How Hackers robbed a bank

Fahri Korkmaz
3 min read · Dec 12, 2021

You thought the best bank robbers use weapons, masks and fast vehicles? Then you are wrong! This article tells the story of a bank heist in which keyboards were the weapons.

What happened?

This story took place in February 2016. Between Thursday 4 and Friday 5 February 2016, unauthorized users issued 35 SWIFT payment instructions from Bangladesh Bank to the Federal Reserve Bank of New York. The total sum was 951 million USD. The money's destinations were accounts in the Philippines, Sri Lanka and other parts of Asia. Because of the huge amount of money, the New York bank sent SWIFT messages to Bangladesh Bank asking for clarification. But Bangladesh Bank did not respond, as all of its employees were enjoying their weekend. The weekend in Bangladesh runs from Friday to Saturday, because the majority of the country's population is Muslim.

One of the transactions was for 20 million USD. It was sent to Sri Lanka. The hackers tried to send the money to an NGO called "Shalika Foundation", but they misspelled "foundation" as "fandation". Furthermore, the NGO "Shalika Foundation" does not exist. Hence the routing bank, Deutsche Bank, stopped the transaction and sought clarification from Bangladesh Bank.

The New York bank also flagged 30 transactions for manual review, because one of the words in the SWIFT transactions triggered an automated tool: it matched the name of a shipping company that had been blacklisted for evading US sanctions against Iran. So luckily these transactions were blocked.

The last $81 million were sent to the Philippines, spread across multiple accounts. Bangladesh Bank and the New York bank tried to contact the Philippine bank, but got no response. It was Chinese New Year and the Philippine bank's employees were not working at that time. When the bank employees wanted to block the accounts, it was already too late. The money had been withdrawn. The people who withdrew the money laundered it in casinos and brought it to Macau in China, a city used by North Korea for financial deals.

How did they get into the bank’s network?

The hackers sent resume-themed phishing mails to employees of the bank. At least three employees downloaded the malicious attachment, which then installed malware on their systems.

Who did it?

Based on the FBI's investigation, the hack was performed by a North Korean state-sponsored threat actor called the Lazarus Group. The Lazarus Group is known to attack financial institutions for financial gain. The FBI also identified three individuals who were involved in the attack. These individuals are part of the North Korean military.

What can we learn?

North Korean APTs are the only state-sponsored threat actors that hack for financial gain. It is believed that North Korea uses hacking to finance its military programs, as sanctions make it hard for the country to earn money in other ways.

Also, even very complex attacks like this one use simple techniques, like phishing, to gain initial access. You should definitely invest money in securing the human factor by giving regular awareness training.

Sources

AON. (2019, 13 September). The Bangladesh Bank Heist: Lessons In Cyber Vulnerability. The One Brief. Retrieved 4 December 2021, from https://theonebrief.com/the-bangladesh-bank-heist-lessons-in-cyber-vulnerability/

Carvajal, N. C., Morales, R. D. & Pago, A. C. (2020, 21 September). What went before: The Bangladesh Bank heist. Philippine Center for Investigative Journalism. Retrieved 4 December 2021, from https://pcij.org/article/4291/what-went-before-the-bangladesh-bank-heist

Reuters. (2016, 11 March). Spelling mistake stops hackers stealing $1 billion in Bangladesh bank heist. The Independent. Retrieved 4 December 2021, from https://www.independent.co.uk/news/world/asia/spelling-mistake-stops-hackers-stealing-1-billion-in-bangladesh-bank-heist-a6924971.html

Shevchenko, S. (2021, 4 December). Two bytes to $951m. BAE Systems Threat Research Blog. Retrieved 4 December 2021, from https://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html

Shields, N. P. (2018, August). Criminal Complaint. United States District Court. https://www.justice.gov/opa/press-release/file/1092091/download

Zetter, K. (2016, 17 May). That Insane, $81M Bangladesh Bank Heist? Here's What We Know. Wired. Retrieved 4 December 2021, from https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/
