Officials of Bangladesh Bank may have been involved in the calculated theft of $81 million from its account with the New York Federal Reserve Bank, the head of a government-appointed panel investigating the cyber heist has told reporters.
After learning how the organisation worked, the group of cyber attackers broke into the computer systems of the Bangladesh central bank in February and issued instructions through the SWIFT network to transfer $951 million of its deposits held at the New York Federal Reserve Bank to accounts in the Philippines and Sri Lanka.
The group had installed malware in systems at the bank's Dhaka headquarters, which allowed them to spend several weeks spying upon the bank's systems and processes.
Most of the transactions were blocked but four went through, amounting to $81 million, sparking allegations by Bangladeshi officials that both the Fed and SWIFT had failed to detect the fraud.
The breach was uncovered by accident, with an alert only raised as a result of a small spelling error on one of the transactions that blocked other queries that had not yet been processed.
It emerged last week that those behind the heist actually targeted the computer of a Bangladeshi official to conduct the theft; however, the official was not flagged as a suspect.
"Earlier we thought no one from Bangladesh Bank was involved, but now there is a small change," Mohammed Farashuddin, a former governor of the Bangladesh central bank, said on Monday after handing his final report to the finance minister.
He declined to say what the change was; however, Finance Minister Abul Maal Abdul Muhith said the report would be made public in 15 to 20 days.
Farashuddin declined to provide details of the report, but said its findings were different from a previous one that mainly held SWIFT, the international banking payments network, responsible for the cyber heist.
He reiterated SWIFT could not avoid responsibility, however.
Farashuddin said previously that SWIFT made a number of mistakes in connecting up a local network in Dhaka, the Bangladeshi capital.
SWIFT has denied the accusations.
Bangladesh Bank spokesman Subhankar Saha said its officials had yet to read the report or receive government instructions.
"The Bangladesh Bank management will follow all instructions given by the government," Saha told Reuters. "Actions will be taken as per instruction by the government if any central bank officials were found guilty."
Last week, SWIFT said it planned to launch a new security program as it fights to rebuild its reputation in the wake of the heist, with chief executive Gottfried Leibbrandt laying out a five-point plan at a financial services conference in Brussels.
SWIFT is a Belgium-based cooperative that is owned by its users, with banks around the world sending payment instructions to one another via SWIFT messages.
Previously, SWIFT said it wants banks to "drastically" improve information sharing, to toughen up security procedures around SWIFT, and to increase their use of software that could spot fraudulent payments.
"SWIFT will continue to notify you as soon as possible of any cases of malware known to us so that you can better target your preventative and detective efforts in your local environment," the society said in a statement Friday.
"We will also continue to share best practices to help all our users improve their security as we have been doing very proactively over recent months. We are currently working to further reinforce our support to customers in securing their access to the SWIFT network; we are receiving feedback from the relevant board committee and overseers in the coming days and will be sharing plans with the wider community."
The messaging service said other authorities also have a role, with Leibbrandt saying SWIFT is not all-powerful, that it is not a regulator, and that it is also not a policeman.
To improve information sharing, as a first step, SWIFT said it will be centralising all new and existing security information through KB tip 5020928 in the restricted customer section on its SWIFT.com site.
A small portion of the stolen funds has been recovered, but Bangladesh officials are still considering the prospect of taking the US financial system to court to recover the remainder.
According to Symantec, before hitting the Bangladesh Bank, the group responsible for the attack tried their luck on a Philippine institution. The security vendor said last week that similarities in the code used in the malware in both attacks led it to conclude the attacks were from the one source.
The company said the attacks on the Philippine bank occurred from October last year, and represent the earliest known attacks from the group.
"The discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region," Symantec said in a blog post.
The Bangladesh Bank attack follows a similar but little noticed theft from Banco del Austro in Ecuador last year that netted thieves more than $12 million, as well as a previously undisclosed attack on Vietnam's Tien Phong Bank that was not successful.
The Wall Street Journal reported earlier this month that SWIFT was never told of the Ecuador attack.