How did the hackers pull off a billion dollar hack?
Natarajan Karri
Award winning Cybersecurity Professional I Keynote Speaker I Specialist in IT Security Governance & Cyber Security Consulting
The Incident
Dhaka, Bangladesh, Feb 7, 2016
At 8:45 in the morning on Friday, Feb. 7, 2016, Zubair Bin Huda, a director at Bangladesh’s Central Bank (BCB), entered the 30-storey, concrete-and-glass headquarters in Dhaka. Bin Huda, slim and soft-spoken, with a thin black mustache and beard, rode an elevator to the ninth floor and eventually walked into the back office of the Accounts and Budgeting Department’s “dealing room,” the most restricted area of the building, accessible to only a handful of employees.
As the Director of Bangladesh Central Bank got off the elevator on the ninth floor and headed to the back office of the Accounts and Budgeting Department, his small staff was huddled in a corner, dealing with a problem that had been plaguing the office for the last few days. The printer was not working. Except this was not a regular printer, and this was not a regular bank, so it was causing a real disruption. The automated printer, hooked up to the bank’s SWIFT-connected software, was supposed to run round the clock, printing out the bank’s transaction reports in real time. Because of this technical glitch, however, the printer tray remained empty. Much of the day was spent trying to fix the issue, and after a great deal of effort they succeeded: the printer was restarted, and the backlog of transaction reports started rolling out, one by one.

It soon became apparent that something was not quite right. There were more statements than expected. On closer inspection, the staff found 35 suspicious payment orders for ridiculously large sums of money, supposedly transferred from Bangladesh Bank’s own account to accounts in other countries. Certainly no one at the bank had authorized them, and the SWIFT security system in place was unbreachable. As the Director sifted through the suspicious transfer requests, the true scale of the situation started dawning on him. The transfers totaled $951 million, an absurd amount and a significant chunk of the nation’s reserves. Where were they going? Who was responsible? Panic ensued as the staff scrambled to stop the payments. The ill-timed printer malfunction had already delayed their response. It seemed Bangladesh had just lost $951 million… But how did this happen?
The Background
The incident happened in February 2016, but what led to this moment actually started nine months earlier. In the Philippines, in May 2015, over 3,000 kilometres away, a group of men entered the Jupiter Street branch of RCBC Bank, just outside Manila, and opened four bank accounts with just $500 inside. The men then left, never to return, and the accounts were left seemingly abandoned.
Bangladesh was becoming one of the fastest growing economies in the world. Its Central Bank sat in the financial district of the capital, Dhaka, a bustling city of almost 20 million people. But despite all this rapid growth, it was a nation that could ill afford to lose one billion dollars of taxpayers’ money. Like many other national banks, Bangladesh Central Bank maintains an account with the Federal Reserve Bank of New York to deposit, maintain and transfer the foreign currency reserves of Bangladesh. The foreign currency reserves of Bangladesh, a growing economy, often reach multiple billions of US dollars. As of September 2020, Bangladesh had foreign currency reserves of US$39 billion.
Fast forward to January 2016, a month before the incident. An employee at the Bangladesh Bank was checking his email at work when he received a message with a resume attached, from an individual looking for opportunities to work at the bank. The employee opened the attachment and reviewed the resume. Nothing seemed out of the ordinary, and he thought nothing of it, but he went home that night not realizing he had just set in motion events that would soon shock the nation’s banking system. He had inadvertently clicked on an infected email attachment, one that immediately began installing a malicious program on the central bank’s computer system. This malware would allow intruders to enter the network and gain access to the inner workings of the Bangladesh Bank. Hiding in plain sight, the intruders could now spy on workers and study the bank’s operational procedures. That is exactly what they did, and from then on it was only a matter of time. A month later, the bank was shutting down for the weekend, which in a Muslim-majority country like Bangladesh falls on Friday and Saturday rather than Saturday and Sunday.
The Attack (D-Day)
On a Thursday evening in February 2016, the intruders entered the system once again, for the last time, because this was what they had prepared for. They were in the system, but manipulating international money transfers was a whole other animal. SWIFT is the global payment network that lets financial transactions be sent in a secure and reliable way, using military-grade security designed to be unbreachable. SWIFT does not move the actual funds; rather, it carries trusted payment orders between accounts, which the banks then act on. SWIFT is the standard in international banking, and this is partly why bank hackers usually focus on stealing the login credentials of individual account holders rather than targeting the banks themselves. That was not this group’s approach, because their target was the institution. Using the bank’s legitimate SWIFT credentials, collected through the malware, they were able to take control of the SWIFT terminals as if they were legitimate bank employees submitting the bank’s transactions. Yes, SWIFT itself is safe and secure, but the banks using it are responsible for their own cyber security on their end. If that security happened to be lacking, as is the case with many developing nations, SWIFT could be used against them. 35 phony requests totaling $951 million were sent via SWIFT to the Federal Reserve Bank of New York. Why New York? Because the Bangladesh Bank holds an account there with billions of dollars on deposit for international settlements. The requests sent from Bangladesh instructed the Fed to transfer the funds from New York to various accounts set up across Asia. They were done, in and out, in just a few hours.
New York
The next day, Friday, in New York City, one of the world’s biggest financial centres, the Federal Reserve Bank of New York was busy processing Bangladesh’s payment orders, or rather the supposed payment orders. The Fed, renowned for its security, initially had no cause to stop the transfers: SWIFT instructions are treated as legitimate, and the bank’s transfers were trusted. Oblivious to the deception, the Fed began processing the requests.
Bangladesh
Sunday morning, the Bangladesh Bank employees, back from the weekend, were still trying to fix the damn printer problem. The automated printer connected to the SWIFT network had not been working for the last few days, and the usual printouts of the real-time transfer confirmations were backlogged. Of course, this was the most unfortunate time for a technical glitch, except that it was not really a technical glitch. The Bangladesh Central Bank employees finally got the printer working and sorted through the payment requests. The staff reviewed the 35 payment orders and tried sending a stop-payment order to the New York Fed, but it was a Sunday, and there was minimal staff there to respond. By the time the New York staff returned on Monday, it would surely have been too late. Little did the Bangladesh Bank staff know that some luck was on their side: it turned out the automated system in New York had flagged 30 of the transactions for manual review. By chance, one of the words in the SWIFT order (RCBC Bank, Jupiter Street, Manila, Philippines) happened to match the name of a shipping company (Jupiter Shipping Company) that had been blacklisted for evading US sanctions against Iran. Pure coincidence, and it proved devastating for the hackers, as $870 million worth of transfers were now blocked. When staff took a closer look, they noticed several red flags: the unusually high number of payment instructions, the large transfers to private entities and individuals in Asia rather than to other financial institutions, and the ludicrously large total. At this point they had to seek clarification from the Bangladesh authorities, and after receiving word of the stop-payment order, the transfers were shut down. Was it over?
Yes, 30 of the transactions, worth $870 million, would never be seen by the hackers, but there were still five transactions left. The remaining $101 million, which the U.S. Fed’s automated system had failed to pick up on, was still a lot of money, and it had gotten through. Where did the five end up?
One payment worth $20 million was sent to Pan Asia Bank in Colombo, Sri Lanka, except that an observant employee of Pan Asia Bank noticed it was a huge amount to be sent to an entity in Sri Lanka. Pan Asia Bank sent it back to New York for further verification. On verification there were red flags, and the payment was shut down.
Then there were the four payments worth $81 million. It gets tricky, because not only were there four transfers sent to the same country, they were also sent to the same bank and the same branch: the Jupiter Street branch of RCBC Bank in Manila. The four accounts, opened with $500 and lying dormant for nine months, saw a sudden cash infusion. Such sudden bursts should have triggered an alert at RCBC, but for reasons unknown they slid under the radar. The accounts were later found to be under fictitious identities. From there, the money was quickly wired out, withdrawn and laundered through casinos, where the transfers were converted into hard, untraceable cash. The Bangladesh Bank did try to stop the transfers in Manila, but this was such a coordinated and planned heist that timing was not on their side. The stop order was not received by RCBC Bank on the expected Monday, because Monday was Chinese New Year, a non-working holiday in the Philippines. Every step of the way there were delays that benefited the hackers, and this was by design: a remarkably well-timed attack.
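As an added, defender-side illustration (not part of the original article), the screening rules below encode the red flags the New York Fed staff noticed and the dormant-account cash burst that RCBC should have caught; the sample orders, beneficiary types, dates and thresholds are constructed assumptions, not figures from the case.

```python
from datetime import date

# Constructed sample batch, loosely modelled on the orders that got past the Fed
# (beneficiary types, amounts, dates and thresholds are assumptions for illustration).
ORDERS = [
    {"id": "P1", "amount": 20_000_000, "beneficiary_type": "individual", "country": "LK"},
    {"id": "P2", "amount": 30_000_000, "beneficiary_type": "individual", "country": "PH"},
    {"id": "P3", "amount": 25_000_000, "beneficiary_type": "individual", "country": "PH"},
    {"id": "P4", "amount": 6_000_000, "beneficiary_type": "individual", "country": "PH"},
    {"id": "P5", "amount": 20_000_000, "beneficiary_type": "individual", "country": "PH"},
    {"id": "P6", "amount": 2_000_000, "beneficiary_type": "financial_institution", "country": "US"},
]


def batch_red_flags(orders, max_orders=10, max_total=50_000_000, private_share=0.5):
    """Screen a batch of outgoing payment orders for the three signs the Fed staff
    noticed: too many instructions at once, beneficiaries that are private parties
    rather than banks, and an implausibly large total. Returns the flag names raised."""
    flags = []
    if len(orders) > max_orders:
        flags.append("too_many_orders")
    private = sum(1 for o in orders if o["beneficiary_type"] != "financial_institution")
    if orders and private / len(orders) >= private_share:
        flags.append("mostly_private_beneficiaries")
    if sum(o["amount"] for o in orders) > max_total:
        flags.append("total_too_large")
    return flags


def dormant_account_burst(account, credit, dormant_days=90, ratio=1000):
    """Flag an inbound credit to an account idle for at least dormant_days whose
    amount exceeds ratio times the balance (the $500 accounts idle for nine months)."""
    idle = (credit["value_date"] - account["last_activity"]).days
    return idle >= dormant_days and credit["amount"] > ratio * account["balance"]


# Constructed beneficiary accounts: one opened with $500 and untouched since,
# one with recent activity; and an inbound credit sized like the Manila transfers.
DORMANT_ACCOUNT = {"balance": 500, "last_activity": date(2015, 5, 15)}
ACTIVE_ACCOUNT = {"balance": 500, "last_activity": date(2016, 2, 1)}
CREDIT = {"amount": 30_000_000, "value_date": date(2016, 2, 5)}

if __name__ == "__main__":
    print(batch_red_flags(ORDERS))  # ['mostly_private_beneficiaries', 'total_too_large']
    print(dormant_account_burst(DORMANT_ACCOUNT, CREDIT))  # True
    print(dormant_account_burst(ACTIVE_ACCOUNT, CREDIT))   # False
```

Thresholds like these are a starting point for alerting, not a verdict; the point is that each rule fires on a pattern the article shows was visible at the time.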
By then it was too late. Two men were found to be responsible for setting up the fake RCBC accounts in the Philippines. They turned out to be only middlemen, but still a crucial part of the operation, and investigators hoped questioning them would lead to the true culprits. Unfortunately, before the authorities could apprehend them, they left the country, boarding flights to Macau, a special administrative region of China, where it was then impossible to track them. The hackers got away with $81 million, not quite the original sum, but still enough by some metrics to be considered the single biggest bank heist in history.
Investigation
Why did the perpetrators immediately travel to Macau? Macau is North Korea’s financial point of contact with the rest of the world. Despite the attackers’ best efforts at removing evidence from the bank’s systems, cybersecurity experts were still able to analyze the malware. What they found were similarities in the techniques and tools used in the Bangladesh Bank heist and in many other cyber attacks on financial institutions around the world, which means this one group had very likely been responsible for a series of global attacks. This group was dubbed Lazarus. And there was more: as experts dug deeper, combing through server logs of recent attacks, they found something even more unexpected, an IP address connecting Lazarus to a particular nation state, North Korea. The logs indicated that the attack servers used had been accessed at least once from a North Korean IP address. Korean language was also found embedded in the code. It is important to note that it is possible North Korea was framed, with the attackers deliberately leaving behind purportedly solid evidence in order to mislead investigators. But according to the majority of cybersecurity experts, it is almost certain North Korea was behind the attack. And it was not just attacks on financial institutions: the group was also revealed to be responsible for many cyber terrorism and cyber espionage campaigns against the South Korean government and various South Korean infrastructure (including the Sony Pictures hack in 2014, one of the biggest corporate breaches in history). That will be covered in my next article.
The international implications of this attack for cybersecurity are profound. The investigations into the BCB attack are still ongoing and, no doubt, more revelations will emerge. All the while, cyber-attacks will continue to grow in scale and severity as the world becomes more and more connected. The cyber thieves were skilled, but their real success lay in exploiting vulnerabilities in the organizations they targeted, vulnerabilities which may have been invisible beforehand.
By looking at what happened, identifying the key weak points – in understanding vulnerabilities, in maintaining security procedures, in training employees, and in testing processes – companies can work to mitigate similar weaknesses in their own organizations.
The Bangladesh Central Bank (BCB) attack was not the first cyber attack to lead to serious losses, nor will it be the last. Only by approaching every such event with fresh eyes will organizations learn to respond to – or prevent – these threats.
-- Natarajan Karri