In Bangladesh Heist, Following the Money Through Cyber Twists: Nation Vs. Nation?

Source: Admiral Stavridis, Innovation Project 2017

“Follow the money,” the shadowy figure known as Deep Throat whispered to a pair of intrepid D.C.-based reporters during the dark days of Watergate more than 40 years ago.

The maxim has stayed the same in the ensuing decades, but the technology has changed. Following the money, and the people behind making the money move, has become a lot harder. The web has a lot of shadows, the shadows hide a lot of bad actors, and sometimes those actors contain multitudes. And the money is only a byproduct of malice or intent from those actors.

This has been the case with the ever-evolving story behind the $81 million heist that siphoned funds from Bangladesh via the Federal Reserve Bank in New York last year. The amount taken is huge, to be sure. Some of money has been returned, to the tune of about $15 million, after having been traced through a laundering operation that wound its way through the Philippines via casinos and some enterprises. Now there are new developments in the case, where it was revealed this week that North Korea may have some fingerprints among the hands that touched the money, if only virtually.

Stealing money for the sake of getting rich with the taps of a few keystrokes is one thing — an actor, or band of actors, chasing vulnerabilities in technology to make off with millions. That’s likely the first image that comes to mind when we think of high-tech bank robberies.

But what happens when the prime mover behind the theft is an actual nation? Acting not against individuals, but another nation? In a bit of saber rattling that has less to do with money than with exposing weakness and dominance on a brave new front of cyberwar?

Attendees at Innovation Project (IP) 2017 got a glimpse of this country-to-country combat scenario when Admiral James Stavridis took the stage and noted that international defense is increasingly shifting to theaters where bits and bytes are the weapons of choice.

And in one slide particularly centered on this case, the admiral noted that pressure is coming to bear on the Philippines to fix “loopholes in its financial regime.” Stavridis’ talk, delivered a full week before the latest news hit the wires implicating (or implicating the implication of) North Korea in the money-laundering scheme, had been billed as an examination of what a cyberwar “Pearl Harbor” might mean for the U.S. and beyond. The landscape is dynamic and demands, among other measures, a cybersecurity defense force, the Admiral told IP 2017 attendees.

It’s not just about stealing identities and credit card numbers; now, the financial system and the conduits that move money themselves can be used to commit crimes, as the lifting of funds from Bangladesh in the U.S. shows. The Philippines itself has been debating the extent to which bank secrecy laws should be scaled back to reveal terrorism funding, drug cartel activity and even fund flows among casino operators (where, it should be noted, some of the money wound up). There’s some debate as of Thursday (March 23) as to whether Chinese middlemen helped funnel the money to those outlets after having passed through the Rizal Commercial Banking Corp. (Stavridis and others have noted that casinos are not in fact governed by anti-money laundering laws in the Philippines.)

Looking at the technological aspects of the crime, this was no mere hack. The money made its way to the Philippines after infiltrators used international bank access codes tied to the SWIFT system, and not by “breaking” into the Fed’s bank itself.

This may call into doubt the security of SWIFT’s messaging itself, but it also brings forth a perhaps even more troubling picture: companies and enterprises and indeed, entire swaths of financial systems, hobbled by the collective might of an actual nation as foe.