Many will remember the attempt by cyber-hackers in February 2016 to drain all the money from an account held by the central bank of Bangladesh (the “Bangladesh Bank”) at the Federal Reserve Bank (FRB) in the USA. Hackers had managed to access Bangladesh Bank’s computers which host the interbank communication system, known as SWIFT, and request the US bank to transfer, through 35 separate bank orders, a total of $951 million into accounts set up primarily at a bank in the Philippines.
In the end, the hack was only partially successful with the FRB transferring $101 million from the account before it became suspicious — though this amount of course is far from being an inconsiderable sum of money and remains the largest successful cyber-theft from a financial institution to date.
Why report it now? A new BBC podcast investigating North Korean’s elite cyber-hacking group known as Lazerus, provides new details on how the hack into the Bangladesh Bank took place. And it is quite fascinating.
Episode 4 of the podcast focuses on the Bangladesh Bank hack and includes an interview with Eric Chen, a technical director at Broadcom Symantec, a leading cyber security firm, who was given access to the digital evidence in the Bangladesh Bank hack.
The Lazarus Heist – 4. Billion dollar hack – BBC Sounds
Catch up on your favourite BBC radio show from your favourite DJ right here, whenever you like. Listen without limits…
Chen explains that the hackers could not access the Government’s SWIFT computers directly as they were relatively well protected. So the hackers had to find a way to access the bank’s general computer network first.
“They were doing things like using Linked-in and Facebook to find employees of the bank that they could basically trick into opening an email, just random back office employees. …
In this particular case the kind of person they were looking for was someone who would be willing to hire a new candidate. In the end they had sent maybe a couple of dozen emails to a variety of Bangladesh Bank employees with a supposed resume. They made up a resume, a guy called Rasel Aslam. “
The email Aslam sent to Bangladesh Bank employees stated:
“I am extremely excited about the idea of becoming a part of your company and I am hoping that you will give me an opportunity to present my case and further detail in a personal interview. Here is my resume and cover letter. Thank you in advance for your time and consideration.”
Chen said that along with the email, there was a link to a zip file.
“And in that zip file it contained a document. But when you opened up that zip file and that document it actually contained [malware] that would run on these peoples’ machines. In the end, at least three Bangladesh Bank employees had attempted to open and download that malicious file.”
Moving through Bangladesh Bank
So the hackers were in the Central Bank’s computer system — but from here they needed to find a way to get to the SWIFT computers. Chen went on to say in the podcast:
“What they need to do it is to move from these computers to what is ultimately their target, the SWIFT terminals. They spend a better part of that year basically just jumping from one machine to another. So they have access to a machine, they basically dig into that machine for other credentials, other users, other usernames, other usernames’ passwords, and they then use those credentials to say, “What machines are connected to this machine”. And then they try those credentials and try to jump from one machine to another and then they repeat and replay that over and over again.”
This is how they moved from one computer to another within Bangladesh Bank to try and get as close to the SWIFT computers. And as they went along, the hackers tried to clean up the evidence of their intrusion, so although they might have had access to hundreds of computers in total, at any one time they only had access to one or two. After a year, they reached their target. Chen states:
“First time they got to actually the terminals was in January 2016. And once [they] got onto these SWIFT terminals, their goal was to make multiple international billion dollar transfers.”
The printer problem
But the hackers then faced two further problems. The first was that Bangladesh Bank recorded all transfers on the computer system — which could allow Bangladesh Bank officials to identify that these illegal transfers were taking place and allowing then to block them.
“To [delete the digital records] they needed to hijack the software. And while understanding how to do that would have been difficult and took them weeks — reverse engineering that software to figure it out — ultimately in the end they had to basically change [just] four characters.”
The second problem was that the software also printed out a hard copy of all the SWIFT transactions.
“The swift terminal software would actually send to the printer a hard copy print out of every transaction that occurred. So the attackers basically needed to bypass all the printed out copies of the transactions.”
So the hackers took the printer out of action:
“Every time the printer tried to send a printout to the printer, they would simply overwrite those print jobs, or those files which contained content to print with zeros so nothing would print, instead there was all these black paper in the printer.”
Once the printer was taken care of, the hackers were ready to steal the money. At 8pm on Thursday, 4th February 2016, the hackers got the SWIFT computers to send their first bank transfer request to the US bank. Over the next eight hours they sent a total of 35 transfer requests seeking a total of $951 million be sent primarily to a bank, RCBC, in the Philippines.
Bangladesh Bank officials had no idea that this was happening.
At 8:45 am on Friday, the next morning — nearly five hours after all the transfer requests had been sent — the central bank’s duty manager entered the room on the 8th floor where the SWIFT computers were based and noticed that the printer was not working — and that the printer tray was empty. He couldn’t fix it, tried the printer again a few hours later, went off to Friday prayers and decided that he would sort it out the following day. In Bangladesh, Friday is a holiday, so the bank only had very limited staff present.
But the next morning, Saturday, the printer was still not working, so the duty manager sought permission to find another way to reboot it. As the printer came back to life, it printed out both the details of the transfers that the hackers had made through the SWIFT computers along with the queries from officials at the US Federal Reserve Bank asking whether the Bangladesh Bank really intended to deplete all its fund from the account. The Bangladesh officials panicked and then phoned, faxed and emailed the FRB. But it was now Saturday — the weekend in the US — and there was no one to respond.
How the heist was de-railed
The hackers may well have got away with a billion dollars but for a total fluke.
The podcast reports that most of the bank transfers requested that the money be sent to the RCBC bank in Manilla, the capital city of the Philippines, which was located on “Jupiter Street”. It was the name of the street that saved Bangladesh — as “Jupiter” was the same name of a US sanctioned Iranian shipping vessel. This made officials suspicious, and after having cleared four transfer requests to RCBC bank totalling $81 million, the remaining transfer requests were flagged and blocked. (An additional $20 million sent to a Sri Lankan bank was stopped when a Deutsche Bank official noticed a misspelling in the name of the putative recipient. See this Reuters article)
Who did it?
Episode one of the BBC podcast begins with detailed descriptions of the hack of Sony Pictures in 2014 and the responsibility of North Korea’s hacking team, Lazarus. In the episode on Bangladesh, the podcast details how after the Bangladesh Bank heist the FBI investigated to see if there was a link between the two hacks.
The Sony film hackers had used emails, Twitter and Facebook in order to attack the film studio, and the FBI got search warrants to access these accounts used for hacking purposes — about 1,000 of them. This allowed the FBI to see the content of the messages that had been sent. Tony Lewis, Assistant US Attorney for the Central District of California at that time, helping FBI assemble a criminal case against the hackers, said:
“There were some accounts that were used to both target Sony Pictures and conduct reconnaissance and target Bangladesh Bank.
There were connections between accounts used for each of those things but there was also some accounts that themselves were used to target both of those victims.”
One example was the email address that sent the email job application to Bangladesh Bank. This was from firstname.lastname@example.org which was the same email address that had been used to hack into Sony. (Read more about this in the criminal complaint against Park Jin Hyok.)
There are another six episodes of the podcast — so there could well be more about the Bangladesh heist!