Incident: SWIFT System Compromised Leading to $81 Million Heist.

Published Date: 2016-03-11

Postmortem Analysis
Timeline
1. The software failure incident at Bangladesh Bank happened between February 4 and February 5, 2016, as reported in [41830, 43021, 43022].
2. The incident at Sony, which may have been a dry run for the Bangladesh Bank heist, occurred in 2016, as mentioned in [115379].

System
1. SWIFT's Alliance Access server software [43021, 43022]
2. SWIFT client software known as Alliance Access [43021, 43022]
3. SWIFT messaging platform [43021, 43022]
4. SWIFT network [43021, 43022]
5. SWIFT's core messaging system [43934]
6. SWIFT's core communication system [44033]
7. SWIFT's local interface [42744, 43022]
8. SWIFT's software program installed on bank servers [43021]
9. SWIFT's software that banks use to access its network [42744, 43021, 43022]
10. SWIFT's systems [41830]

Responsible Organization
1. Malicious insiders or external attackers who managed to submit SWIFT messages to the SWIFT network from financial institutions' back offices, PCs, or workstations connected to their local interface [42744, 43022].
2. Attackers who manipulated the Alliance Access server software, used by banks to interface with SWIFT's messaging platform, to cover up fraudulent transfers [43021].
3. Insiders or cyber attackers who penetrated targeted banks' systems, obtained user credentials, and submitted fraudulent SWIFT messages corresponding to money transfers [43934].

Impacted Organization
1. The New York Fed [41830]
2. Bangladesh Bank [42744, 43021, 43022, 43758, 43934]
3. SWIFT (Society for Worldwide Interbank Financial Telecommunication) [42744, 43021, 43022, 43934, 57977]

Software Causes
1. Malicious software code, specifically malware, allowed hackers to learn how to withdraw money and was suspected to have been installed several weeks before the incident [41830].
2. Hackers manipulated SWIFT's Alliance Access server software, which banks use to interface with SWIFT's messaging platform, to cover their tracks [42744].
3. Malware targeting SWIFT client software was confirmed, and hackers manipulated the Alliance Access server software to cover up fraudulent transfers [43021].
4. Malware installed on the bank's network subverted the software used to automatically print SWIFT transactions, preventing workers from discovering the fraudulent transactions quickly [43758].
5. Hackers used malware, including a "Trojan PDF reader," to manipulate the PDF reports confirming messages and so hide their tracks [43934].
6. Attackers attempted to replicate the modus operandi of the Bangladesh attackers by using software that allows technicians to access computers to provide technical support [57977].

Non-software Causes
1. Lack of basic security measures such as firewalls, and reliance on used $10 switches, in Bangladesh Bank's local networks [43021].
2. Compromise of valid operator credentials by internal or external attackers to create and approve fraudulent SWIFT messages [42744].
3. Insufficient protection against cyber threats and a lack of skilled personnel at some less protected banks [44159].
4. Compromise of bank systems and acquisition of user credentials by attackers to submit fraudulent SWIFT messages [43934].
5. Use of malware by hackers to prevent workers from discovering fraudulent transactions quickly [43758].

Impacts
1. The software failure incident led to fraudulent transfers and theft of funds from the Bangladesh central bank's account at the New York Federal Reserve Bank, prompting investigations by law enforcement authorities [43934].
2. The incident disrupted banking operations: a critical system file was reported missing or altered, reports could not be printed, and suspicious transactions were detected [43758].
3. The software failure incident exposed vulnerabilities in the SWIFT software program installed on bank servers, potentially compromising the security of the global financial system [43021].
4. The incident highlighted the need for enhanced security measures and software updates to prevent similar attacks in the future, urging financial institutions to scrutinize their security procedures and install mandatory software updates [43022, 42744].
5. The software failure incident raised concerns about the security of SWIFT's messaging platform and the potential for attackers to manipulate the Alliance Access server software used by banks to interface with SWIFT [43021, 43022].
6. The incident underscored the importance of regulating financial institutions more tightly and strengthening security measures to prevent future attacks [41830].

Preventions
1. Implementing better regulation and tighter security measures for financial institutions to prevent similar attacks in the future [41830].
2. Enhancing security procedures to protect against malicious insiders or external attackers submitting fraudulent SWIFT messages [42744].
3. Installing security updates and scrutinizing security procedures to thwart malware targeting client software [43021, 43022].
4. Implementing appropriate security measures in local environments to safeguard systems against attacks [43021].
5. Creating an ecosystem of providers and partners and introducing certification requirements for third-party providers [44159].
6. Using antivirus software to identify malware, and building features into software that alert on attempted system manipulation [57977].
7. Ensuring that systems for critical operations, such as printing out records of financial transactions, are secure against manipulation by hackers [115379].

Fixes
1. Implementing mandatory security updates for the software used to access the SWIFT network to thwart malware, as recommended by SWIFT [42744, 43022].
2. Enhancing security measures in local environments to safeguard systems against attacks, as advised by SWIFT [43021].
3. Conducting thorough reviews of networks for vulnerabilities and potential breaches, as suggested by security professionals and bank executives [41830].
4. Strengthening security and regulating financial institutions more tightly to prevent similar attacks, as recommended by cybersecurity experts [41830].
5. Creating an ecosystem of providers and partners, introducing certification requirements for third-party providers, and addressing skill shortages in certain countries to improve security, as proposed by SWIFT's CEO [44159].

References
1. Security professionals and bank executives [41830]
2. Bangladesh Bank officials briefed on the matter [41830]
3. SWIFT (Society for Worldwide Interbank Financial Telecommunication) [42744, 43021, 43022]
4. BAE Systems (British defense contractor) [42744, 43021, 43022]
5. Natasha Deteran (SWIFT spokeswoman) [43021, 43022]
6. Jeff Wichman (consultant with cyber security firm Optiv) [41830]
7. Adrian Nish (BAE's head of threat intelligence) [43021]
8. Mohammad Shah Alam (head of the Forensic Training Institute of the Bangladesh police's criminal investigation department) [43021]
9. Rakesh Asthana (World Informatix Cyber Security CEO) [43022]
10. Financial regulator [57977]

Software Taxonomy of Faults

Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- SWIFT, the global financial messaging network, experienced a similar software failure incident related to fraudulent messages being sent over its system in multiple recent cyber incidents [42744, 43022].
- SWIFT confirmed that malware targeted its client software, leading to the need for a software update to prevent such incidents [43021].
(b) The software failure incident having happened again at multiple_organization:
- The software failure incident involving fraudulent messages sent over SWIFT's system was not an isolated incident, as there were several recent criminal schemes targeting the global messaging platform used by financial institutions [42744, 43022].
- SWIFT warned of a second malware attack similar to the one at the Bangladesh central bank, indicating a wider and highly adaptive campaign targeting banks [43934].
- The disclosures by SWIFT provided evidence that the network remains at risk of attacks, with hackers refining their methods for compromising local bank systems [57977].

Phase (Design/Operation)
Option: design, operation
Rationale:
(a) design: Attackers were able to manipulate the SWIFT client software known as Alliance Access. They exploited weaknesses in the SWIFT software program installed on bank servers, enabling them to modify the software to hide evidence of fraudulent transfers [43021].
(b) operation: Attackers compromised the banks' own environments to obtain valid operator credentials, allowing them to submit fraudulent messages through the SWIFT network. This highlights a failure in the operation and security procedures of the banks, leading to unauthorized access and misuse of the system [43022].

Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: Contributing factors originated from within the system. Malware was installed on the bank's network to manipulate the software used to automatically print SWIFT transactions, which allowed fraudulent transactions to proceed undetected [43758]. Additionally, the attackers compromised the SWIFT software on bank computers to erase records of illicit transfers, indicating an internal system compromise [43021].
(b) outside_system: Contributing factors also originated from outside the system. Hackers managed to submit SWIFT messages to the SWIFT network from financial institutions' back offices, PCs, or workstations connected to the local interface, indicating an external attack vector [42744]. Additionally, the attackers exhibited a deep and sophisticated knowledge of specific operational controls at targeted banks, suggesting an external influence on the incident [43934].

Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The incident involved the installation of malicious software code, such as malware, which allowed hackers to learn how to withdraw money [41830].
- Hackers manipulated the Alliance Access server software, used to interface with SWIFT's messaging platform, to cover up fraudulent transfers [43021].
- Attackers installed malware on the bank's network to prevent workers from discovering fraudulent transactions quickly, subverting the software used to automatically print SWIFT transactions [43758].
- Hackers used a kind of malware called a "Trojan PDF reader" to manipulate the PDF reports confirming messages and hide their tracks [43934].
- Thieves compromised local bank systems using software that allows technicians to access computers to provide technical support [57977].
(b) The software failure incident occurring due to human actions:
- Attackers obtained valid credentials for operators authorized to create and approve SWIFT messages, then submitted fraudulent messages by impersonating those people [42744].
- The software on the terminal connecting to the SWIFT network indicated that a critical system file was missing or altered, suggesting human involvement in altering the system [43758].
- SWIFT stated that the hacks primarily happened due to failures at users, indicating human errors in protecting the systems [44159].

Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware:
- The Bangladesh Bank cyber heist was suspected to have been facilitated by malware installed on the bank's network, which prevented workers from discovering the fraudulent transactions quickly [43758].
- Investigators found that the bank's computer security measures were seriously deficient, lacking basic precautions like firewalls and relying on used $10 switches in its local networks [43021].
(b) The software failure incident occurring due to software:
- The cyber heist at the Bangladesh central bank was likely facilitated by hackers manipulating the SWIFT client software known as Alliance Access, indicating a compromise of the software installed on bank servers [43021].
- SWIFT confirmed that malware was targeting its client software, leading to the release of a software update to thwart the malware and enhance security procedures [43021].
- SWIFT warned customers of recent cyber incidents in which attackers compromised banks' environments to obtain valid operator credentials, emphasizing the need for security updates to identify attempts to hide traces, whether executed manually or through malware [42744].
- SWIFT also acknowledged that attackers exhibited a deep and sophisticated knowledge of specific operational controls at targeted banks, indicating potential vulnerabilities in the software systems used by the banks [43934].
- SWIFT stated that attackers had refined their methods for compromising local bank systems, including using software that allows technicians to access computers to provide technical support, highlighting ongoing software-related vulnerabilities [57977].

Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident described in the articles is malicious in nature. Hackers installed malware on the bank's network to carry out fraudulent transactions, manipulate SWIFT software, and cover their tracks [41830, 43021, 43022, 43758, 43934, 57977].
(b) The incident involved attackers with deep knowledge of specific operational controls at targeted banks, indicating a sophisticated and intentional attack rather than a non-malicious software failure [43934].

Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
(a) The intent of the software failure incident related to poor_decisions:
- The cyber heist at Bangladesh Bank was attributed to weaknesses that enabled attackers to modify a SWIFT software program installed on bank servers, suggesting poor decisions in system security and maintenance [43021].
- SWIFT stated that the hacks primarily occurred due to failures at users, indicating that some banks, especially less protected ones, made poor decisions in implementing security measures [44159].
(b) The intent of the software failure incident related to accidental_decisions:
- The incident at Bangladesh Bank involved the installation of malware on the bank's network to prevent workers from discovering fraudulent transactions quickly, indicating an unintended consequence of the malware installation [43758].
- SWIFT noted that attackers may have been aided by malicious insiders or cyber attacks, suggesting unintended consequences of potential insider threats or cyber attacks [43934].

Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident related to development incompetence is evident in the articles. The incident involved the use of sophisticated malware, such as a Remote Access Trojan (RAT), which allowed attackers to gain remote control of the victim's computer [41830]. Additionally, investigators found that the SWIFT software on the bank computers was compromised to erase records of illicit transfers, indicating a level of expertise and planning by the attackers [43021]. Bangladesh Bank's computer security measures were deemed seriously deficient, lacking basic precautions like firewalls, which contributed to the vulnerability [43021]. SWIFT also acknowledged that the hacks primarily occurred due to failures at user banks, indicating a lack of proper security measures [44159].
(b) The software failure incident related to accidental factors includes the initial discovery of the incident through a malfunctioning printer, which was at first perceived as a minor technical issue [115379]. Additionally, the hackers managed to disable the bank's computers with viruses, leading to a halt in activities, indicating an accidental disruption caused by the malware [115379].

Duration
Option: temporary
Rationale:
(a) The software failure incident in the articles appears to be temporary rather than permanent. The incident involved hackers compromising the SWIFT messaging system and manipulating software to hide evidence of fraudulent transfers. SWIFT released software updates to enhance security and detect inconsistencies in local database records [43021, 43022]. Additionally, the incident prompted SWIFT to warn customers about refined methods used by hackers to compromise local bank systems, indicating ongoing efforts to address and prevent such attacks [57977]. These actions suggest that the failure was due to contributing factors introduced by certain circumstances rather than present in all circumstances, making it a temporary issue.

Behaviour
Option: crash, omission, timing, value, byzantine, other
Rationale:
(a) crash: The incident can be attributed to a crash, as the system lost its state and failed to perform its intended functions. Article 43758 reports that bank workers found the printer tray empty, and when they tried to print the reports manually they could not, because a critical system file was missing or altered, indicating a system crash [43758].
(b) omission: The incident can also be categorized as an omission, where the system failed to perform its intended functions at one or more instances. The software used to automatically print SWIFT transactions was subverted by malware, so the transactions were not printed as expected [43758].
(c) timing: The timing of the incident is crucial, as it relates to the system performing its intended functions but either too late or too early. Here, fraudulent transactions were initiated on specific dates to delay discovery. As mentioned in Article 115379, the attack was strategically timed to delay discovery by almost three days by exploiting the working hours of different banks [115379].
(d) value: The incident can also be linked to a value failure, where the system performed its intended functions incorrectly. The hackers manipulated the SWIFT software to cover up fraudulent transfers, indicating a failure in the correct execution of the system's functions [43021].
(e) byzantine: The incident exhibits characteristics of a byzantine failure, where the system behaved erroneously with inconsistent responses and interactions. The attackers exhibited deep and sophisticated knowledge of specific operational controls at targeted banks, indicating complex and deceptive behavior [43934].
(f) other: The incident can be described as a sophisticated cyber attack combining malware, manipulation of software, and strategic timing to cover up fraudulent activities. This behavior goes beyond a simple crash, omission, timing issue, value failure, or byzantine behavior, showing a highly orchestrated and elaborate scheme by the attackers [41830, 42744, 43022].
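The omission, timing and value failures above share one detection strategy: compare the interface's own journal against a record the attacker could not edit. The following script is an added example, not code from SWIFT, from any bank, or from the cited articles; it reconciles a constructed local journal against a constructed correspondent-bank debit statement and flags transfers that are missing locally, altered in amount, journaled but never settled, or sent on a weekend. The pipe-separated record format, the WEEKEND setting and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Weekday numbers treated as the bank's weekend (Mon=0). Assumed Fri/Sat here,
# which is when the February 2016 transfers landed.
WEEKEND = (4, 5)


@dataclass(frozen=True)
class Transfer:
    ref: str        # transaction reference
    amount: float
    currency: str
    at: datetime    # when the instruction was sent or the debit was posted


def parse_records(text):
    """Parse constructed 'ref|amount|ccy|ISO-timestamp' lines; '#' starts a comment."""
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ref, amount, ccy, ts = (field.strip() for field in line.split("|"))
        records.append(Transfer(ref, float(amount), ccy, datetime.fromisoformat(ts)))
    return records


def reconcile(local_journal, external_statement, weekend=WEEKEND):
    """Cross-check the interface's own journal against an independent record.

    Malware that edits or deletes local records cannot touch the correspondent's
    statement, so every disagreement is a finding. Returns sorted (finding, ref) pairs.
    """
    local = {t.ref: t for t in local_journal}
    external = {t.ref: t for t in external_statement}
    findings = []
    for ref, ext in external.items():
        loc = local.get(ref)
        if loc is None:
            findings.append(("missing_locally", ref))   # record erased or never journaled
        elif (loc.amount, loc.currency) != (ext.amount, ext.currency):
            findings.append(("amount_mismatch", ref))   # local record or report altered
        if ext.at.weekday() in weekend:
            findings.append(("sent_on_weekend", ref))   # timed to delay discovery
    for ref in local.keys() - external.keys():
        findings.append(("never_settled", ref))         # journaled but never debited
    return sorted(findings)


# Constructed sample data; none of these are real transactions.
LOCAL_JOURNAL = """
# ref|amount|ccy|timestamp  (the interface's own journal, as the attacker left it)
TRN0001|1000000.00|USD|2016-02-04T18:05:00
TRN0002|2500000.00|USD|2016-02-04T18:20:00
TRN0004|750000.00|USD|2016-02-04T18:40:00
"""

EXTERNAL_STATEMENT = """
# ref|amount|ccy|timestamp  (correspondent bank's debit statement)
TRN0001|1000000.00|USD|2016-02-04T18:05:00
TRN0002|25000000.00|USD|2016-02-04T18:20:00
TRN0003|20000000.00|USD|2016-02-05T02:10:00
"""


def run_example():
    return reconcile(parse_records(LOCAL_JOURNAL), parse_records(EXTERNAL_STATEMENT))


if __name__ == "__main__":
    for finding, ref in run_example():
        print(f"{finding:16} {ref}")
```

The same comparison works against any second source the interface host cannot write to, such as the printed confirmations or the network acknowledgements, as long as that copy is kept off the compromised machine.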

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Consequence
Option: property, delay, non-human, theoretical_consequence, other
Rationale:
(a) death: People lost their lives due to the software failure. There is no mention of any deaths resulting from the software failure incident in the provided articles.
(b) harm: People were physically harmed due to the software failure. There is no mention of any physical harm to individuals resulting from the software failure incident in the provided articles.
(c) basic: People's access to food or shelter was impacted because of the software failure. There is no mention of people's access to food or shelter being impacted by the software failure incident in the provided articles.
(d) property: People's material goods, money, or data were impacted due to the software failure. The software failure incident resulted in a cyber heist in which hackers stole $81 million from accounts of Bangladesh Bank [43758].
(e) delay: People had to postpone an activity due to the software failure. The software failure incident caused delays in the printing of reports and transactions at the bank [43758].
(f) non-human: Non-human entities were impacted due to the software failure. The software failure incident impacted the SWIFT software program installed on bank servers [43021].
(g) no_consequence: There were no real observed consequences of the software failure. Not applicable: the software failure incident had significant consequences, including financial losses and security concerns.
(h) theoretical_consequence: Potential consequences of the software failure were discussed that did not occur. The potential consequences discussed included the need for central banks to strengthen security and regulate financial institutions more tightly to prevent similar attacks in the future [41830].
(i) other: Were there consequences of the software failure not described in options (a) to (h)? What are they?
- The software failure incident led to a cyber heist involving the manipulation of SWIFT client software and fraudulent transfers of funds [43021, 43934].

Domain
Option: finance
Rationale:
(a) The failed system was related to the finance industry, specifically the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system used by banks for international money transfers [43021, 43022, 43758, 44033, 44159, 57977, 115379].
