Investigators examining the theft of $81 million from Bangladesh's central bank have uncovered evidence of three hacking groups — including two nation states — inside the bank's network but say it was the third, unidentified group that pulled off the heist, according to two people briefed on the progress of the bank's internal investigation.

FireEye Inc., the company hired by the bank to conduct the forensics investigation, identified digital fingerprints of hacking groups from Pakistan and North Korea, the two people said. It hasn't found enough data to determine whether the third group, the actual culprit, was a criminal network or the agent of another nation.

The twists and turns add to the mystery of who pulled off one of the largest cyberheists in history. The hackers, pairing theft with havoc within the global financial system, used the Swift interbank messaging system to move cash into fake accounts in the Philippines but were discovered before they could complete an attempted transfer totaling $951 million.

The U.S. Federal Bureau of Investigation suspects an insider with access to the computers at the Bangladesh central bank played a role in the caper, according to the people briefed on the investigation. Police in Bangladesh said they have found negligence within the bank but haven't determined whether there was any criminal intent.

Spokesmen for Pakistan's interior and information technology ministries didn't respond to requests for comments. Telephone and emailed requests for comment to North Korea's delegation to the United Nations went unanswered.

A year in the making, the hacking scheme ran through the Swift messaging system and the central bank's accounts at the Federal Reserve Bank of New York, exposing crucial weaknesses in the global financial system. Government officials in the Philippines and Sri Lanka are investigating where the purloined money may have gone. Members of the U.S. Congress have asked for additional information about whether there were lapses in security by institutions duped in the scam.

“These guys started to lay the groundwork for their hack or their robbery a year ago. They set up their false accounts, with false IDs,” said Leonard Schrank, who was Swift's chief executive officer for 15 years through 2007. “It was really well thought through, and they found a very weak link, which they exploited.”

Hundreds of billions of dollars are moved internationally through the Swift system daily. The group warned users last month that it was aware of several similar attacks. It didn't indicate whether it suspected the same hackers or whether more money was taken.

Skilled Perpetrators

The Bangladesh forensic results, provided to the bank in the last few days, highlight the challenges of identifying skilled perpetrators in cyberspace, where hackers can mimic others and route their actions around the world to confuse trackers.

The people briefed on the investigation agreed to provide details for this article only if not identified, citing the small circle of people who have been briefed so far.

On Tuesday, the new head of Bangladesh's central bank met in Basel, Switzerland, to discuss the investigation with officials from the New York Fed and Swift. In a brief joint statement, the parties said they were committed to recovering the proceeds of the fraud, bringing the perpetrators to justice and working together “to normalize operations.”

Representatives for the New York Fed, Swift and Bangladesh central bank declined to provide additional details about the progress of the investigation. Vitor De Souza, a spokesman for FireEye, declined to comment on the report.

FireEye was unable to determine how the thieves first entered the Bangladesh bank's network, according to one of the people. One possibility is that malware was introduced into the network by someone inside the bank or a technician working with the bank. Malware can be introduced quickly onto a network by someone inside with something as simple as a thumb drive in an open USB port. The forensics investigation hasn't found any evidence of this, the person said.

The potential role of any insider is still being investigated. The FBI has been assisting the inquiry at the request of the Bangladesh central bank. Jillian Stickels, a spokeswoman for the FBI in Washington, declined to comment on the investigation. The Wall Street Journal reported earlier Tuesday that the FBI suspected the involvement of an insider.

The Bangladesh Bank hasn't yet been able to determine whether an employee was involved, according to a panel it appointed to review the incident. An official from Bangladesh's police said it hasn't received information from the FBI about a possible insider and that no arrests had been made.

Bangladesh officials have sought to cast Swift as bearing some responsibility, this week releasing details about Swift technicians who made upgrades to the bank's system late last year. Reuters previously reported on the officials' findings.

The way that technicians from Swift set up the network at Bangladesh Bank “was not according to the agreed plan,” Shah Alam, a senior official in Bangladesh's Criminal Investigation Department, told Bloomberg on Tuesday.

“We have also found that some officials at Bangladesh Bank who were in charge of maintaining the network fell short of their responsibilities,” he said, adding that police were still trying to determine if the officials' actions went beyond pure negligence.

Such allegations are false, inaccurate and misleading, Swift said in a statement on its website.

Moral Responsibility

The Bangladesh central bank has been roiled since the hack was disclosed in March, and several officials have stepped down. Atiur Rahman resigned as Bangladesh's central bank governor, saying he took moral responsibility after failing to immediately inform the Finance Ministry of the theft. Two of his deputies were also removed.

Attribution of a breach is notoriously difficult, even for the U.S. government. In this case, the task was hampered as investigators sifted through the handiwork of multiple hacking groups, attributing the heist at various stages of the investigation first to one group and then the next, according to one of the people briefed.

Hackers used the Swift system to make illicit payments to accounts in several countries, creating sophisticated malware designed to operate on the bank's Swift messaging system. As the hackers navigated through the bank's network unseen for weeks, they deployed a smorgasbord of tools that included two pieces of malware dubbed Nestegg and Dyepack, according to one of the people briefed on the report.

The ease with which the hackers manipulated the interbank system and the significant resources used to create and customize the malware raise the possibility of more attacks against international institutions, people involved in the bank probe said.

North Korea's hacking prowess has been cited by government officials repeatedly in recent years. President Obama accused North Korea of pilfering and publishing a trove of corporate information from Sony more than a year ago — after the production of “The Interview,” a movie that parodies North Korea — and vowed to take unspecified action against the country. North Korea has also been blamed for a series of financial hacks in South Korea by officials there.

After the White House publicly attributed the Sony breach to North Korea, some security firms publicly cast doubt on the claim. North Korea has denied any involvement. Investigators have spent weeks following the money trail from the Bangladesh central bank's account, but the ultimate destination of tens of millions of dollars remains unknown.

Simple Errors

After scouting the computer system, the hackers impersonated bank officials, sending instructions through the Swift system to move nearly $1 billion to several bank accounts in several countries.

Most of the transfers were stopped or reversed because of simple errors made by the hackers, including a spelling error. Clues to the missing millions have led from computers in Bangladesh to a colorful cast of characters including a bank manager and casino operators in the Philippines and the head of a non-profit foundation in Sri Lanka.

Swift, which stands for Society for Worldwide Interbank Financial Telecommunication, is a cooperative that is a vital component in global interbank transfers. It has said that its systems weren't compromised but that messages were sent through its system by attackers who appeared to have “good knowledge of the bank systems and their security procedures.”

Bloomberg News
