Security shortcomings: Adrian Cheek, senior cybercrime researcher at threat exposure management firm Flare, said the Bangladesh Bank heist was possible because of a number of security shortcomings, including a failure to air gap critical infrastructure.

“The Bank of Bangladesh had four servers and the same number of desktops connected to SWIFT,” Cheek says. “This infrastructure, however, was also connected to the wider banking network and thus exposed to the internet.”

“Critical infrastructure should be air gapped or, at the very least, segregated from any central network by multiple firewalls and a robust SWIFT [identity and access management] policy, including SWIFT [multi-factor authentication],” Cheek adds. “The bank had none of this.”

Other elements of basic cybersecurity at the central bank were also lax.

“The attackers were able to install a keylogger [a form of malware that records users’ credentials and activity] on the bank network and disable a printer that recorded activity connected to the bank network,” according to Cheek. “The bank had no capability to identify or detect this malware.”

Cheek adds: “The logger was able to collect credentials, including passwords to the bank’s international money transfer system.”

Strains of malware linked to the attack include the Lazarus/BeagleBoyz toolset (a mix of custom loaders, backdoors, and wipers) and the Dridex banking trojan.

Security information and event management (SIEM) platforms appeared on the scene in the late 2000s, and the first versions of endpoint detection and response (EDR) tools were available in the early 2010s.

“Both of these solutions may have detected the initial intrusion, the printer error, or access to restricted areas,” Cheek says. “The bank relied on a physical printer that printed access activity for the money transfer system. With the printer offline, the bank was blind.”

Collin Spears, senior director of product management at application security firm Black Duck Software, says that the Bangladesh Bank attackers demonstrated a level of nation-state operational discipline that exceeded that of most legitimate software teams.

“They tested their malware against Oracle database libraries, built custom implants to maintain persistence, and timed execution to exploit a 72-hour window across the banking holidays of three countries,” says Spears. “That’s not opportunistic crime. That’s a funded engineering organization with better release management than half the fintechs I’ve assessed.”

Prior to 2016, the SWIFT network was considered impenetrable, to the point that anything arriving via the SWIFT system was taken at face value and often left to operate unmonitored.

In the wake of the Bangladesh Bank heist, SWIFT warned customers that the hack was part of a broader series of attacks on customer environments rather than an attack on its messaging network. Banco del Austro in Ecuador and TPBank in Vietnam fell victim to similar but smaller assaults in 2015.
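The printer was the bank's only audit trail for the transfer system, so taking it offline silenced the one control that could have raised the alarm. The correlation Cheek describes as missing can be expressed as a detection rule that checks the gateway's sends against the printer's own log; this is an added example, not code from the article, Flare, SWIFT or any bank, and it assumes a hypothetical log format (`timestamp|source|event|key=value`), hypothetical event names (`MT103_SENT`, `PRINT_OK`, `PRINTER_OFFLINE`, `PRINTER_ONLINE`) and an assumed 60-second deadline for a confirmation to print:

```python
from datetime import datetime, timedelta

# Constructed sample log (hypothetical "timestamp|source|event|key=value" format):
# one confirmed transfer, then the printer goes offline and two more messages
# leave the gateway without any printed record.
SAMPLE_LOG = """\
2026-01-01T22:05:10|swift-gw|MT103_SENT|ref=TXN-0001
2026-01-01T22:05:12|printer|PRINT_OK|ref=TXN-0001
2026-01-01T22:30:00|printer|PRINTER_OFFLINE|reason=queue stalled
2026-01-01T22:31:05|swift-gw|MT103_SENT|ref=TXN-0002
2026-01-01T22:33:40|swift-gw|MT103_SENT|ref=TXN-0003
"""

PRINT_DEADLINE = timedelta(seconds=60)  # assumed time allowed for a confirmation to print

def parse(log_text):
    """Yield (timestamp, source, event, fields) from the hypothetical log format."""
    for line in log_text.splitlines():
        ts, source, event, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(","))
        yield datetime.fromisoformat(ts), source, event, fields

def detect(log_text, deadline=PRINT_DEADLINE):
    """Return alerts for sends the printer never recorded, plus refs still pending."""
    pending = {}           # ref -> send time, waiting for a matching PRINT_OK
    alerts = []
    printer_offline = False
    for ts, _source, event, fields in parse(log_text):
        if event == "MT103_SENT":
            pending[fields["ref"]] = ts
            if printer_offline:   # the audit trail is already dead: alert immediately
                alerts.append(("SENT_WHILE_PRINTER_OFFLINE", fields["ref"]))
        elif event == "PRINT_OK":
            pending.pop(fields["ref"], None)
        elif event == "PRINTER_OFFLINE":
            printer_offline = True
        elif event == "PRINTER_ONLINE":
            printer_offline = False
        # Any message whose confirmation is overdue by now is a second, independent alert.
        for ref, sent_at in list(pending.items()):
            if ts - sent_at > deadline:
                alerts.append(("NO_PRINTED_CONFIRMATION", ref))
                del pending[ref]
    return {"alerts": alerts, "pending": sorted(pending)}

if __name__ == "__main__":
    for kind, ref in detect(SAMPLE_LOG)["alerts"]:
        print(f"ALERT {kind}: {ref}")
```

The point is that the two alert types come from different sources: the printer daemon's own status feed and the absence of an expected event, so disabling the printer no longer makes the sends invisible.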
Tightened security controls fail to eliminate evolving threat: SWIFT introduced its Customer Security Program (CSP) as a mandatory framework in May 2016. The program requires member banks to implement a set of mandatory security controls, known as the Customer Security Controls Framework, and attest to compliance annually.

Nik Kale, principal engineer at Cisco Systems, told CSO that although security controls have been tightened up since the Bangladesh Bank cyberheist, wider problems remain unaddressed.

“Many institutions have improved controls around SWIFT and similar rails: better monitoring, tighter audits, more realistic assumptions about endpoint compromise risk,” according to Kale.

However, on the debit side, the workflow trust issue exploited during the Bangladesh Bank cyberheist continues to cause problems.

“The techniques evolve, but the underlying vulnerability is stable,” says Kale. “And notably, the same pattern, trusting workflow rails while endpoints are compromised, is now re-emerging in AI and automation contexts, where autonomous agents inherit credentials and act on trusted channels without adequate verification boundaries.”
Attackers pivoting to target crypto assets: Jason Baker, senior threat intelligence consultant at GuidePoint Security, tells CSO that North Korean state-backed attackers have continued to target financial and cryptocurrency organizations in the years since the Bangladesh Bank cyberheist.

“DPRK [Democratic People’s Republic of Korea] actors have pivoted heavily to cryptocurrency versus ‘traditional’ banking assets, with Chainalysis reporting $2 billion in cryptocurrency theft by DPRK actors in 2025 and an all-time total of $6.75 billion despite fewer attacks,” according to Baker.

Michael Bell, founder and CEO at offensive security services firm suzu labs, says that what attackers learned was that cryptocurrency exchanges have weaker security, faster liquidity, and less regulatory oversight than traditional banks.

“The industry patched the vulnerability that was exploited in 2016 and the adversary moved to where the defenses were weaker,” Bell says.
CISOs need better threat intel programs: Ensar Seker, CISO at extended threat intelligence platform provider SOCRadar, argues that the Bangladesh Bank heist shows that financially motivated attacks can be patient, stealthy, and well-resourced. Defenders need to up their game to meet the challenge of such stealthy attacks because they present an ongoing threat.

“The attackers anticipated manual checks, fallback procedures, and human delays,” Seker says. “Modern threat intel programs must model attacker understanding of defender workflows, not just attacker tools.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4131864/10-years-later-bangladesh-bank-cyberheist-still-offers-cyber-resiliency-lessons.html