This week the BBC released an investigative report detailing how North Korean hackers planned a $ 1 billion raid on the National Bank of Bangladesh in 2016 and were almost entirely successful. The cyber attack, known as the Bangladesh bank robbery, showed how hackers navigated the global banking system and used administrative loopholes to carry out a well-planned attack to remit millions of dollars. It was one of the biggest cyber thieves in the world.
The bank robbery in Bangladesh: How the robbery came about
According to the BBC investigation, the attack occurred between February 4 and 7, 2016. The timing was carefully planned to take advantage of the time difference between Dhaka and New York City and the working hours in the two cities, including a weekend on different days fell on the day of the attack.
The hackers, believed by American investigative authorities to be linked to North Korea, used fraudulent orders through the SWIFT payment system to steal $ 951 million, almost all of the money in that account, from Bangladesh’s central bank account. The hackers used an account with the Federal Reserve Bank in New York and managed to steal $ 81 million that was transferred to accounts at Manila-based Rizal Commercial Banking Corporation.
So how did the hackers actually infiltrate the Bangladesh Bank’s systems?
The BBC reports point to an ordinary office printer that was located in a “highly secure room on the 10th floor of the bank’s main office in Dhaka” and allegedly not working. This printer was specifically used to print bank transaction records valued at millions of dollars. On February 5, 2016, bank employees discovered that the printer was not working but assumed it was a technical error and it happened quite often.
According to the BBC report, investigations later revealed that this defective printer was the first indication that the hackers had broken into Bangladesh Bank’s computer systems to steal $ 1 billion. “When the bank staff restarted the printer, they received very disturbing news. This resulted in urgent news from the Federal Reserve Bank in New York – the “Fed” – with which Bangladesh has a US dollar account. The Fed had apparently received instructions from the Bangladesh Bank to empty the entire account – nearly a billion dollars, “the BBC report said.
Bank officials immediately tried to contact the Federal Reserve Bank in New York for more information, but couldn’t get through. Because when the hackers started work on February 4th around 8:00 p.m. Bangladesh time, it was morning in New York City. The next day, February 5th, was Friday, the report said, the beginning of the weekend in Bangladesh when the Bangladesh Bank headquarters in Dhaka will officially close. When the hack was discovered in Dhaka, the weekend in New York City was already starting when the offices were closed.
The detailed planning of the hack became apparent when investigations revealed that the hackers had deliberately chosen that very week in February 2016 to carry out their hack. This weekend the Lunar New Year began in East and Southeast Asia as well. When the money was transferred to the banks in Manila on February 8th, it marked the beginning of a major national holiday there.
“By taking advantage of the time differences between Bangladesh, New York and the Philippines, the hackers had planned a clear five-day run to get the money away,” the BBC report explains.
The report also looked at how the hackers managed to access the printer in the secure room of the Bangladesh Bank. That happened almost a year before the actual hack, the report says. “They had a lot of time to plan all this, because it turned out that the Lazarus group had been lurking in the computer systems of the Bangladesh Bank for a year.”
“In January 2015, a harmless looking email was sent to several employees of the Bangladesh Bank. It came from a job seeker who called himself Rasel Ahlam. His polite request included an invitation to download his résumé and cover letter from a website. In reality, Rasel did not exist – he was just a code name used by the Lazarus group, according to FBI investigators, ”the report said.
“At least one person in the bank fell for the trick, downloaded the documents and contracted the viruses hidden in them. Once inside the bank’s systems, the Lazarus group began to secretly hop from computer to computer in order to work their way to the digital safes and the billions of dollars they contain. “
The actual emptying of the accounts did not occur until a year later, the report said, because the hackers were taking the next steps and planned to remove the money in such a way that it could no longer be accessed.
The BBC investigation tried to piece together the sequence of events after the money was sent to the banks in Manila and just before they were withdrawn. “The RCBC Bank branch in Manila that the hackers wanted to send $ 951 million to was on Jupiter Street. There are hundreds of banks in Manila that the hackers could have used, but they chose this one – and the decision cost them hundreds of millions of dollars, “the BBC investigation said.
“The transactions … were held up at the Fed because the address used on one of the orders contained the word ‘Jupiter’, which is also the name of a sanctioned Iranian ship.”
This resulted in an automatic verification of payment transfers that were suspended due to the sanctions imposed. But the BBC investigation explains that not all transfers were automatically stopped: “Five transactions worth $ 101 million have passed this hurdle.” The hackers would have had access to the entire $ 101 million, which was no small amount, even if it wasn’t originally planned.
According to the investigation, of the $ 101 million, “$ 20 million was transferred to a Sri Lankan charity called the Shalika Foundation, which the hackers’ accomplices set up as a conduit for the stolen money. But that transfer was also stopped because the hackers accidentally made a spelling mistake – they wrote Foundation as a foundation – when filling in the name of the Sri Lankan charity. This means that the hackers only managed to transfer $ 81 million.
Newsletter | Click here for the best explainer of the day in your inbox
Retrieval attempts by the Bangladesh Bank Bank
Even before the BBC investigation, investigative authorities had confirmed until 2019 that the money had been withdrawn from the Manila banks, after which it disappeared in the casino industry in the Philippines. The report looks at the complex money laundering process used by the hackers to break the traceability chain targeting Manila’s casinos.
“The idea of using casinos was to break the traceability chain. Once the stolen money was turned into casino chips, played across the tables, and turned back into cash, it was almost impossible for investigators to trace, ”the report said.
The Bangladesh Bank realized hours after the money was stolen that the massive robbery had occurred and began taking steps to get it back, a process that would be very challenging.
They managed to trace the money back to Manila’s casinos and get back $ 16 million from a man, the BBC report said. But the remaining $ 34 million was still quickly gone. Investigators found that much of the remaining money was transferred to Macau, another gambling hotspot, and from there to North Korea. Investigators found that most of the hackers involved in the cyber robbery and other similar actions that the US considers cybercrime were located in Chinese border towns near the Sino-North Korean border.
Get the money back
In 2018, the FBI filed a criminal complaint against Park Jin Hyok, a North Korean national, “for his involvement in a conspiracy to carry out multiple destructive cyberattacks around the world that resulted in massive damage to computer hardware and extensive data loss,” money and other resources, ”according to public documents released by the US Department of Justice.
The complaint accused Park of working for the North Korean government and of engaging in “malicious activities” including “creating the malware used in the 2017 global ransomware attack, WannaCry 2.0; the theft of $ 81 million from Bangladesh Bank in 2016; the 2014 attack on Sony Pictures Entertainment (SPE); and numerous other attacks or interventions in the entertainment, financial services, defense, technology and virtual currency industries, science and electricity. “
At the time, U.S. First Assistant Attorney Tracy Wilkison said that “The lawsuit accuses members of this North Korea-based conspiracy to be responsible for cyberattacks that have caused unprecedented economic damage and disruption to businesses in the United States and around the world “. . “
In 2019, Bangladesh filed a lawsuit in a U.S. court against Rizal Commercial Banking Corp (RCBC) over the Philippine bank’s alleged role in the largest cyber attack. The RCBC counterclaimed Bangladesh Bank, claiming its reputation had been subject to ongoing “malicious and public attack” by the bank and seeking at least $ 1.9 million in damages. The New York Federal Reserve promised to help Bangladesh get the money back, but the process is making little progress.
Days after the raid, Bangladesh’s then finance minister, AMA Muhith Atiur Rahman, called on the governor of the Bangladesh Bank, under whose supervision the raid took place, to resign. The cyber attack had embarrassed the government of Bangladesh.
Bangladesh and North Korea have bilateral relations, and North Korea has an embassy in Dhaka. Bangaldesh’s embassy in China represents the country in Beijing and Pyongyang.