In 2016, a mysterious organization stole $951 million from the central bank of Bangladesh. How did hackers, with a plan that outdid any Hollywood movie, expose the weaknesses of the global financial world? Which country did the researchers studying the cyber attack find behind it? What happened 7 years ago? Behind the scenes of the unforgettable theft…
Bangladesh Central Bank duty chief Zubair Bin Huda did not know that he would face the biggest theft attempt in history when he entered the 30-storey headquarters building in Dhaka at 8.45 on the morning of Friday, February 5, 2016.
Taking the elevator to the ninth floor, Bin Huda entered the “transaction room” of the Accounting and Budget Department, which only a few people were allowed to enter, and was puzzled to find that the printer on which the messages recording Swift transactions were printed had broken down.
While the duty supervisor in charge of the device, which had had minor malfunctions before, tried to find the source of the problem, international Swift instructions could not be viewed. Worse, the technical team could not be reached because it was a public holiday in Bangladesh.
‘SUCH DISRUPTIONS WERE CONSTANTLY HAPPENING’
Since the Central Bank of Bangladesh had not digitalized its processes, this printer was vital: administrative staff relied on printouts of large money transfer instructions, sent over standard phone lines and other channels, for their messaging and filing.
Although efforts were made to fix the device, nothing worked, and because of the public holiday the transfers could not be viewed. Speaking to the authorities, Bin Huda tried to play down the situation, saying, “Such minor disruptions were constantly happening.” However, the situation was not as harmless as he thought.
No one had even considered that this incident on February 5 could be related to an attack by hackers. Unidentified hackers had infiltrated the bank’s system and launched a never-before-seen cyber attack. They had a single goal: to transfer billions of dollars held by the Central Bank to other accounts through a series of account movements.
Here is the behind-the-scenes of the movie-like robbery that astounded the world…
THEY USED ONLINE CASINOS TO TRANSFER MONEY
The magnitude of the robbery began to emerge a day later. Bangladeshi officials who managed to get the printer working received three messages from the Federal Reserve Bank of New York. A Fed employee wrote to Bangladesh asking for an explanation about 46 payment orders received in the last 24 hours.
The Fed had never before received a request to transfer such large amounts of money from the bank. Together, the instructions called for the transfer of approximately 1 billion dollars.
“There must be a mistake,” Bin Huda thought. Bangladesh Bank rarely sent more than two or three payment instructions to the Fed in a day, even during business hours.
Bangladeshi authorities began examining the files to find out more. Which account had the money gone to? The statements they were able to find were corrupted and unreadable. Realizing that something had gone seriously wrong, Bin Huda panicked and was unsure where to turn.
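The Fed’s query rested on a simple observation: a bank that normally sent two or three instructions a day had sent dozens overnight, on the eve of a holiday, to beneficiaries it had never paid before. The following is an added example, not code from the article or from any of the institutions it describes, of a volume, timing and new-beneficiary check of the kind either the sending or the receiving institution could run over its own message log. The log format, the thresholds, the business hours and the holiday list are all assumptions, and the log lines are constructed for illustration.

```python
"""Flag an anomalous burst of outgoing payment instructions.

Added example (not part of the original article). Three independent
signals are computed over a constructed message log:
  1. daily volume far above the bank's own baseline,
  2. instructions issued on weekends, holidays or outside business hours,
  3. beneficiary accounts never seen in the preceding history.
"""
from datetime import datetime, time
from statistics import median

# Constructed sample log, not real data. One line per outgoing instruction:
# "timestamp|amount_usd|beneficiary_account".
SAMPLE_LOG = """\
2016-02-01T10:12:00|1200000|BENEF-A
2016-02-01T14:30:00|450000|BENEF-B
2016-02-02T09:05:00|900000|BENEF-A
2016-02-03T11:40:00|2000000|BENEF-C
2016-02-03T15:10:00|300000|BENEF-B
2016-02-04T09:50:00|700000|BENEF-A
2016-02-04T21:00:00|20000000|BENEF-X
2016-02-04T21:01:00|25000000|BENEF-X
2016-02-04T21:02:00|30000000|BENEF-Y
2016-02-04T21:03:00|20000000|BENEF-Y
2016-02-04T21:04:00|81000000|BENEF-X
2016-02-04T21:05:00|6000000|BENEF-Y
"""

# Assumed non-business days and business hours (constructed for the example).
HOLIDAYS = {"2016-02-05"}
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 0)


def parse_log(text):
    """Parse the pipe-separated log into dicts with a datetime, amount and account."""
    records = []
    for line in text.strip().splitlines():
        ts, amount, account = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts),
                        "amount": int(amount),
                        "account": account})
    return records


def daily_counts(records):
    """Number of instructions per calendar day (ISO date string -> count)."""
    counts = {}
    for r in records:
        day = r["ts"].date().isoformat()
        counts[day] = counts.get(day, 0) + 1
    return counts


def burst_days(counts, factor=3, floor=5):
    """Days whose count exceeds max(floor, factor * median of the other days).

    The median is computed leave-one-out so that the burst day itself
    cannot inflate the baseline it is compared against.
    """
    flagged = []
    for day, n in counts.items():
        others = [c for d, c in counts.items() if d != day]
        baseline = median(others) if others else 0
        if n > max(floor, factor * baseline):
            flagged.append(day)
    return sorted(flagged)


def off_hours(records, holidays=HOLIDAYS):
    """Instructions issued on a weekend, a holiday or outside business hours."""
    out = []
    for r in records:
        ts = r["ts"]
        day = ts.date().isoformat()
        in_hours = BUSINESS_START <= ts.time() < BUSINESS_END
        if ts.weekday() >= 5 or day in holidays or not in_hours:
            out.append(r)
    return out


def new_beneficiaries(records, flagged_days):
    """Accounts paid on a flagged day that never appear on any unflagged day."""
    seen, new = set(), set()
    for r in sorted(records, key=lambda r: r["ts"]):
        day = r["ts"].date().isoformat()
        if day in flagged_days:
            if r["account"] not in seen:
                new.add(r["account"])
        else:
            seen.add(r["account"])
    return new


def report(text):
    """Run all three checks and return the findings as a dict."""
    records = parse_log(text)
    bursts = burst_days(daily_counts(records))
    return {
        "burst_days": bursts,
        "off_hours_count": len(off_hours(records)),
        "new_beneficiaries": sorted(new_beneficiaries(records, set(bursts))),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Each signal alone is noisy; a single large legitimate payment after hours happens. The point of combining them is that a burst day on which every extra instruction is off hours and every beneficiary is new is exactly the pattern the Fed employee was reacting to, and it can be raised for manual review before the transfers settle rather than after.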
Bin Huda called Swift’s office in Brussels and sent an e-mail to the manager of the Swift tracking unit. He tried to reach the Fed in New York by phone, but the bank was closed for the weekend.
Answering questions in the investigation opened after the incident, the Central Bank duty supervisor said he had sent e-mails and faxes to stop all payment transactions. Even though no one realized it yet, they were facing the most daring bank robbery ever seen.
The hackers used charities, online casinos, fake bank accounts and a wide network of collaborators to siphon off the money.
SECURITY VULNERABILITIES COST MILLIONS OF DOLLARS
Adrian Nish, Intelligence Director of BAE Systems, the British cyber security firm that investigated the attack on Bangladesh Bank, said he found that the bank used only “minimum level” security systems.
Even for skilled hackers, the most convenient way to infiltrate the Swift system is through other member banks. Over the past three years, hackers have been infiltrating the computer networks of banks in Ecuador, Taiwan, Vietnam, Poland, India and Russia, trying to send fake payment instructions through the Swift network. Although various mechanisms were put in place against hackers exploiting security vulnerabilities, millions of dollars were lost during this period.
“The banking systems of developing countries do not have the security mechanisms that developed countries have,” said Patrick Neighorn of US cybersecurity firm FireEye, adding that this creates an opening in the system: “The majority of transactions cannot be managed centrally, and the technological infrastructure that would enable this has not yet been implemented.”
But who were these hackers? Which countries was this operation carried out through? The authorities who followed the digital traces were horrified by what they found.
THEY STOLE $1 BILLION THROUGH 70 FAKE PAYMENT INSTRUCTIONS
Investigations revealed that the hackers had infiltrated the global Swift system and, after hiding for months, chose the country with the most primitive banking system. When the day of action came, starting Thursday afternoon New York time, 70 fraudulent payment orders totaling $1 billion were sent to the Fed, directing the money to four bank accounts in the Philippines and one bank account in Sri Lanka.
The timing was well thought out. Since the public holiday fell on a Friday and the branches were closed over the weekend, the hackers had bought themselves a lot of time. Not only that: even though Bin Huda sent a stop-payment order to the Central Bank of the Philippines, it could not stop the transfer because of the Chinese New Year holiday.
It was only four days later that Bangladeshi officials requested official intervention to cancel the transaction. However, the Philippine Central Bank asked that complaints and cancellation requests be sent to it in writing via diplomatic mail.
But who or what organized such a planned robbery? Who had the expertise and courage to pull off such a heist? Weeks after the crime, Bangladeshi authorities assigned US cybersecurity firm FireEye to investigate.
FireEye signed a nondisclosure agreement with the bank, and although an agreement was reached to maintain absolute confidentiality, some of the bank’s findings were leaked to the public and other cybersecurity firms drew their own conclusions from publicly available evidence.
‘NO BANK IN THE WORLD IS SAFE’
Analysts began examining the Sony Pictures attacks in November 2014 and the “Dark Seoul” attacks in March 2013 to determine the method used by hackers. During the investigation, it was revealed that the same code used in the WannaCry ransomware attack in May 2017 was also used in the Central Bank robbery. In this attack, hackers paralyzed more than 200 thousand computers worldwide and demanded that the ransom be paid in Bitcoin to fix the system.
Experts thought that the Lazarus Group carried out this operation. Possible suspects had finally been identified.
In the investigations carried out by US intelligence IT experts, it was claimed that the North Korea-based cyber hacker team organized these attacks. Following harsh sanctions, the North Korean administration was thought to have carried out such operations to combat food shortages across the country and develop its arms industry.
FireEye wasn’t the only organization looking into the issue. National Security Agency Deputy Director Richard Ledgett said they had reviewed the findings of the cyber security firms and that North Korea had created a new cyber attack group, adding:
“If the emerging data is correct, it means that no bank around the world is safe. This is a very different issue from others and one that should be taken seriously.”
THE ROBBERY WAS REHEARSED ON SONY PICTURES
The Lazarus Group’s first significant attack on US soil took place in Hollywood. Los Angeles-based Sony Pictures Entertainment announced in 2013 that it was preparing a new movie, starring Seth Rogen and James Franco and set in North Korea. The subject of the movie was the assassination of North Korean President Kim Jong-un by CIA officers.
North Korea declared in harsh terms that it would take action against the USA if this movie was shot. Immediately afterwards, the hacker group calling themselves “Guardians of Peace” sent a threatening message to Sony Pictures in November 2014.
Wanting to prove that the threat was real, the hackers sent images reminiscent of horror movies to the computers of company employees a few days later. Immediately afterwards, correspondence of company executives, salary information and information about films in development were published on the internet.
The company’s entire IT infrastructure collapsed for about a week. The company was unable to operate because its computers were locked by malware. Employees could not even enter the building, because their staff ID cards could not be read.
Although Sony Pictures said that it would not bow to the pressures and attacks, the project was shelved after the threat that the next attacks would be physical. When IT experts examined the attacks against Sony Pictures, they realized that the attack was actually a rehearsal for a much more ambitious operation.
The 2016 Bangladesh Central Bank robbery was rehearsed on Sony Pictures.
A GIANT TEAM OF 1700 PEOPLE
Of course, most people considered it impossible for such an operation to have been run from North Korea. The reason was that North Korea’s cyber infrastructure was thought to be far too backward to allow an attack of this scale.
Investigations by the FBI raised an important possibility: the attack could have been organized by a shadowy group of hackers operating in different parts of Asia with the support of the North Korean regime.
For this reason, the North Korean hacker group, which was impossible to track, was named the “Lazarus Group” in the cyber-security industry. The name refers to Lazarus of Bethany, miraculously raised from the dead by Jesus Christ, and was chosen because the malware produced by this group was so difficult to eradicate.
Investigations by US intelligence have learned little about the group to date. But the most interesting finding is that the Lazarus Group is not a small team.
Officials believe North Korea has a massive hacker network of about 1,700 hackers worldwide and 5,000 instructors, supervisors and other support staff.
THERE ARE MILITARY AND FINANCIAL DEPARTMENTS
Many operations aim to gather intelligence on South Korea. The hackers are thought to be organized into departments of their own: while one unit is aimed at military targets and intelligence activities, another is aimed at financial gain.
North Korean hackers have become particularly adept at targeting weak links in the financial system. Their targets are the banking systems of developing countries, especially those in Southeast Asia…
Vitaly Kamluk of cybersecurity company Kaspersky Lab said they detected Korean-language coding in malware used by the Lazarus Group, and that the “short-term IP addresses” used during a series of attacks in Europe and Central America in 2017 were linked to the group. He said this definitively proved that the organization is North Korea-based.
THE FIRST SUSPECT IDENTIFIED
In recent years, the FBI identified the person suspected of being a member of the Lazarus Group as Park Jin-hyok, also known as Pak Jin-hek and Park Kwang-jin.
The FBI found that Park Jin-hyok, after graduating from one of the country’s best universities, started working in the office of the North Korean company Chosun Expo in the Chinese port city of Dalian.
Digital traces showed that Jin-hyok was located in Dalian from 2002 to 2014, and that he carried out his internet activities from Pyongyang, the capital of North Korea, after that date. The FBI, pursuing Jin-hyok, obtained his CV and a photograph of the suspect from Chosun Expo.
The FBI believes that Jin-hyok, thought to be in his 30s, programmed games during the day and hacked at night.
THEY ARE TRYING TO RECOVER THE STOLEN MONEY
Since the heist, Philippine authorities have managed to recover approximately one-fifth of Bangladesh Bank’s stolen money. Experts think that millions of dollars stolen were transferred through Macau, a former Portuguese colony. It is known that Macau has had an important financial corridor between North Korea and the outside world for many years.
Bangladesh Bank is working to reduce the loss as much as possible. Bangladeshi authorities announced that they would file a lawsuit against RCBC, one of the largest universal banks in the Philippines, on the grounds that the bank made the payments even though the Swift payment instructions were suspicious. Bangladesh Bank also left open the option of confidential settlements to recover the money it lost.
Carolyn Maloney, Chairperson of the Oversight and Reform Committee of the House of Representatives in the United States, announced that they developed a new bill following the cyber attack in Bangladesh. Accordingly, the Fed has created a hotline available 24/7 to combat such emergencies.
Aiming to introduce an international transparency rule for casinos, the US House of Representatives has mandated that every bet over 100 thousand dollars be reported to the “Money Laundering and Prevention Council”.
The purpose of putting money in casino accounts is to prevent it from being traced. Once the money is converted into casino chips, played with, and then converted back into cash, it becomes almost impossible to trace.
THE ONLY PERSON DETAINED IN THE CASE
Going after the Lazarus Group, the FBI is trying to catch the cyber hackers one by one with the help of Kyung-jin Kim, the bureau chief in Korea. To date, a lawsuit has been filed against only one person who is thought to have a hand in the robbery.
A person named Maia Santos-Deguito, who was tried on multiple money laundering charges, was sentenced to 14 years in prison. Park Jin-hyok, another name found to be linked to the Lazarus Group, is thought to manage a group of North Korean computer programmers in Dalian, China.
Authorities investigating the case think that the money transferred to Macau was sent to Pyongyang via couriers. Therefore, digital tracking of money stops after a certain point.
Authorities state that an attack of this magnitude will not be the last and that there is an extremely high probability that hackers have entered other systems and “gone to sleep” there. Filipino senator Sergio Osmena warned of possible future disasters:
“We never find out who is really behind this. Moreover, it does not seem possible to determine what their real goals are.”