A Turkish hacking group has stolen data of five South Asian banks, including three in Bangladesh. The other two banks are located in Nepal.
US-based cyber security website databreachtoday.com, in a report yesterday, said the stolen data was ‘apparently posted online’ on May 10 by Turkish group Bozkurtlar.
Meanwhile, saying that the theft of $81 million from Bangladesh Bank was “part of a wider and highly adaptive campaign targeting banks,” SWIFT, which oversees the financial messaging network that underpins global money transfers, yesterday warned its customers that “at least one Vietnamese bank was also breached by the same attackers”.
The Bangladeshi banks whose data have been posted online are Dutch-Bangla Bank, The City Bank, and Trust Bank run by Army Welfare Trust.
Sanima Bank and Business Universal Development (BUD) Bank are the two Nepalese banks that came under cyber attacks.
Links to the file archives containing data from all five banks have been posted from a Twitter account supposedly operated by Bozkurtlar, or “Grey Wolves.” The group appears to be making good on its threat to release data from more Asian banks, an indication that further such disclosures may be expected in the region in the near future.
Several security experts who have been following Bozkurtlar say that while the data in the newest leak appears genuine, the volume of data from these five banks is relatively small compared to the massive QNB and InvestBank dumps.
The file archives posted were 251 MB for Business Universal Development Bank, 47 MB for Sanima Bank, 11.2 MB for The City Bank, and 312 KB and 95 KB for Dutch Bangla Bank and Trust Bank, respectively.
The scope of the data varies widely. But preliminary analysis, researchers say, shows that each of the zip files contains at least some customer information or account credentials. According to the report, the same hacking group recently leaked data tied to Qatar National Bank and UAE’s InvestBank.
Contacted, Abul Kashem Md Shirin, Deputy Managing Director of Dutch Bangla Bank, said the leaked data is publicly available, as it is already on the bank's website.
“The data included locations of our ATM booths. Much of the information is related to our vendors. These are old data and are not related to our clients’ accounts or their credit cards. They don’t carry any client-sensitive information,” he said.
The data leak will not harm our clients whatsoever, he asserted.
Meanwhile, the City Bank’s Chief Communications Officer Mashrur Arefin said they don’t see anything harmful in the data leaked.
“The leaks are not banking-related data, rather these are marketing data which are publicly available. The leaked information includes names and addresses of some clients. We have checked those but found that only two to three names match with those that came up in the data,” he added.
No official from Trust Bank was available for comments while preparing the report yesterday.
A primary researcher in this case, who requested anonymity, says that the data posted for each of the banks appears to be old; the latest, from The City Bank, dates to August 2015. This, he says, raises a question about whether the leaks are the result of recent breaches, as claimed by Bozkurtlar, or whether the group has simply aggregated data from older incidents and posted it.
Analysis of the Bangladeshi bank data included in the latest leak:
Dutch Bangla Bank: This 312 KB archive appears to contain records of customer banking transactions – either physical or internet banking. The researcher says that using admin credentials found in clear text in the dump, he was able to gain access from the public internet to the bank’s ATM transaction analyzer for research purposes. The username/password appear to be very simple or default, he explains. “The website of Dutch Bangla bank appears to contain vulnerabilities and could have been the point of penetration to the internal servers or files.”
Trust Bank: The smallest archive at 96 KB, the file contains two spreadsheets that, among other things, contain user ID, email, username and encrypted passwords. The latest file is from June 2015.
The City Bank: This 11.2 MB dump has a single spreadsheet, which appears to contain the personal information of at least 1 million bank customers. Details include: full name, father’s name, mother name, date of birth, age, mailing address, contact number, permanent address and email. The most recent data is from August 2015.
SWIFT, meanwhile, in its May 13 customer alert, referred to an ongoing teardown of the malware that infected Bangladesh Bank, which is being conducted by British defence and security firm BAE Systems.
Analysing the attack on the Bangladesh central bank, the BAE forensic investigators in a report have said, “What initially looked to be an isolated incident at one Asian bank turned out to be part of a wider campaign”.
The report was made public yesterday. Based on the malware used in the bank attacks, the researchers also believe that the hacking group is the same one that targeted Sony Pictures Entertainment in 2014.
In its statement, SWIFT said the attackers had a “deep and sophisticated knowledge of specific operational controls” at the banks and raised the possibility that the heist was aided by “malicious insiders or cyberattacks, or a combination of both.”
SWIFT says that hackers also targeted a second, unnamed Vietnamese bank using “a PDF reader used by the customer to check its statement messages.” SWIFT did not name the bank or the PDF reader software in question, or detail whether attackers successfully stole any money.
In both bank attacks, “the attackers have exploited vulnerabilities in banks' funds transfer initiation environments, prior to messages being sent over SWIFT,” the cooperative's customer alert says.
“The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognize the fraud.”
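The two-step pattern SWIFT describes, bypassing the primary controls and then tampering with the statements and confirmations that serve as secondary controls, is easiest to see in a small model. The Python below is an added example for this article, not code from SWIFT, BAE Systems or any of the banks named here, and it makes no claim about how the real malware worked. Every reference number, amount and key in it is constructed sample data, and the function names (`reconcile`, `mac_statement`, `weak_control`, `strong_control`) are chosen here. It contrasts a reconciliation that reads both its inputs from the compromised transfer-initiation host with one that reconciles an out-of-band, integrity-checked statement against a list of authorised instructions held elsewhere.

```python
"""
Added example (not from the article, SWIFT or BAE): why a reconciliation that
runs entirely on the compromised transfer-initiation host detects nothing, and
what an out-of-band, integrity-checked reconciliation flags instead.
All references, amounts and keys are constructed sample data.
"""
import hashlib
import hmac
import json

# Transfers the bank genuinely authorised, held by a separate team/system.
AUTHORIZED = {
    "TRN0001": {"amount": 1_000_000, "beneficiary": "ACME CORP"},
    "TRN0002": {"amount": 250_000, "beneficiary": "GLOBEX LTD"},
}

# What the compromised initiation host claims it sent: the attacker has
# appended two fraudulent instructions, so the local log "explains" them.
LOCAL_OUTBOUND = dict(AUTHORIZED)
LOCAL_OUTBOUND.update({
    "TRN0003": {"amount": 20_000_000, "beneficiary": "SHELL HOLDINGS"},
    "TRN0004": {"amount": 31_000_000, "beneficiary": "OFFSHORE TRADING"},
})

# The correspondent's true statement of debits: all four went through.
STATEMENT_TRUE = [
    {"ref": "TRN0001", "amount": 1_000_000},
    {"ref": "TRN0002", "amount": 250_000},
    {"ref": "TRN0003", "amount": 20_000_000},
    {"ref": "TRN0004", "amount": 31_000_000},
]

# The copy of that statement on the compromised host after the attacker has
# removed the lines that would expose the fraud (the "second step").
STATEMENT_TAMPERED = [e for e in STATEMENT_TRUE if e["ref"] in AUTHORIZED]


def reconcile(authorized, statement):
    """Return statement debits with no matching authorised instruction."""
    unexplained = []
    for entry in statement:
        auth = authorized.get(entry["ref"])
        if auth is None or auth["amount"] != entry["amount"]:
            unexplained.append(entry)
    return unexplained


def mac_statement(statement, key):
    """HMAC-SHA256 over a canonical JSON encoding of the statement.
    The key is shared out of band and never stored on the SWIFT host."""
    data = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_statement(statement, tag, key):
    """Constant-time comparison of the received tag against a fresh MAC."""
    return hmac.compare_digest(mac_statement(statement, key), tag)


def weak_control():
    """Both inputs come from the compromised host, so nothing is flagged:
    the local log already lists the fraudulent transfers, and the local
    statement copy has had them deleted anyway."""
    return reconcile(LOCAL_OUTBOUND, STATEMENT_TAMPERED)


def strong_control(key, statement, tag):
    """Out-of-band statement, integrity-checked, reconciled against the
    independently held list of authorised instructions."""
    if not verify_statement(statement, tag, key):
        raise ValueError("statement failed integrity check; treat as tampered")
    return reconcile(AUTHORIZED, statement)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; shared out of band in practice
    tag = mac_statement(STATEMENT_TRUE, key)
    print("weak control flags:", weak_control())
    print("strong control flags:", strong_control(key, STATEMENT_TRUE, tag))
    try:
        strong_control(key, STATEMENT_TAMPERED, tag)
    except ValueError as err:
        print("tampered copy rejected:", err)
```

The MAC only helps because the key is not on the compromised host; if the attacker controls the machine that both receives the statement and verifies it, integrity checking adds nothing, which is why the authorised list and the verification key are modelled as living elsewhere. The same structure applies whether the statement arrives as a file, a printed confirmation or a message over a second channel.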
In one of the largest cyber heists in the world, hackers transferred $81 million from Bangladesh Bank’s forex reserve account in the US in February to several accounts in the Philippines.