The central bank of Bangladesh lost $81M in a digital heist whose perpetrators have not been caught, thanks in large part to the bank’s decision to run its computers without a firewall, and to run networking with second-hand cheapie routers it sourced for $10 each.
The hackers almost got $1B, but a spelling mistake they made on a transfer order tipped off bank personnel, interrupting the hack.
The cheap routers were unable to segment the private and public-facing functions of the bank’s IT, and kept minimal logs, which hampered forensic investigations.
The money was transferred to private accounts and casino accounts in the Philippines, from which much of it has yet to be recovered.
The hack took place in early February and involved hackers getting access to the core network of Bangladesh’s central bank. They used this privileged access to transfer cash from Bangladesh’s account at the Federal Reserve Bank of New York to other banks.
A spelling mistake in one of the transfer orders alerted bank staff and meant the hackers only managed to steal $81m. This has been traced to accounts in the Philippines and to casinos in the same country. Most of the cash has yet to be recovered.
Bank security experts said the bank should have spent more time and money protecting the network for its central bank.
“You are talking about an organisation that has access to billions of dollars and they are not taking even the most basic security precautions,” Jeff Wichman, a consultant with cyber firm Optiv, told Reuters.