When we talk about a bank heist, most of us think of people actually robbing a bank or of a team tunneling into a vault, but today that isn't necessarily the only way to pull of a heist.
Back in 2016 a mysterious organization called the Lazarus Group launched a cyber attack against the central bank of Bangladesh, The Bangladesh Bank. In that attack the Lazarus group came close to stealing close to a billion dollars!
Who are behind the Lazarus group and how is it possible that they were able to do this?
Philippines, May 2015
Four men enter the Jupiter branch of the RCBC bank in Manila, the capital of the Philippines. Each of them opens a bank account with a $500 deposit, and after that the accounts lay dormant for months.
Dhaka, January 2016
An employee at the Bangladesh Bank checked his email at work, afterwards he goes home not suspecting a thing, but he has just set in motion events that would shake the financial world.
It turns out that the employee had inadvertently clicked on an infected email, one that immediately began installing malware in the bank's computer systems. This program allowed intruders to gain access to their network and the inner workings of the bank. These intruders were now spying on employees and studying the banks operations.
Thursday, February 7, 2016
A month later, the bank was about to close for the weekend, which in Muslim majority countries is typically on a Friday and Saturday. After the bank closed, the hackers prepared to make their move.
SWIFT, a military grade secure interbank communication system, is designed to facilitate payments between banks. SWIFT does not actually send the payment, but processes the payment orders between accounts, that other banks then act on. This system is regarded as safe and secure, but since the hackers were able to steal the bank's login information due to their lack of cybersecurity, they could now manipulate SWIFT on their end.
35 transfer requests are made by the hackers to the Federal Reserve Bank in New York, totaling $951 million! The details of this request asked the Federal Reserve bank to transfer the funds from New York to various accounts in Asia.
But why New York?
Well, The Bangladesh Bank has a foreign reserve account there with billions of Dollars for international settlements.
The next day, Friday, New York
The Federal Reserve bank in New York, begins processing the SWIFT orders from the Bangladesh Bank, with no reason to believe that anything might be wrong with these requests.
Sunday morning, Dhaka
The Bangladesh Bank employees, now back from their weekends are trying to fix a problem with one of their printers, but not just any printer. This printer is connected to the SWIFT network and is supposed to automatically print out all the transfer confirmations.
The bank staff thinks it's a glitch, but nothing could be further from the truth. The hackers had done this intentionally, with the hope that it would delay the bank in discovering that their funds had been stolen. The hackers had erased evidence from the swift network and then crashed the printer. This had bought them some extra time.
The bank fixes the printer and begins to go through all the backlogged transfer confirmations, and they begin to discover something very bad has happened. The staff begins to panic as they realize that almost a billion dollars in requests have been made!
They immediately send stop payment orders to the Federal Reserve bank in New York, but it's a Sunday, and there is no one there to respond. By the time the staff returns on Monday it would already be too late.
Monday morning, New York
But it wasn't all bad luck for the Bangladesh Bank, 30 out of the 35 requests were automatically flagged for review by the New York bank. It turns out one of words on the SWIFT order happened to match the name of an Iranian shipping company that had been black listed by the US government. This was a pure coincidence.
When staff reviewed the orders they began to notice several red flags. The large amount of transfers, the fact that they were sent to private entities instead of banks, and the high total of almost one billion dollars. They contacted the Bangladesh Bank for clarification, and after getting word of their stop payment orders, the New York bank cancels the transfers.
This was devastating for the hackers as $872 million worth of transfers had now been blocked, and the hack had now been discovered.
But it wasn't over yet, 5 of the 35 transfers still remained. The remaining $101 million had made it through without being detected!
One transfer worth $20 million ends up in a Sri Lankan bank, routed via Deutsche Bank, in the account of the Shalika Fandation, a non-profit NGO. Twenty million dollars was an unusually high amount for a small NGO, and an employee flagged the transaction and sent it back to the bank in Germany for verification.
Deutsche Bank also finds red flags, especially with what looks like a typo in the name of the NGO, fandation instead of foundation. Of course no surprise, it turns out that this NGO is completely fake, and they send the money back to the New York account.
And now there were four.
The remaining four worth $81 million end up in accounts of the RCBC bank in Manila, that I mentioned earlier. These transfers made to individuals should have definitely triggered an alert, but for some reason this doesn't happen. The money is quickly withdrawn and laundered through casinos, were it is exchanged for untraceable cash.
The Bangladesh Bank had tried to stop it, but once again timing was not on their side. The stop order was not received, because the bank was closed for Chinese New Year.. By now you've probably noticed the pattern, every step of the way there were delays that helped the hackers achieve their goals, and this was by design!
Tuesday, Manila, The Philippines
RCBC Bank staff returns to work, and find out about the fraudulent transfers, but by now it's too late and the money is long gone. Two Chinese men were later found that had created some of the fake accounts at the bank.
They were just middlemen, but the police hoped that by questioning them, they could learn more about the operation. But before the Bangladesh authorities were able to apprehend them, they left on a flight for Macau, a special administrative region of China, where it was now impossible to track them.
The hackers had now pulled of a heist that netted them $81 million, not exactly the one billion that hey had hoped for, but it is still the single biggest bank heist in history!
Cybersecurity analysts were now looking through the Bangladesh Bank's systems to see if the hackers had left any evidence on the computers. They were still able to analyze the malware that the hackers had used, and from this they were able to learn that this attack was very similar to other attacks on financial institutions around the world. Most likely this particular hacker group was responsible for all these attacks, including the one of the Bangladesh bank.
This group was known as Lazarus, a suspected North Korean hacker team.
As investigators continued their search they eventually found an IP from one of the hackers, that showed their location to be in North Korea! And later they found Korean language embedded in the malware code, backing up the idea that the totalitarian state might be behind this.
Could North Korea have been framed?
Sure, but there were other clues that hinted that this might be North Korea.
The money had been moved to Macau, which is known as North Korea's financial gateway to the outside world. From there it wouldn't have been any problem to wire the funds directly to North Korea.
Buy why would North Korea do such a thing?
Well, sanctions against the country have crippled their economy, and the North Korean regime is desperate for foreign funds to prop up their economy. It is also suspected that these funds might have been used for the development of nuclear weapons. This is certainly not the first time the country has been suspected of doing this.
If this were to be proven beyond a doubt one day, then it would be the first case of a state sponsored hack on a foreign bank!
And that makes me wonder, what else could North Korea be capable of?
Thanks for reading and I hope you enjoyed this story!