Investigation confirms hacking

A forensic audit has found that an alleged wire transfer fraud at Sri Lanka Cricket (SLC) was the result of “business email compromise” (BEC) by hackers who attempted to siphon funds into an offshore account by infiltrating the official email accounts of SLC employees.Piyal Dissanayake, SLC Head of Finance (HoF), was sent on compulsory leave in September 2018 pending inquiry into allegations that he instructed Sony Pictures Networks India (Pvt) Ltd to transfer US$ 187,000 due for South Africa’s tour of Sri Lanka to an account in Banamex Bank, Mexico.
He also allegedly told Sony Pictures to remit a further US$ 5.5mn (the broadcast payment for the England tour of Sri Lanka) to an account in the Hang Sang Bank in Hong Kong in the name of an entity called Fanya Silu Co Ltd. This was to be credited automatically to the Banamex Bank in Mexico, by way of an electronic wire transfer where money is sent to the final beneficiary’s bank account via an intermediary bank.
The attempted fraud came to light when Sony queried why it was required to deposit money in an account of Fanya Silu Co and not Sri Lanka Cricket. The sports body quickly suspended the instructions and the Criminal Investigation Department (CID) was assigned the case. Ernst & Young (EY) was enlisted to carry out a comprehensive audit of SLC’s broadcast earnings.
The CID has made little headway. However, the Sunday Times first reported in October 2018 that SLC was likely to have been the target of hackers using a Hong Kong-based shell company to perpetrate an international wire transfer fraud in a textbook case of BEC.
In March—six months after being assigned the task of conducting a fact-based investigation on incoming proceeds related to media broadcasting rights—EY submitted its findings to SLC. It has determined that emails, particularly containing instructions to transmit money into an offshore account that did not belong to SLC, originated from a fake Internet Protocol (IP) address. This indicates that SLC’s email accounts were hacked.
“In the email, an invoice was attached with instructions to remit USD 187,084.75 to beneficiary’s account (6761603874) in BBVA Compass bank in USA,” the 112-page report states. “We noted in the trace report that the email had been sent from the HOF’s email account from IP address 41.190.3.93 (which we refer to as a fake IP address).”
The fake invoice “appears to have been modified using the ‘genuine’ invoice, using ‘ImageMagick’ a tool which enables modifying of pdf documents on 18 July 2018 but dated 17 July 2018” the report continues. The genuine invoice was dated 17 July 2018.
It states: “We observed a deleted email in the HOF’s email account. This had been sent on 03 September 2018 to Sandeep.Patil@setindia.com and copied to Shradha.Bhandarkar@setindia.com; Vijaykumar.Mb@setindia.com, Asha.Naik@setindia.com, Sunil.Kenia@setindia.com, ashley@srilankacricket.us. In the email an invoice was attached with instructions to remit US$ 187,084.75 to beneficiary’s account (002180700779057641) in Banamex bank, Mexico. We noted in the trace report that the email had been sent from the HOF’s email account from IP address 41.190.2.83 (which we refer to as a fake IP address).”
The EY auditors state that this “fake” invoice also appears to have been modified using the “genuine” invoice, using “zamzar”—a website which enables alteration of pdf documents—on 3 September 2018 and dated 3 September 2018. However, the date of the genuine invoice was dated 17 July 2018.
According to the report, instructions to remit US$ 5,564,404.50 to Hang Seng Bank, Hong Kong, were sent from HoF’s email account using a fake IP address. This fake invoice was created by modifying the “genuine” invoice, using “zamzar”. The fake invoice was dated 5 September 2018 while the genuine invoice was dated 4 September 2018.
A business email compromise is an exploit in which “the attacker gains access to a corporate email account and spoofs the owner’s identity to defraud the company or its employees, customers or partners of money. In some cases, an attacker simply creates an account with an email address that is similar to one on the corporate network”.
Mr Dissanayake consistently maintained that his email was hacked. The SLC’s IT division dismissed his claim saying it had strong controls (Office 365 login).
Last year, the Sunday Times dug into the Hong Kong business registry to gather more information about Fanya Silu Co Ltd. According to the Chinese language records (translated with assistance from investigative journalists in Hong Kong), the company was formed on September 27, 2017, by a 38-year-old Chinese national called Zhang Xiaoming. He was the only founder member and director and is from a small county in the Gansu Province. The name Zhang Xiaoming is widespread in China.
In September last year, Mr Zhang resigned and the company appointed Tamara Sanchez Baurdet as the new director. She holds a Spanish passport and the address she has provided the business registry is Avenida del Garraf, 12, 1A Vilafranca del Penedes, Barcelona. But it was she who handed over the information to the company registry in Hong Kong and the document lists her address there as Flat 2814 Block 8, Ming Kum Road, Tuen Mun, NT, which is public rental housing.
A further search of the business directory showed that Sanchez Baurdet is a director of no fewer than 300 companies registered in Hong Kong (and at least one in Poland. This is called Wing Lok Trading. Wing Lok is also a street in Hong Kong). All of them were formed in recent years and around the same period. Investigative journalists in Hong Kong said she could be a proxy or merely an avenue to register companies, earning an income from sitting as a director.
Another possibility is that Mr Zhang sold off the shell to Sanchez Baurdet, they said, adding that it was common business in Hong Kong to trade in such companies. The territory has thousands of shell companies, some of which are used to get money in and out of China.
Interestingly, Mr Zhang resigned from Fanya Silu Co one day before the payment authorisation letter was allegedly sent by Mr Dissanayake to Sony Pictures (it was dated September 4, 2018). This could have been to avoid liability in case the wire transfer came through. But while the business registry document says he resigned, it does not mean he is not still the beneficial owner.
The letter sent to Sony with instructions to transfer US$ 5,564,404.50 to the account of Fanya Silu Co in Hangseng Bank Hong Kong contains multiple grammatical and syntax errors. Meanwhile, several emails purportedly sent from Mr Dissanayake’s email address (hofinance@srilankacricket.lk) are copied to similarly named email addresses belonging to the SLC’s Chief Operating Officer Jerome Jayaratne and CEO Ashley de Silva. But instead of coo@srilankacricket.lk or ashley@srilankacricket.lk, the addresses are coo@srilankacricket.us and ashley@srilankacricket.us.
The ‘srilankacricket.us’ domain is registered to a user named Sunil Shahzad whose address is Office #26, Arfa Tower, Gulberg III in Lahore, Punjab, Pakistan. It was created in August this year.
The SLC case involves shell companies, at least two bank accounts and hard-to-trace individuals in several jurisdictions. It is also likely that other email accounts at SLC have been compromised. But the sporting body maintains that Mr Dissanayake is directly involved. This is because the emails pertaining to the transactions–including the questionable ones–were sent from his hofinace@srilankacricket.lk account and not a srilankacricket.us account, they claim. It was not possible to independently verify this.
The SLC acknowledged at the time that some emails originated from another IP address. But it claimed the CFO could have done it to “pretend to be hacked” by the use of a proxy site. The SLC also says a hacker cannot stage a “middleman attack” on a particular email address for months without it being noticed. It was not possible to independently verify the time period being referred to.