A U.S. congressional committee is investigating how hackers managed to divert $101 million from Bank of Bangladesh accounts held at the Federal Reserve in New York.
The February theft led the Bangladesh central bank’s chairman to resign, and added to worries about the security of online bank data.
In a letter to the Fed’s president dated Tuesday, the Science Committee in the U.S. House of Representatives asked for “all documents and communications” about the cyberattack and the security of the Fed’s SWIFT Alliance Access money transfer system.
In the attack, the hackers tried to steal a total of $1 billion through 35 international money transfer orders, 30 of which were stopped. The Bangladesh Bank later recovered some money from a Sri Lankan bank and from a Chinese casino junket operator based in the Philippines.
“Weaknesses existed within the computer network of the Bangladesh Bank and based on research done by a third party, cybercriminals were able to exploit these vulnerabilities,” says the letter, posted on the committee’s website. “Then, the cybercriminals covered their tracks using malware” that was able to manipulate money transfer request records as well as account balances as shown in logs, as well as to intercept messages verifying transfer orders.
Bangladesh authorities had said earlier they were considering suing the Reserve Bank over the loss of the funds.
The Fed has said it found no evidence its own systems were compromised in the attack, and attention increasingly has focused on suspected vulnerabilities in Bangladesh Bank’s cybersecurity.
But any international cybersystem is only as strong as its weakest link, said the letter signed by the committee’s cochairmen, Lamar Smith of Texas and Barry Loudermilk of Georgia.
“This is deeply troubling, and it is Congress’ responsibility to ensure, through its oversight, that the NY Fed is taking all precautions to protect American finances and aggressively execute its own role as overseer of SWIFT,” the letter says.
Amid the fallout, the Bangladesh Bank Governor Atiur Rahman resigned in March, saying he had tried after the theft to close loopholes and boost the bank’s online security, but that the bank’s team lacked experience.
Authorities in the Philippines, meanwhile, are also investigating how some $81 million of the stolen funds were transferred online to four private accounts at a branch of the Rizal Commercial Banking Corp., or RCBC, and who could be criminally liable.
And in Sri Lanka, a court banned six people from traveling abroad after their foundation allegedly received some of the stolen money. The private bank where the foundation had an account alerted the Bangladesh central bank about the transfer and returned the funds.