bank’s internal investigation.
FireEye Inc., the company hired by the bank to conduct the forensics investigation, identified digital fingerprints of hacking groups from Pakistan and North Korea, the two people said. It hasn’t found enough data to determine whether the third group, the actual culprit, was a criminal network or the agent of another nation.
The twists and turns add to the mystery of who pulled off one of the largest cyberheists in history. The hackers, pairing theft with havoc within the global financial system, used the Swift inter-bank messaging system to move cash into fake accounts in the Philippines but were discovered before they could complete an attempted transfer totaling $951 million.
The U.S. Federal Bureau of Investigation suspects an insider with access to the computers at the Bangladesh central bank played a role in the caper, according to the people briefed on the investigation. Police in Bangladesh said they have found negligence within the bank but haven’t determined whether there was any criminal intent.
Spokesmen for Pakistan’s interior and information technology ministries didn’t respond to requests for comments. Telephone and e-mailed requests for comment to North Korea’s delegation to the United Nations went unanswered.
A year in the making, the hacking scheme ran through the Swift messaging system and the central bank’s accounts at the Federal Reserve Bank of New York, exposing crucial weaknesses in the global financial system. Government officials in the Philippines and Sri Lanka are investigating where the purloined money may have gone. Members of the U.S. Congress have asked for additional information about whether there were lapses in security by institutions duped in the scam.
“These guys started to lay the groundwork for their hack or their robbery a year ago. They set up their false accounts, with false IDs,” said Leonard Schrank, who was Swift’s chief executive officer for 15 years through 2007. “It was really well thought through, and they found a very weak link, which they exploited.”
Hundreds of billions of dollars are moved internationally through the Swift system daily. The group warned users last month that it was aware of several similar attacks. It didn’t indicate whether it suspected the same hackers or whether more money was taken.
The Bangladesh forensic results, provided to the bank in the last few days, highlight the challenges of identifying skilled perpetrators in cyberspace, where hackers can mimic others and route their actions around the world to confuse trackers.
The people briefed on the investigation agreed to provide details for this article only if not identified, citing the small circle of people who have been briefed so far.
On Tuesday, the new head of Bangladesh’s central bank met in Basel, Switzerland, to discuss the investigation with officials from the New York Fed and Swift. In a brief joint statement, the parties said they were committed to recovering the proceeds of the fraud, bringing the perpetrators to justice and working together “to normalize operations.”
Representatives for the New York Fed, Swift and Bangladesh central bank declined to provide additional details about the progress of the investigation.
FireEye was unable to determine how the thieves first entered the Bangladesh bank’s network, according to one of the people. One possibility is that malware was introduced into the network by someone inside the bank or a technician working with the bank. Malware can be introduced quickly onto a network by someone inside with something as simple as a thumb drive in an open USB port. The forensics investigation hasn’t found any evidence of this, the person said.
The potential role of any insider is still being investigated. The FBI has been assisting the inquiry at the request of the Bangladesh central bank. Jillian Stickels, a spokeswoman for the FBI in Washington, declined to comment on the investigation. The Wall Street Journal reported earlier Tuesday that the FBI suspected the involvement of an insider.
The Bangladesh Bank hasn’t yet been able to determine whether an employee was involved, according to a panel it appointed to review the incident. An official from Bangladesh’s police said it hasn’t received information from the FBI about a possible insider and that no arrests had been made.
Bangladesh officials have sought to cast Swift as bearing some responsibility, this week releasing details about Swift technicians who made upgrades to the bank’s system late last year. Reuters previously reported on the officials’ findings.
The way that technicians from Swift set up the network at Bangladesh Bank “was not according to the agreed plan," Shah Alam, a senior official in Bangladesh’s Criminal Investigation Department, told Bloomberg on Tuesday.
“We have also found that some officials at Bangladesh Bank who were in charge of maintaining the network fell short of their responsibilities,” he said, adding that police were still trying to determine if the officials’ actions went beyond pure negligence.
Such allegations are false, inaccurate and misleading, Swift said in a statement on its website.
The Bangladesh central bank has been roiled since the hack was disclosed in March, and several officials have stepped down. Atiur Rahman resigned as Bangladesh’s central bank governor, saying he took moral responsibility after failing to immediately inform the Finance Ministry of the theft. Two of his deputies were also removed.
Attribution of a breach is notoriously difficult, even for the U.S. government. In this case, the task was hampered as investigators sifted through the handiwork of multiple hacking groups, attributing the heist at various stages of the investigation first to one group and then the next, according to one of the people briefed.
Hackers used the Swift system to make illicit payments to accounts in several countries, creating sophisticated malware designed to operate on the bank’s Swift messaging system. As the hackers navigated through the bank’s network unseen for weeks, they deployed a smorgasbord of tools that included two pieces of malware dubbed Nestegg and Dyepack, according to one of the people briefed on the report.
The ease with which the hackers manipulated the interbank system and the significant resources used to create and customize the malware raise the possibility of more attacks against international institutions, people involved in the bank probe said.
North Korea’s hacking prowess has been cited by government officials repeatedly in recent years. President Obama accused North Korea of pilfering and publishing a trove of corporate information from Sony more than a year ago -- after the production of “The Interview,” a movie that parodies North Korea -- and vowed to take unspecified action against the country. North Korea has also been blamed for a series of financial hacks in South Korea by officials there.
After the White House publicly attributed the Sony breach to North Korea, some security firms publicly cast doubt on the claim. North Korea has denied any involvement.Investigators have spent weeks following the money trail from the Bangladesh central bank’s account, but the ultimate destination of tens of millions of dollars remains unknown.
After scouting the computer system, the hackers impersonated bank officials, sending instructions through the Swift system to move nearly $1 billion to several bank accounts in several countries.
Most of the transfers were stopped or reversed because of simple errors made by the hackers, including a spelling error. Clues to the missing millions have led from computers in Bangladesh to a colorful cast of characters including a bank manager and casino operators in the Philippines and the head of a non-profit foundation in Sri Lanka.
Swift, which stands for Society for Worldwide Interbank Financial Telecommunication, is a cooperative that is a vital component in global interbank transfers. It has said that its systems weren’t compromised but that messages were sent through its system by attackers who appeared to have “good knowledge of the bank systems and their security procedures.”
--With assistance from John Detrixhe Norman P. Aquino Matthew Boesler and Alan Katz To contact the reporters on this story: Arun Devnath in Dhaka at email@example.com, Michael Riley in Washington at firstname.lastname@example.org. To contact the editors responsible for this story: Winnie O'Kelley at email@example.com, Sara Forden at firstname.lastname@example.org, Jeffrey D Grocott
©2016 Bloomberg L.P.