Thursday, 28 April 2016

The Big SWIFT Hack

I am old, as you can see, which means I am slow to adopt. When Windows 10 came into my life, because I hit the wrong button, I did not know what to make of the rearrangement of my screen. Imagine my surprise at the appearance of a new icon calling herself/himself/itself Cortana. Ask me anything, it said in type on the bottom line where other useful icons dwell.

This is when paranoia reared its head. Who exactly is Cortana and what will she/he/it do with my questions? I asked myself. Am I supposed to fall in love with him/her/it and bare my soul? What will some server deep in the wilds of the Neighbor to the South do with my queries, and who will they be shared with? If I ask Cortana a question about Anonymous, which I just asked Google, for example, will Cortana snitch me out to the NSA as a person interested in persons of interest? Images of two megacorps worth billions battling it out to see which gets to blow the whistle on me whirled through my head.

Okay, so that's a little over the top, but come on now, anything is a big ask.

On the other hand, isn't it far too late to worry? Everything I've asked already is recorded and known by someone, somewhere. As Edward Snowden has demonstrated, anyone with the right system administrator designation working for the right spook institution, or for any one of hundreds of spook civilian contractors, can find out what I've been investigating long before I get around to posting it. And yet something makes me draw the line at asking Cortana anything. It's the charade that gets to me: I refuse to pretend that a packet of software is my very own human slave when in fact it's the other way around. Microsoft does not need my cooperation to find out what I am up to. Without asking my permission it regularly enters my computer and has its way with it. It just dives right in. This is why every time I pay someone online I wonder where the transaction is being recorded and by whom and if one day someone out there will pretend to be me so as to explode their way through my shrinking line of credit. My bank says no worries, all the money they've lent to me is perfectly protected, no one can mess with their wonderful software. There's a lock icon on my banking screen to prove it.

Until this week, I was fool enough to believe it, likely because I'm a Canadian and our big banks are institutions of wondrous probity and care. But the fact is that financial institutions, like all the rest of us hooked to the Internet, are sitting ducks for those who practice the art of the hack. Until now, the frailty of the international banking communication system has been a pretty well kept secret, but in February, some clever folk tried to steal almost a billion dollars from the central bank of Bangladesh via the Federal Reserve Bank of New York. (Who knew Bangladesh had a billion dollars just lolling about in its account at the Federal Reserve Bank of New York? Who knew you could fool the Federal Reserve Bank of New York into sending millions of dollars to the wrong account? The hackers!!!)

Those of you who still read physical newspapers may have noticed the third Reuters story about this theft. The first, filed from Dhaka, I'm sure you missed. The third appeared in my morning rag, the Globe and Mail, this week. Don't bother searching for it on the Globe site: read the original Reuters story by Jim Finkle (and a nice job of journalism it is too). The Globe reduced it to two short paragraphs and ran it deep in the bowels of the business section underneath a longer story from Reuters about US new house sales falling in March. In other words, you needed a magnifying glass or a newspaper obsession to find it, though it was probably the most important story in the paper.

Reuters ran their third and fourth stories, scoops, right after another interesting story by David E. Sanger appeared in the New York Times the day before, on Sunday, April 24. Sanger wrote on how the US government is messing with the international banking system to attack the Islamic State. According to the Times, this story marked the first public admission by the US Cyber Command of its offensive use of what one US official called cyber bombs. All very interesting, yet after I read the Reuters stories, I couldn't shake the notion that the New York Times had only got its story because American officials wanted to distract attention from the Bangladesh caper. That heist, which netted the hackers $81 million instead of the $951 million they'd tried for, took place on February 4 and 5. Apparently, Sanger of the Times had been speaking to US officials since February about the US government's use of cyber tools to disrupt the Islamic State's operations, especially its ability to pay people electronically. Sanger's story referred to "implants", likely malware, placed within the Islamic State's computer networks: malware of the kind used by the NSA and friends to listen and watch, but now used by the Cyber Command to rewrite cyber banking reality and discombobulate the enemy.

"In other cases, officials said, the United States may complement operations to bomb warehouses full of cash by using cyber attacks to interrupt electronic transfers and misdirect payments. The fact that the administration is beginning to talk of its use of the new weapons is a dramatic change. As recently as four years ago, it would not publicly admit to developing offensive cyber weapons or confirm its role in any attacks on computer networks," wrote Sanger.

These tactics, described in the Times, turned out to be just what the hackers did in the Bangladesh caper, as the Reuters story of the next day revealed. The hackers fooled the SWIFT banking system by rewriting client connection software to make the records of their theft disappear. Reuters reported on the findings of the British civilian contractor BAE, which published a report on its blog about how the heist had been done. BAE described the malware used: it had been designed specifically to mess with the SWIFT international banking communication network via the Bangladesh bank. The second Reuters story was the first time the SWIFT network had been implicated in the theft. The SWIFT network is used every time I instruct my bank to pay someone who banks elsewhere. The SWIFT network is absolutely vital to financial transactions worldwide.

SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication. It is a cooperative owned by 3,000 institutions, used by about 11,000 banks to move money here, there and everywhere. Like any network, it appears that the SWIFT system is only as good as its weakest link, and the Bangladesh Bank, according to the Bangladesh police, is a very, very weak link, failing to erect firewalls and "relying on used $10 switches in its local networks," according to Reuters. According to the BAE blog post, its people found the malware used because it had been uploaded to a repository used to exchange information on malicious software. The upload had originated in Bangladesh. The malware, very sophisticated according to BAE, appeared to have been designed specifically for the Bangladesh Bank heist, but BAE noted that its characteristics were generally applicable, which likely made the SWIFT people quake. While BAE could not explain exactly how the money was transferred, or by whom, it could see that this malware had been designed to rewrite transaction records, both electronic and printed, so as to make them disappear from the Bangladesh Bank system just long enough to move the money without setting off alarms. The Reuters story claimed that while several fail-safe systems had worked anyway, $81 million was still missing. At first, the Bangladesh police thought they had traced the money to perpetrators in the Philippines and Sri Lanka. It turned out that several of these names had been lifted from the Philippines' voter list. In other words, the money had been routed through accounts opened via identity theft.

BAE suggested that the Alliance Access server software, which many banks use to interface with the SWIFT system, had been manipulated through a server somewhere in Egypt. This sort of thing, of course, was exactly what the US had just advertised that it was going to do to IS. Or had already done?

The next day the fourth Reuters story appeared, again by Jim Finkle, and it was not carried in my papers. In it, the SWIFT people admitted that other suspicious transactions, okay thefts, had occurred via their network. They did not say how many, or for how much, or where; they just advised their bank clients to go over their security systems very, very carefully.

This story also mentioned that the Bank of Bangladesh investigation involved a very interesting US-based company called FireEye. I have written about FireEye before. It has a relationship with the CIA, though Finkle did not mention that. FireEye got its initial investment in 2006 from Sequoia, a Silicon Valley venture capitalist, and also from a not-for-profit company called In-Q-Tel. In-Q-Tel was created by the CIA so it could keep abreast of the rapidly expanding cyber technologies. The Principal Threat Intelligence Analyst at FireEye is a fellow named Nart Villeneuve, who worked for years with the Citizen Lab, an organization set up with a Ford Foundation grant at the University of Toronto in 2001 to investigate the dark world of cyber spooking and cyber crime. Citizen Lab had help later from a company called Palantir, which In-Q-Tel also invested in, back when the Citizen Lab was working on its GhostNet investigation. Citizen Lab watched and tracked hackers as they wormed their way into the Dalai Lama's computer systems, reading this, copying that, and traced the hackers back to a Chinese military intelligence complex. So it is interesting that FireEye is now tracking down who did this to the banks and exactly how. Villeneuve has written several papers explaining how it is possible to follow the "breadcrumbs" left by hackers back to their point of origin.

To me, it is shocking that none of the heist stories were carried on the front pages of everybody's newspapers, and that SWIFT said nothing about the other thefts that had occurred through its system until after BAE's blog post appeared on the 25th and was reported on by Reuters. The thing to remember is that this wasn't just a hack on the Bank of Bangladesh, a third world financial entity. It was at root a successful hack of the Federal Reserve Bank in New York. I'm pretty sure this heist is what goosed the US Cyber Command to say we're coming for you, IS, via the pages of the New York Times. If there is one thing the US government cannot tolerate, it is someone messing with its banking system.

If there is one thing that should strike terror into all our hearts it is that someone found a way to do it.

I wonder who.
