
12/2/2018 Phishing Opened Door To Bangladesh Bank Heist | PYMNTS.com

Anatomy Of A Bank Heist, SWIFT-ly Done By Phishers
By PYMNTS
Posted on September 17, 2018

In 2016, $81 million disappeared from Bangladesh’s central bank. It could have been a lot worse — hackers tried to get away with $1 billion. U.S. court filings this month may have revealed whodunit — and how. The cyberattack made off with the bucks via bits and bytes, using SWIFT to issue fraudulent instructions.


Phishers caught a big one — any way it’s sliced, $81 million is a big haul. The fraudsters who
hacked their way into the Bangladesh central bank two years ago got there by getting into
software tied to the SWIFT financial platform.

The way they got there? By casting a line by email, of course, offering a cautionary tale for anyone
who sees a link they are quick to click.

The Background

https://www.pymnts.com/news/security-and-risk/2018/bangladesh-bank-heist-swift-phishing-scam-fraud-doj/ 1/4

Earlier this month, the Department of Justice unveiled a criminal complaint that showed just how hackers (allegedly) work on a global scale, and to the tune of hundreds of millions of dollars in ill-gotten gains.

The particulars of the complaint: The Justice Department charged Park Jin Hyok of North Korea for involvement in a slew of cyberattacks conducted globally. Park, said the complaint, was part of a hacker group backed by the North Korean government (where operations were conducted in part through Chosun Expo Joint Venture, a state-owned entity), and the charges unsealed by the United States tied him to other attacks, including the headline-grabbing 2017 WannaCry 2.0 global ransomware attack and the 2014 attack on Sony Pictures Entertainment.

“The conspiracy targeted computers belonging to entertainment companies, financial institutions [FIs], defense contractors and others for the purpose of causing damage, extracting information and stealing money,” alleged the filing.

Per Nathan Shields, special agent with the FBI, the details of the conspiracy and the hack(s) come
from multiple sources, spanning activities such as analyzing compromised victim systems and
executing approximately 100 search warrants across 1,000 email and social media accounts.
There were also 85 formal requests for evidence sent to foreign countries, Shields testified in the
complaint.

Park is being charged by the U.S. government with one count of conspiracy to commit computer
fraud and abuse. That charge carries a maximum sentence of five years in prison. Additionally,
there is one count of conspiracy to commit wire fraud — a charge that could lead to a maximum
sentence of 20 years in prison.

The heists appear designed to get as much cash as possible. As The New York Times recapped,
the cash needs of North Korea are real, as several countries will not forge economic relationships
with the country.

Of interest to those who are observers and participants in the payments space, and as detailed in the report: The theft of $81 million from the Bangladeshi central bank could have been a lot worse — as much as $1 billion or more would have been pilfered if there had not been a spelling error (more on that in a moment).

The Methods

Writ large, the attack and entrée into the Bangladesh Bank two years ago took place by sending phishing emails to employees of the bank and — upon snaring some unwitting victims — gaining access to the bank’s network, which enabled the attackers to send messages via SWIFT.

This might seem an old-fashioned trick in this digital age, but efficient and effective nonetheless.


“While some of the work referenced in Chosun Expo Account messages involved non-malicious programming-for-hire, operational accounts connected to those Chosun Expo Accounts were used for researching hacking techniques, reconnaissance of victims and, ultimately, sending spear-phishing messages to victims” that included the Sony Pictures and Bangladesh hacks, said the complaint. It added later, in its description of methodology, that Park and peers used North Korean IP addresses to ply their trade.

The Bangladesh Bank Hack

The complaint, noting Park and Chosun Expo Joint Venture (though only Park was indicted), said
the attacks “targeted and then executed the fraudulent transfer of $81 million from Bangladesh
Bank, the central bank of Bangladesh, in February 2016 — the largest successful cybertheft from
a financial institution to date.”

Chosun also plied its trade from locations in China (where Park was based from 2011 to 2013),
according to the complaint. Chosun funneled money and manpower to the North Korean hacking
organizations by doing legitimate tech-focused work from China. The complaint alleged that
customers were aware the Chosun employees “were North Korean computer programmers
connected to the government.”

The Bangladesh theft could have come closer to $1 billion, but beyond the $81 million that had
been drained and before another $900 million could be taken, an alert official took note that
“foundation” was spelled “fandation” and the transaction was halted, per news reports at the time.

“Technical similarities” also connect the malware used in attacks against SPE, Bangladesh Bank, other FIs, defense contractors (among other actual and intended victims) and the WannaCry ransomware. Those technical similarities spanned malware functionality, common encryption keys and domains programmed into the malware.

The complaint said that hackers — at around the same time as attacks were being waged on Sony — began attacking FIs, looking to steal money. The attacks used some of the same email accounts that had been used in efforts against Sony and targeted the local networks of those banks (where victims included Bangladesh Bank, a bank in Vietnam, a bank in Africa and a bank in Southeast Asia), using the SWIFT system to communicate payment instructions.

Initial efforts stretching back to 2014 involved “reconnaissance” of the banks and spear-phishing
messages using Gmail accounts, where the hackers acted as individuals seeking job interviews
with emails containing links to malware. The hackers, noted the filing, “were successful in causing
recipients at Bangladesh Bank to download the payload from their spear-phishing emails.”

Upon success with the phishing, the hackers “moved through the bank’s network” to access
computers that victimized banks used to send and receive messages over SWIFT systems. With
the computer access, the filing said, the hackers were able to impersonate bank employees who
were authorized to create and transmit messages across the SWIFT system. Then came the
fraudulent SWIFT messages, done through remote access, where the hackers gained access to
the Bangladesh Bank’s computer terminals that interfaced with the SWIFT system. The messages
were designed to look like authentic SWIFT communications.

The bad guys were able to use malware that interfered with bank processes that typically create
document confirmation and use Oracle databases to retain records of messages sent via SWIFT,
“then used other malware to delete evidence of those concealing activities,” noted the filing.
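The two records the malware is described as tampering with (the Oracle message database and the printed document confirmations) are exactly the records a bank would otherwise use to notice that instructions it never authorized had gone out. The following Python script is an added illustration, not code from the article, the complaint, SWIFT or Bangladesh Bank, of the defender's control that such tampering aims to defeat: reconciling an independent, append-only record of what the messaging gateway actually transmitted against the database rows and confirmation printouts that an attacker on the operator workstation can alter. It also flags beneficiary names that are near-misses of an approved name, the kind of misspelling the article credits with halting the remaining transfers. The record layouts, field names, sample entries and the two-edit threshold are all constructed assumptions.

```python
"""Reconcile what the messaging gateway transmitted against tamperable bank records.

Added illustration (constructed layouts and sample data; assumptions, not any
bank's or SWIFT's real formats). Three sources are compared:
  1. TRANSMITTED: an append-only gateway record the operator workstation cannot alter
  2. DATABASE:    the message database rows an attacker on the workstation can delete or edit
  3. PRINTED:     message ids for which a confirmation hard copy was actually printed
plus APPROVED_BENEFICIARIES, the bank's static list of known beneficiary names.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Discrepancy:
    msg_id: str
    reason: str


# Constructed sample: what the gateway actually sent.
TRANSMITTED: List[Dict] = [
    {"id": "MSG-0001", "amount": 250000.00, "beneficiary": "EXAMPLE FOUNDATION"},
    {"id": "MSG-0002", "amount": 20000000.00, "beneficiary": "EXAMPLE FANDATION"},
    {"id": "MSG-0003", "amount": 30000000.00, "beneficiary": "NOMINEE ACCOUNT LTD"},
]
# Constructed sample: the database after tampering (0002 deleted, 0003 amount altered).
DATABASE: List[Dict] = [
    {"id": "MSG-0001", "amount": 250000.00, "beneficiary": "EXAMPLE FOUNDATION"},
    {"id": "MSG-0003", "amount": 30000.00, "beneficiary": "NOMINEE ACCOUNT LTD"},
]
# Constructed sample: only one confirmation reached the printer.
PRINTED: Set[str] = {"MSG-0001"}
# Constructed sample: the bank's pre-approved beneficiaries.
APPROVED_BENEFICIARIES: Set[str] = {"EXAMPLE FOUNDATION"}

NEAR_MATCH_EDITS = 2  # assumption: names within two edits of an approved name are "near-misses"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def reconcile(transmitted: Iterable[Dict], database: Iterable[Dict],
              printed: Set[str], approved: Set[str]) -> List[Discrepancy]:
    """Return every disagreement between the gateway record and the tamperable records."""
    by_id = {row["id"]: row for row in database}
    findings: List[Discrepancy] = []
    for msg in transmitted:
        mid = msg["id"]
        row = by_id.get(mid)
        if row is None:
            findings.append(Discrepancy(mid, "transmitted but no database record"))
        elif (row["amount"], row["beneficiary"]) != (msg["amount"], msg["beneficiary"]):
            findings.append(Discrepancy(mid, "database record differs from transmitted message"))
        if mid not in printed:
            findings.append(Discrepancy(mid, "transmitted but no printed confirmation"))
        name = msg["beneficiary"]
        if name not in approved:
            if any(edit_distance(name, ok) <= NEAR_MATCH_EDITS for ok in approved):
                findings.append(Discrepancy(mid, "beneficiary not approved (near-match to an approved name)"))
            else:
                findings.append(Discrepancy(mid, "beneficiary not in approved list"))
    return findings


def flagged_ids(findings: Iterable[Discrepancy]) -> Set[str]:
    """Message ids that need a human to look at them before anything else is released."""
    return {f.msg_id for f in findings}


if __name__ == "__main__":
    for f in reconcile(TRANSMITTED, DATABASE, PRINTED, APPROVED_BENEFICIARIES):
        print(f"{f.msg_id}: {f.reason}")
```

The point of the design is that the comparison anchors on a record the operator workstation cannot write to; deleting database rows or suppressing printouts then produces findings instead of silence. Run against the constructed data, the clean message MSG-0001 produces no findings, while MSG-0002 and MSG-0003 each surface as missing or altered in the database, unconfirmed on paper, and paid to a beneficiary the bank has not approved.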

“Each of those SWIFT messages directed the Federal Reserve Bank of New York to transfer funds
from Bangladesh Bank’s account, held in U.S. dollars there, to the specified accounts in the
Philippines (and Sri Lanka) via specific U.S. correspondent banks,” said the complaint.

Thus, the heist against Bangladesh Bank in February 2016 saw $81 million routed to accounts in
the Philippines, and $20 million routed to Sri Lanka — in the latter case, the recipient bank
stopped the transaction. That $81 million that did make it to the Philippines (and where the
accounts were not held at the aforementioned hacked bank in the Philippines), said the filing, was
laundered through several bank accounts and a money remittance firm, in addition to casino
junkets. Obviously, some forethought was at work here: The bank accounts that received the
plundered funds had been set up in May 2015, tied to fictitious names.

To date, only a limited amount (roughly $15 million as of the beginning of this year) of that $81
million has been recovered.


