US regulators, FBI warn banks on cyber threat after Bangladesh heist

Commuters pass by the front of the Bangladesh central bank building in Dhaka, March 8, 2016.
Commuters pass by the front of the Bangladesh central bank building in Dhaka, March 8, 2016.PHOTO: REUTERS

BOSTON/NEW YORK (REUTERS) - US regulators on Tuesday told banks to review the cyber security they have in place to protect against fraudulent money transfers and other threats to a global payments network, months after hackers stole US$81 million (S$109 million) from the Bangladesh central bank's account at the Federal Reserve Bank of New York.

The notice from the Fed and other financial regulators comes two weeks after the US Federal Bureau of Investigation urged banks to look for signs of possible cyber attacks and asked them to hunt for technical clues that they have been targeted by the same group, according to a notification seen by Reuters.

The warnings suggest that US government and law enforcement agencies are concerned that recent attacks on banks in emerging-market economies could lead to losses for big US firms that rely on the so-called Swift fund-transfer network, which serves as the backbone of international finance.

In early February, thieves hacked into Bangladesh Bank's interface with Swift's network and peppered the New York Fed with payment instructions.

Most of the requests were blocked, but four were filled, amounting to US$81 million that went to accounts in the Philippines and remains missing.

"Financial institutions should review their risk management practices and controls over information technology and wholesale payment systems networks, including authentication, authorisation, fraud detection, and response management systems and processes," the Federal Financial Institutions Examination Council said in a statement on Tuesday.

Banks using such inter-bank messaging networks and that originate "unauthorised transactions" may be subject to "losses and compliance risk," the council said.

The council - which besides the US central bank includes the Federal Deposit Insurance Corporation and the Comptroller of the Currency, among other agencies - did not issue new cyber security rules, but rather highlighted existing guidelines.

The FBI's notification, which provided technical information about the recent attacks, said a "malicious cyber group" had compromised the networks of multiple foreign banks.

"The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorised monetary transfers over an international payment messaging system," the May 23 alert said.

The so-called "Flash" notification, which did not identify specific victims, asks recipients to call the FBI if they find any of the technical indicators mentioned in the bulletin or have other "related information."

FBI spokeswoman Nora Scheland declined to comment on the notification, citing a bureau policy on such communications.

"The FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations," she said.

"This data is provided in order to help systems administrators guard against the actions of persistent cyber criminals."