DHAKA (Reuters) - Bangladesh’s central bank is unlikely to extend the contract of U.S. cyber security firm FireEye to investigate the electronic theft of $81 million of its money, sources at the bank said on Wednesday, citing high costs as one of the factors.
The move comes as law enforcement in Bangladesh and the United States have reported little progress in identifying the criminals more than four months after one of the biggest cyber heists to date.
FireEye’s Mandiant forensics division was hired by Bangladesh Bank weeks after the cyber heist in early February. It said in an interim report that hackers took control of the bank’s network, stole credentials for sending messages on the SWIFT transactions system and used “sophisticated” malicious software to attack the computers the bank uses to process and authorize transactions.
Mandiant has said it needs 570 hours of more work to complete its investigations, a director on the board of Bangladesh Bank told Reuters. The bank has already paid about $280,000 to the company at an hourly rate of $400, he and other officials said on condition of anonymity.
Another official familiar with the computer security systems at the bank said it did not want to extend Mandiant’s contract because board members were not sure what tangible results could come from further investigation.
FireEye said in a statement that it would seek to help with the investigation even after completing its assignment for Bangladesh Bank.
“We have uncovered and provided Bangladesh Bank and the global financial community extensive data about this unprecedented financial attack and how to prepare for the future, and will continue to support law enforcement and the industry past the close of our engagement,” the statement said.
The bank director said Bangladesh Bank planned to seek external help in the investigation, but only after drawing up new terms of reference on the basis of its own internal investigation, a police inquiry and a government-appointed probe.
Cost was a factor in the Mandiant decision, the director said.
“Its charges are so high,” the director said, adding a formal meeting of the board on Thursday was scheduled to formally end the contract.
FireEye said that the $400 per hour figure cited by the Bangladesh Bank officials was not a standard rate for its services.
“The pricing and duration of our investigative work is unique to every incident,” the statement said.
A third bank official said the initial purpose of hiring Mandiant had been achieved: identifying and addressing lapses in the bank’s computer security.
At Thursday’s board meeting, terms for a possible new contract for an external investigator will be finalised, the bank director said. It wasn’t clear if FireEye would be invited to bid.
Additional reporting by Ruma Paul; Editing by Raju Gopalakrishnan