Anatomy Of A Bank Heist, SWIFT-ly Done By Phishers

In 2016, $81 million disappeared from Bangladesh's central bank. It could have been a lot worse: the hackers tried to get away with close to $1 billion. U.S. court filings this month may have revealed whodunit, and how. The attackers made off with the money via bits and bytes, using the SWIFT network to issue fraudulent payment instructions.

Phishers caught a big one — any way it’s sliced, $81 million is a big haul. The fraudsters who hacked their way into the Bangladesh central bank two years ago got there by getting into software tied to the SWIFT financial platform.

The way they got there? By casting a line by email, of course, offering a cautionary tale for anyone who sees a link they are quick to click.

The Background

Earlier this month, the Department of Justice unveiled a criminal complaint that showed just how hackers (allegedly) work on a global scale, and to the tune of hundreds of millions of dollars in ill-gotten gains.

The particulars of the complaint: The Justice Department charged Park Jin Hyok of North Korea for involvement in a slew of cyberattacks conducted globally. Park, said the complaint, was part of a hacker group backed by the North Korean government (with operations conducted in part through Chosun Expo Joint Venture, a state-owned entity), and the charges unsealed by the United States tied him to other attacks, including the headline-grabbing 2017 WannaCry 2.0 global ransomware attack and the 2014 attack on Sony Pictures Entertainment (SPE).

“The conspiracy targeted computers belonging to entertainment companies, financial institutions [FIs], defense contractors and others for the purpose of causing damage, extracting information and stealing money,” alleged the filing.

Per Nathan Shields, special agent with the FBI, the details of the conspiracy and the hack(s) come from multiple sources, spanning activities such as analyzing compromised victim systems and executing approximately 100 search warrants across 1,000 email and social media accounts. There were also 85 formal requests for evidence sent to foreign countries, Shields stated in the affidavit supporting the complaint.

Park is being charged by the U.S. government with one count of conspiracy to commit computer fraud and abuse. That charge carries a maximum sentence of five years in prison. Additionally, there is one count of conspiracy to commit wire fraud — a charge that could lead to a maximum sentence of 20 years in prison.

The heists appear designed to get as much cash as possible. As The New York Times recapped, the cash needs of North Korea are real, as several countries will not forge economic relationships with the country.

Of interest to those who are observers and participants in the payments space, and as detailed in the report: The theft of $81 million from the Bangladeshi central bank could have been a lot worse. Close to $1 billion could have been pilfered had a spelling error not tipped off bank staff (more on that in a moment).

The Methods

Writ large, the attack on and entrée into Bangladesh Bank two years ago began with phishing emails sent to employees of the bank. Upon snaring some unwitting victims, the hackers gained access to the bank's network and, from there, the ability to send messages via SWIFT.

This might seem an old-fashioned trick in this digital age, but it was efficient and effective nonetheless.

“While some of the work referenced in Chosun Expo Account messages involved non-malicious programming-for-hire, operational accounts connected to those Chosun Expo Accounts were used for researching hacking techniques, reconnaissance of victims and, ultimately, sending spear-phishing messages to victims” that included the Sony Pictures and Bangladesh hacks, said the complaint. It added later, in describing the methodology, that Park and his peers used North Korean IP addresses to ply their trade.

The Bangladesh Bank Hack

The complaint, naming both Park and Chosun Expo Joint Venture (though only Park was charged), said the attacks “targeted and then executed the fraudulent transfer of $81 million from Bangladesh Bank, the central bank of Bangladesh, in February 2016, the largest successful cybertheft from a financial institution to date.”

Chosun also plied its trade from locations in China (where Park was based from 2011 to 2013), according to the complaint. Chosun funneled money and manpower to the North Korean hacking organizations by doing legitimate tech-focused work from China. The complaint alleged that customers were aware the Chosun employees “were North Korean computer programmers connected to the government.”

The Bangladesh theft could have come closer to $1 billion: the fraudulent payment orders requested roughly $951 million in total, per news reports at the time. Beyond the $81 million that was drained, a $20 million transfer was halted after an alert official at a bank handling the payment noticed that “foundation” in the beneficiary's name was spelled “fandation”, and the bulk of the remaining requests, about $850 million, were blocked before the money left.

“Technical similarities” also connect the malware used in attacks against SPE, Bangladesh Bank, other FIs, defense contractors (among other actual and intended victims) and the WannaCry ransomware. Those technical similarities spanned malware functionality, common encryption keys and domains programmed into the malware.

The complaint said that the hackers, at around the same time as the attacks were being waged on Sony, began attacking FIs, looking to steal money. The attacks used some of the same email accounts that had been used in efforts against Sony and targeted the local networks of those banks (where victims included Bangladesh Bank, a bank in Vietnam, a bank in Africa and a bank in Southeast Asia), using the SWIFT system to communicate payment instructions.

Initial efforts stretching back to 2014 involved “reconnaissance” of the banks and spear-phishing messages sent from Gmail accounts, in which the hackers posed as job applicants seeking interviews and included links to malware in their emails. The hackers, noted the filing, “were successful in causing recipients at Bangladesh Bank to download the payload from their spear-phishing emails.”

Upon success with the phishing, the hackers “moved through the bank's network” to reach the computers that the victimized banks used to send and receive messages over SWIFT systems. With that access, the filing said, the hackers were able to impersonate bank employees who were authorized to create and transmit messages across the SWIFT system. The fraudulent SWIFT messages were then sent via remote access to Bangladesh Bank's terminals that interfaced with the SWIFT system, and they were designed to look like authentic SWIFT communications.

The bad guys also used malware that interfered with the bank's normal processes for printing confirmations of SWIFT messages and with the Oracle databases the bank used to retain records of messages sent via SWIFT, and “then used other malware to delete evidence of those concealing activities,” noted the filing.
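The practical lesson of that paragraph is that a compromised messaging host cannot be trusted to report what it sent: the database rows and printed confirmations an operator would normally check are exactly what the malware suppressed. The check below is an added example, not code from the complaint or the article: it compares an independent copy of the outbound payment orders (assumed here to come from a network tap on the link to the SWIFT interface, a hypothetical source) against the references that survive in the host's own database and printer log, and flags every order the host no longer admits to. The message texts, references, amounts and beneficiary names are constructed for the example; the parser reads only the three MT103 fields the check needs.

```python
"""Out-of-band reconciliation of outbound SWIFT MT103 payment orders.

Trust model: the messaging host's database and print log are treated as
untrusted (malware on the host can delete rows and suppress printing). The
wire copy is assumed to come from a hypothetical network tap, i.e. a source
the host cannot rewrite. All sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Block-4 tag matcher: ":TAG:" followed by the value, including continuation
# lines that do not themselves start with ":" (field :59: spans several lines).
FIELD_RE = re.compile(r":(\d{2}[A-Z]?):([^\r\n]*(?:\r?\n(?!:)[^\r\n]*)*)")


@dataclass(frozen=True)
class Mt103:
    ref: str          # :20:  transaction reference
    amount: str       # :32A: value date, currency and amount
    beneficiary: str  # :59:  account line followed by name/address lines


@dataclass(frozen=True)
class Alert:
    ref: str
    amount: str
    beneficiary_name: str
    missing_from: tuple  # which host-side records lack this reference


def parse_mt103(raw: str) -> Mt103:
    """Minimal parser: only :20:, :32A: and :59: are read; a real MT103
    carries many more fields, which this check does not need."""
    fields = {tag: value.strip() for tag, value in FIELD_RE.findall(raw)}
    return Mt103(ref=fields["20"], amount=fields["32A"], beneficiary=fields["59"])


def beneficiary_name(msg: Mt103) -> str:
    """First non-account line of :59:, i.e. the beneficiary's name."""
    lines = [ln for ln in msg.beneficiary.splitlines() if not ln.startswith("/")]
    return lines[0] if lines else ""


def reconcile(wire_copies, db_refs, print_refs):
    """Return an Alert for every order seen on the wire whose reference is
    absent from the host's message database or from the confirmation printer
    log. An order present in both is considered accounted for."""
    alerts = []
    for raw in wire_copies:
        msg = parse_mt103(raw)
        missing = []
        if msg.ref not in db_refs:
            missing.append("database")
        if msg.ref not in print_refs:
            missing.append("printer")
        if missing:
            alerts.append(Alert(msg.ref, msg.amount, beneficiary_name(msg), tuple(missing)))
    return alerts


# Constructed sample: three outbound orders captured out of band. The first is
# a legitimate payment; the other two are fraudulent orders whose host-side
# traces were removed (database rows deleted, confirmations never printed).
WIRE_COPIES = [
    ":20:BB2016021001\n:32A:160210USD1250000,\n:59:/12345678\nNORTHWIND TRADING LTD\nDHAKA\n",
    ":20:BB2016021002\n:32A:160210USD25000000,\n:59:/87654321\nOCEANSIDE HOLDINGS INC\nMANILA\n",
    ":20:BB2016021003\n:32A:160210USD20000000,\n:59:/55555555\nHARBOUR FANDATION\nCOLOMBO\n",
]
DB_REFS = {"BB2016021001"}     # references still present in the messaging database
PRINT_REFS = {"BB2016021001"}  # references whose confirmation reached the printer


if __name__ == "__main__":
    for alert in reconcile(WIRE_COPIES, DB_REFS, PRINT_REFS):
        print(f"ALERT {alert.ref} {alert.amount} -> {alert.beneficiary_name}: "
              f"missing from {', '.join(alert.missing_from)}")
```

The design point is the source of truth: the wire copy must be collected somewhere the attacker who owns the SWIFT terminal cannot reach, or the reconciliation is only comparing one forged record against another. The same comparison works against the correspondent bank's acknowledgements in place of a network tap.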

“Each of those SWIFT messages directed the Federal Reserve Bank of New York to transfer funds from Bangladesh Bank’s account, held in U.S. dollars there, to the specified accounts in the Philippines (and Sri Lanka) via specific U.S. correspondent banks,” said the complaint.

Thus, the heist against Bangladesh Bank in February 2016 saw $81 million routed to accounts in the Philippines, and $20 million routed to Sri Lanka; in the latter case, the transfer was stopped before the money could be withdrawn. The $81 million that did make it to the Philippines (to accounts not held at the Philippine bank the complaint separately identifies as a hacking target), said the filing, was laundered through several bank accounts and a money remittance firm, in addition to casino junkets. Some forethought was at work here: The bank accounts that received the plundered funds had been set up in May 2015 under fictitious names.

To date, only a limited amount (roughly $15 million as of the beginning of this year) of that $81 million has been recovered.