×

At time of Fed hack, Bank of Bangladesh targeted by others: Source

The central bank of Bangladesh was under attack by more than one group at the time thieves stole $81 million from its account at the Federal Reserve Bank of New York, a source familiar with the investigation told CNBC.

Investigators have found that as many as three separate hacking groups had access to Bank of Bangladesh computers, the source said. Of those, one was there for the express purpose of stealing money, and the other two were apparently simply gathering information, possibly as part of broader information-gathering operations.

The presence of so many hacking groups inside a central bank's servers highlights the risks facing global banks at a time when the U.S. Securities and Exchange Commission is warning that cybersecurity is the biggest risk facing the world's financial system. SEC Chair Mary Jo White told the Reuters Financial Regulation Summit on Tuesday that some major exchanges, dark pools and clearing houses do not have cybersecurity policies in place that match the risks they face, Reuters reported.

At the same time, the Bangladesh heist is causing some banks to tighten up security procedures. For example, officials at JPMorgan reviewed levels of access to the Swift international financial electronic messaging system and adjusted permission levels for various employees, according to a person familiar with the bank.

Investigators looking into the Bangladesh heist have not concluded who conducted the theft, but do believe the group was "highly sophisticated and well-funded," according to the source familiar with the investigation. They have also concluded that one of the groups that penetrated the bank's system — but not the one that conducted the theft — used techniques similar to the devastating 2014 cyberattack on Sony.

U.S. officials concluded at the time that the Sony attack was sponsored by North Korea. But investigators have not concluded that the North Koreans were necessarily inside the Bangladesh computers. It is at least possible, they believe, that the group they have identified is a freelance hacking entity that worked for North Korea in the past and is working for entities unknown — or simply for itself — now.

Investigators say they do not have any information on the third entity found inside the Bangladesh computers, except to conclude that the penetration did not appear to be an effort to steal money, perhaps only to gather information.

The New York Fed has said it has found no evidence that its own systems were compromised by the hackers.

Investigators currently hypothesize that the Bangladesh heist was conducted by a criminal gang, not a nation state.