How Lazarus used SWIFT to steal $81 million from the Bank of Bangladesh.
Denis Morozov
Writing a "Canadian Game Industry Fundraising" Book | PM at Shred Capital
Who is the Lazarus Group? Most sources agree that Lazarus (also known as Guardians of Peace) is a North Korean hacker group that focuses on advanced persistent threat attacks. It was originally created to disrupt the governments of South Korea and the USA with DDoS attacks (Operation Troy in 2009, Ten Days of Rain in 2013) but later branched into malware. Microsoft states that Lazarus is responsible for the WannaCry ransomware, and it is rumored that its hackers are so dedicated that they sleep only 6 hours every night.
The successful heist at the Bank of Bangladesh was a predictable consequence of the rapid development of cybercrime in North Korea. FireEye attributes the bank-focused attacks to a separate group called APT38, but since all of these groups are government-sponsored and most likely collaborate, it is fair to keep the Lazarus label. The following North Korean bank attacks are publicly known:
- 2015 - TPBank heist.
- January 2016 - Many concurrent bank compromises.
- February 2016 - Heist at the Bank of Bangladesh.
- 2016 - APT attacks on international banks and watering hole attacks on the media.
- 2017 - ATM cash-out scheme at the International Bank of Taiwan.
- 2018 - Bancomext heist in Mexico and Banco de Chile heist in Chile.
How was the bank attack committed? According to Kaspersky, the attack on the Bank of Bangladesh involved the theft of a binary of the SWIFT system software, which the attackers then disassembled and analyzed. They added a tiny, one-bit patch that prevented a key integrity check in the software from completing, and then reintroduced the patched software to the system. Once inside the compromised bank, the attackers were able to modify and delete SWIFT messages, which helped hide their tracks.
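The defender's lesson from that one-bit patch is that an integrity check living inside the binary it protects can be patched out together with everything else, so the known-good hashes must be kept and compared from outside the host. The following is an added Python example, not code from this post or from SWIFT; the file names and byte contents are constructed stand-ins.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed stand-in for the application's installed files (not real SWIFT binaries).
DEPLOYED_FILES: Dict[str, bytes] = {
    "alliance_core.bin": bytes(range(256)) * 4,
    "message_store.bin": b"MT103 payment records" * 16,
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Known-good hashes taken at install time. Store the manifest off the host
    (or signed): an attacker who can patch the binary can also edit a local copy."""
    return {name: sha256_hex(data) for name, data in files.items()}

def flip_bit(image: bytes, byte_offset: int, bit: int) -> bytes:
    """Copy of image with a single bit flipped; stands in for the one-bit patch
    described above and exists only to exercise the verifier on a tampered file."""
    patched = bytearray(image)
    patched[byte_offset] ^= 1 << bit
    return bytes(patched)

def first_diff_offset(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None when the images are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

def verify(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Names of files whose current hash differs from the manifest, plus manifest
    entries missing on disk. Relies only on the external baseline, never on any
    self-check the application performs on itself."""
    tampered = []
    for name, good_hash in manifest.items():
        current = files.get(name)
        if current is None or sha256_hex(current) != good_hash:
            tampered.append(name)
    return sorted(tampered)

def demo() -> List[str]:
    """Baseline the clean install, apply a one-bit change, and report what the check flags."""
    manifest = build_manifest(DEPLOYED_FILES)
    after_attack = dict(DEPLOYED_FILES)
    after_attack["alliance_core.bin"] = flip_bit(DEPLOYED_FILES["alliance_core.bin"], 0x40, 3)
    return verify(after_attack, manifest)  # returns ['alliance_core.bin']
```

A single flipped bit changes the whole SHA-256 digest, so the size of the patch is irrelevant to detection; what matters is that the manifest and the comparison run somewhere the attacker's foothold on the SWIFT host cannot reach.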
The hackers made some crucial mistakes during the attack that allowed investigators to trace the operation back to North Korean infrastructure. One of the infected machines briefly connected to an IP address in North Korea, and some log files were not removed from the servers. The biggest failure of the attack was the malfunctioning printer. Every time a transaction is done with SWIFT, all of the files are automatically printed, so that employees can come in the morning and check the overnight transactions. On the morning after the attack, however, the printer did not print any documents. When the software was restarted, it printed out all of the fraudulent overnight transactions, which revealed the operation.
What happened to the money? By the time bank employees tried to reverse the transactions, it was already too late. Although Bangladesh managed to get Pan Asia Banking to cancel the $20 million transaction, the $81 million that went to Rizal Bank was fully withdrawn and laundered through casinos in the Philippines.