CTI Report: Lazarus/APT38 tradecraft against SWIFT Alliance Access and downstream laundering via Manila
1. Executive Summary
In early February 2016, attackers attributed to North Korea’s Lazarus Group compromised Bangladesh Bank’s SWIFT-connected environment and attempted to move $951m via fraudulent payment instructions, successfully diverting $81m to accounts in the Philippines. (Reuters)
Open-source technical reporting indicates the operation relied on bespoke malware that interacted with SWIFT Alliance Access artefacts and an associated database to suppress evidence, including manipulating local SWIFT message records and interfering with printing of confirmations, delaying detection and increasing the laundering window. (baesystemsai.blogspot.com)
The incident drove material policy and control changes across the ecosystem, including SWIFT’s Customer Security Programme (CSP) and mandatory customer security requirements, alongside Philippine anti-money laundering reforms targeting casinos and subsequent prosecutions linked to the laundering chain. (Swift)
2. Contextual Background
2.1 Threat description and affected systems
The intrusion targeted Bangladesh Bank’s SWIFT payment environment, specifically the bank-operated systems used to originate and process SWIFT messages via SWIFT Alliance Access. Public reporting and official filings describe the attackers issuing fraudulently authenticated SWIFT messages instructing the movement of funds from Bangladesh Bank’s account at the Federal Reserve Bank of New York (FRBNY). (Department of Justice)
A defining feature was the attackers’ focus on the customer-side control plane: local SWIFT message artefacts, local database records, and operational reconciliations, rather than compromise of SWIFT’s core network services. (Swift)
2.2 Threat actor attribution
Confirmed (High confidence): Lazarus Group (North Korea)
US Department of Justice filings relating to North Korean operators reference the Bangladesh Bank theft as part of a broader cyber campaign attributed to North Korea-linked actors commonly tracked as “Lazarus Group” in the private sector. (Department of Justice)
Likely (Moderate confidence): APT38 as the financially focused cluster within the North Korea nexus
The FireEye/Mandiant report APT38: Un-usual Suspects describes APT38 as a North Korea regime-backed group specialising in financially motivated operations against banks and SWIFT endpoints, and is widely used in industry reporting to describe the mission set aligned to bank theft. (services.google.com)
Unconfirmed reporting: Reuters cited a forensics report referring to “Group Zero” in connection with post-heist investigative work, but this label is not a consistent industry attribution and should be treated as reporting on a leaked investigative artefact rather than a definitive actor name. (Reuters)
2.3 Sector and geographic targeting
The campaign sits squarely in financial services, exploiting SWIFT-connected operational workflows (payments initiation, confirmations, reconciliation, and reporting). The operational path spanned Bangladesh (originating bank operations), New York (correspondent and settlement), and the Philippines (beneficiary accounts and laundering), with the laundering phase leveraging Manila’s remittance and casino ecosystem. (Reuters)
3. Technical Analysis
3.1 Initial access and dwell time
Per the incident narrative used for this report, initial access was obtained via a phishing email sent to multiple bank employees in January 2015, followed by approximately one year of internal reconnaissance and lateral movement to reach the SWIFT operating environment. (This report treats that timeline as authoritative as provided.)
Reuters and other public reporting align with the broader conclusion that the attackers gained control of credentials and systems used to access SWIFT-related tooling. (Reuters)
3.2 Fraudulent SWIFT payment instructions (outbound payment orders)
Reuters’ investigative reconstruction indicates the attackers began sending fraudulent payment orders via SWIFT on Thursday 4 February 2016, timed to maximise operational delay across Bangladesh’s weekend and US business hours. (Reuters)
SWIFT message type note (scope-limited by open sources):
Open reporting consistently describes “payment orders” and “fraudulent SWIFT messages”, but does not consistently publish the exact outbound MT message types used for the transfer instructions in this case. This report therefore avoids asserting specific outbound MT types without primary confirmation. (Reuters)
3.3 Manipulation of SWIFT confirmations and local message stores (inbound traffic, anti-forensics)
The clearest technical detail in public reporting relates to local tampering of SWIFT FIN confirmations and records within the customer environment.
3.3.1 Targeting MT900 debit confirmations
BAE Systems’ reverse engineering of malware linked to the heist documents explicit parsing of messages containing the string “FIN 900 Confirmation of Debit”, extraction of key values including the Field 20 transaction reference, and use of those values to identify and remove records. (baesystemsai.blogspot.com)
For context, MT900 is a SWIFT advice message used to notify the account owner of a debit entry. (IBM)
3.3.2 Subverting Alliance Access database controls (two-byte in-memory patching)
BAE describes malware that identifies when an Alliance Access Oracle-related module is loaded (referencing liboradb.dll) and applies a minimal in-memory modification (“two bytes”) to bypass an internal check, enabling subsequent database actions to proceed. (baesystemsai.blogspot.com)
3.3.3 Deleting message records in the Alliance Access database
BAE’s analysis details the malware’s workflow to obtain unique message identifiers and issue DELETE statements against message and text tables associated with the local SWIFT message store, executed via sqlplus with elevated database privileges. US DOJ filings also describe malware configured to access the SWIFT message-record database and delete messages tied to the fraudulent transactions as part of cover-up activity. (baesystemsai.blogspot.com)
3.3.4 Balance and reconciliation artefact manipulation
BAE additionally reports functionality to manipulate balance- and amount-related values by updating both numeric fields and message text blocks in local records, reducing the probability of detection during reconciliation. (baesystemsai.blogspot.com)
3.3.5 Printer-output interference
Operationally, the first anomaly observed internally was a printer failure on the morning of 5 February 2016, affecting printing of transfer records. BAE describes a mechanism that converts message content into printer-ready files and uses legitimate utilities to print “doctored” output, then overwrites intermediate artefacts to hinder recovery. (baesystemsai.blogspot.com)
3.4 Timing and operational sequencing
Reuters documents timing consistent with deliberate exploitation of time-zone gaps and weekends: transfers initiated late evening Bangladesh time on 4 February, Bangladesh weekend beginning on Friday, and the New York weekend delaying responsive coordination after discovery. (Reuters)
3.5 Laundering chain (Philippines)
Public reporting describes beneficiary accounts established in Manila at RCBC, movement through exchange/remittance mechanisms, and laundering through casinos to complicate tracing and recovery. (Reuters)
4. Impact Assessment
4.1 Severity and scope
- Attempted theft: $951m via 35 transfer instructions (per incident narrative and Reuters reporting). (Reuters)
- Confirmed diverted funds: $81m routed into the Philippines (per incident narrative and Reuters reporting). (Reuters)
- Operational impact: multi-day detection delay, executive fallout, and sustained reputational and trust impacts across correspondent banking and SWIFT-connected operations. (Reuters)
4.2 Victim profile
Primary victim: a central bank operating SWIFT Alliance Access-connected infrastructure to support international settlement. Broader risk profile: any institution operating SWIFT endpoints that lacks adequate network segmentation, privileged access control, integrity monitoring of message stores, or robust out-of-band reconciliation mechanisms. (Swift)
5. Indicators of Compromise (IOCs)
5.1 IOC table
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| File name | evtdiag.exe | Malware component described as interacting with local SWIFT message stores and database activity | BAE “Two Bytes to $951m” (baesystemsai.blogspot.com) |
| File name | evtsys.exe | Referenced in DOJ filing as associated component involved in deletion behaviour | US DOJ criminal complaint (Park Jin Hyok) (Department of Justice) |
| File name | gpca.dat | Described as decrypted configuration used to identify malicious transactions and filters | BAE “Two Bytes to $951m” (baesystemsai.blogspot.com) |
| Module | liboradb.dll | Oracle-related module referenced in BAE’s in-memory bypass description | BAE “Two Bytes to $951m” (baesystemsai.blogspot.com) |
| Process / utility | sqlplus | Used to execute database statements (including deletes) against the SWIFT message store | BAE “Two Bytes to $951m” (baesystemsai.blogspot.com) |
| File patterns | *.prc, *.fal | Message artefact files parsed by malware to locate targeted messages | BAE “Two Bytes to $951m” (baesystemsai.blogspot.com) |
| Message string | FIN 900 Confirmation of Debit | String used to locate targeted confirmations (MT900 context) | BAE “Two Bytes to $951m” (baesystemsai.blogspot.com) |
| Message field marker | 20: Transaction | Used to extract transaction reference (Field 20) | BAE “Two Bytes to $951m” (baesystemsai.blogspot.com) |
Note: No reliable, source-backed hashes, IPs, or domains were introduced here because they are not consistently published in the primary technical sources cited above.
5.2 Detection guidance
Controls and telemetry should prioritise integrity and provenance of SWIFT endpoint operations:
Host and application monitoring (SWIFT endpoint servers):
- Alert on unexpected execution of sqlplus and any database administration actions originating from application service accounts, especially attempts to delete SWIFT message records. (baesystemsai.blogspot.com)
- Monitor for creation/modification/deletion of SWIFT Alliance Access message artefacts (*.prc, *.fal) outside expected application workflows. (baesystemsai.blogspot.com)
- Detect unusual process behaviour consistent with module tampering or in-memory patching of Oracle-related components (where EDR supports module integrity and memory protection). (baesystemsai.blogspot.com)
Oracle auditing (where applicable to Alliance Access deployments):
- Enable database auditing for DELETE operations against SWIFT message and text tables, with alerting on anomalous volume or timing.
Print and reconciliation pipeline controls:
- Treat printing as a security-relevant output channel: monitor the processes responsible for generating and sending SWIFT confirmations to printers, and cross-check printed output against an independent reconciliation source. (baesystemsai.blogspot.com)
Example triage queries (adapt to your logging schema):
Windows / Sysmon (conceptual)
- Process creation where Image ends with \sqlplus.exe AND CommandLine contains "sysdba"
- Process creation where ParentImage is a SWIFT Alliance Access component but spawns unusual utilities
- File delete events for *.prc or *.fal under Alliance Access message directories
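The three conceptual queries above, implemented as triage rules over Sysmon-style events. This is an added example, not code from the original report or from any of the cited sources; the Alliance Access install directory, the component image names and the child-process allow-list are placeholders to be replaced with your own baseline, and the events are constructed samples.

```python
"""Triage rules for SWIFT endpoint telemetry (Sysmon Event ID 1 = process creation,
23/26 = file delete). Paths, component names and events below are constructed
placeholders, not the real Alliance Access layout."""
import fnmatch
from pathlib import PureWindowsPath

ALLIANCE_DIR = "c:\\alliance\\access\\"                       # assumed install dir
ALLIANCE_IMAGES = {"saa_server.exe", "saa_messaging.exe"}    # hypothetical components
EXPECTED_CHILDREN = {"saa_server.exe", "saa_messaging.exe", "java.exe"}  # assumed baseline
ARTEFACT_PATTERNS = ("*.prc", "*.fal")                        # message artefacts from the IOC table

def triage(event):
    """Return the names of every rule the event matches (empty list = no finding)."""
    hits = []
    if event["EventID"] == 1:
        image = PureWindowsPath(event["Image"]).name.lower()
        parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
        cmdline = event.get("CommandLine", "").lower()
        # Rule 1: privileged database client launched on the SWIFT endpoint
        if image == "sqlplus.exe" and "sysdba" in cmdline:
            hits.append("SQLPLUS_SYSDBA")
        # Rule 2: an Alliance component spawning something outside its baseline
        if parent in ALLIANCE_IMAGES and image not in EXPECTED_CHILDREN:
            hits.append("UNEXPECTED_CHILD_OF_ALLIANCE")
    elif event["EventID"] in (23, 26):
        target = event["TargetFilename"].lower()
        # Rule 3: deletion of message artefacts under the Alliance directory tree
        if target.startswith(ALLIANCE_DIR) and any(
                fnmatch.fnmatch(target, p) for p in ARTEFACT_PATTERNS):
            hits.append("ALLIANCE_ARTEFACT_DELETED")
    return hits

# Constructed sample events (illustrative only)
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": "C:\\oracle\\bin\\sqlplus.exe",
     "CommandLine": "sqlplus.exe / as sysdba", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"RecordId": 2, "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ParentImage": "C:\\Alliance\\Access\\bin\\saa_server.exe"},
    {"RecordId": 3, "EventID": 23, "Image": "C:\\Windows\\Temp\\unknown.exe",
     "TargetFilename": "C:\\Alliance\\Access\\msg\\0001.prc"},
    {"RecordId": 4, "EventID": 1, "Image": "C:\\Alliance\\Access\\bin\\java.exe",
     "CommandLine": "java.exe -jar saa.jar", "ParentImage": "C:\\Alliance\\Access\\bin\\saa_server.exe"},
    {"RecordId": 5, "EventID": 23, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\ops\\report.txt"},
]

def run(events):
    """Flatten findings to (RecordId, rule) pairs for alerting or review."""
    return [(e["RecordId"], h) for e in events for h in triage(e)]

if __name__ == "__main__":
    for record_id, rule in run(SAMPLE_EVENTS):
        print(record_id, rule)
```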
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Immediately isolate SWIFT endpoint servers from the broader enterprise network (retain power where possible to preserve volatile evidence).
- Revoke and rotate credentials used for SWIFT operations, including any local, domain, database, and service-bureau authentication, and force re-enrolment of MFA where available. (Swift)
- Validate the integrity of Alliance Access application binaries, configuration, message stores, and database contents against known-good baselines. (baesystemsai.blogspot.com)
- Reconcile SWIFT message traffic using independent sources (counterparty statements, FRBNY/correspondent confirmations) rather than relying solely on local logs or printouts. (Reuters)
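An added example (not code from the original report or from BAE/SWIFT) of the independent reconciliation recommended above, aimed at the two anti-forensic behaviours from 3.3.3 and 3.3.4: it parses MT900 confirmations (FIN block 4, keyed on Field 20 as the malware itself did) from the local message store and from an out-of-band correspondent feed, and reports references that are missing locally or whose :32A: amount disagrees. The messages are constructed samples, and the feed format is an assumption.

```python
"""Reconcile locally stored MT900 debit confirmations against an independent
correspondent-bank copy. All message texts below are constructed samples."""
import re
from decimal import Decimal

FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")
AMT_RE = re.compile(r"^(\d{6})([A-Z]{3})(\d+,\d*)$")   # :32A: = YYMMDD + CCY + amount

def parse_mt900(text):
    """Return {tag: value} for the fields in FIN block 4; :32A: becomes (date, ccy, Decimal)."""
    block = re.search(r"\{4:(.*?)-\}", text, re.S)
    fields, tag = {}, None
    for line in block.group(1).strip().splitlines():
        m = FIELD_RE.match(line)
        if m:
            tag = m.group(1)
            fields[tag] = m.group(2)
        elif tag:                     # continuation line of a multi-line field
            fields[tag] += "\n" + line
    date, ccy, amt = AMT_RE.match(fields["32A"]).groups()
    fields["32A"] = (date, ccy, Decimal(amt.replace(",", ".")))
    return fields

def reconcile(local_msgs, independent_msgs):
    """Compare the local store with the out-of-band feed, keyed on Field 20."""
    local = {m["20"]: m for m in map(parse_mt900, local_msgs)}
    findings = []
    for m in map(parse_mt900, independent_msgs):
        ref = m["20"]
        loc = local.pop(ref, None)
        if loc is None:
            findings.append((ref, "MISSING_LOCALLY"))      # deleted or never stored
        elif loc["32A"][1:] != m["32A"][1:]:              # currency or amount altered
            findings.append((ref, "AMOUNT_MISMATCH"))
    findings += [(ref, "UNCONFIRMED_LOCAL") for ref in local]  # only the endpoint knows it
    return findings

# Constructed sample traffic (illustrative references and amounts only)
INDEPENDENT_FEED = [
    "{4:\n:20:CORR0001\n:21:BBPAY001\n:25:ACCT001\n:32A:160204USD20000000,00\n-}",
    "{4:\n:20:CORR0002\n:21:BBPAY002\n:25:ACCT001\n:32A:160204USD81000000,00\n-}",
    "{4:\n:20:CORR0003\n:21:BBPAY003\n:25:ACCT001\n:32A:160204USD30000000,00\n-}",
]
LOCAL_STORE = [
    INDEPENDENT_FEED[0],                                                        # intact
    "{4:\n:20:CORR0002\n:21:BBPAY002\n:25:ACCT001\n:32A:160204USD81000,00\n-}",  # amount edited
    # CORR0003 has been deleted from the local store
]

def demo():
    return reconcile(LOCAL_STORE, INDEPENDENT_FEED)

if __name__ == "__main__":
    for ref, issue in demo():
        print(ref, issue)
```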
6.2 Forensic artefacts to preserve
- Full disk images of SWIFT endpoint systems, including Alliance Access directories containing message artefacts. (baesystemsai.blogspot.com)
- Database logs and audit trails (Oracle logs, listener logs, audit trails). (baesystemsai.blogspot.com)
- Print spooler logs and any application logs involved in confirmation printing. (baesystemsai.blogspot.com)
- Email gateway logs and mailboxes tied to the initial compromise vector (phishing), plus endpoint telemetry for lateral movement reconstruction.
6.3 Preventive lessons (operationally framed)
- Do not treat local SWIFT endpoint outputs (including print) as inherently trustworthy without independent reconciliation and integrity monitoring. (baesystemsai.blogspot.com)
7. Threat Intelligence Contextualisation
7.1 Related financially motivated North Korea operations
FireEye/Mandiant’s APT38 reporting characterises a broader pattern of bank-focused operations against financial institutions and SWIFT endpoints, supporting the assessment that Bangladesh Bank sits within a repeatable playbook targeting payment initiation and downstream laundering. (services.google.com)
Reuters also reported investigative linkages by forensics to other North Korea-attributed activity, contributing to the broader analytic context for Lazarus-linked financial operations. (Reuters)
7.2 MITRE ATT&CK mapping
The incident narrative provided includes a set of ATT&CK technique IDs that were common in 2016-era mappings. Some of those IDs have since been reorganised in ATT&CK; the table below links to current technique pages while retaining the legacy references where relevant. (Medium)
| Tactic | Technique ID | Technique Name | Observed behaviour |
|---|---|---|---|
| Initial Access | T1566.001 | Spearphishing Attachment (legacy: T1193) | Phishing email used to obtain initial foothold (per incident narrative) |
| Collection | T1114 | Email Collection | Post-compromise email access/collection listed in incident mapping |
| Defence Evasion | T1055 | Process Injection | Used to tamper with processes and execute covert logic (listed in mapping) |
| Discovery | T1057 | Process Discovery | Reconnaissance of running processes to identify SWIFT-related components (listed in mapping) |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder (legacy: T1060) | Persistence mechanism referenced in incident mapping |
| Command and Control | T1105 | Ingress Tool Transfer | Movement of tools into environment (listed in mapping) |
| Defence Evasion | T1027 | Obfuscated Files or Information | Obfuscation/configuration concealment (e.g., gpca.dat usage) (baesystemsai.blogspot.com) |
| Defence Evasion | T1036 | Masquerading | Malware and activity blending into legitimate SWIFT utilities/workflows (listed in mapping) |
| Collection | T1005 | Data from Local System | Collection of local artefacts (SWIFT message files, local records) (baesystemsai.blogspot.com) |
| Collection | T1560 | Archive Collected Data (legacy: T1022) | Legacy mapping includes “Data Encrypted”; ATT&CK crosswalk notes consolidation into archival techniques (Medium) |
8. Mitigation Recommendations
8.1 Hardening and monitoring priorities (SWIFT endpoints)
Align hardening to SWIFT’s CSP principles and mandatory controls framework:
- Strict segmentation of SWIFT endpoints from corporate networks, with minimal and monitored administrative pathways. (Swift)
- Privileged access management for OS and database accounts supporting Alliance Access, including strong separation of duties and elimination of shared credentials. (Swift)
- Application allow-listing on SWIFT endpoints to prevent unauthorised tooling execution (notably database clients and scripting utilities).
- Integrity monitoring for Alliance Access application directories and message stores, including detection for deletion/tampering patterns matching BAE-described behaviour. (baesystemsai.blogspot.com)
- Out-of-band verification for high-value transfers (independent reconciliation that cannot be altered by an attacker controlling the SWIFT endpoint). (Reuters)
8.2 Patch and security programme alignment
- Implement and evidence compliance with SWIFT’s mandatory customer security requirements and assurance framework, including annual attestation and control validation as required by SWIFT policy. (Swift)
- Operationalise rapid deployment of SWIFT security updates and vendor guidance for Alliance Access environments, as SWIFT and industry reporting highlighted software update and warning activity following the heist. (Reuters)
9. Historical Context & Related Control Failures
9.1 SWIFT ecosystem response (CSP and mandatory requirements)
Following 2016 fraud cases, SWIFT announced the Customer Security Programme to reinforce customer-environment controls and subsequently introduced mandatory customer security requirements with an assurance framework involving self-attestation against mandatory controls. (Swift)
9.2 Philippines AML response and enforcement
The laundering phase increased scrutiny on Philippine banking and casino controls. The Philippines enacted Republic Act No. 10927, designating casinos as covered persons under the Anti-Money Laundering Act, expanding AML obligations to a sector explicitly relevant to the laundering pathway described in this incident. (amlc.gov.ph)
Reuters also reported the conviction of a former RCBC branch manager on multiple counts of money laundering linked to the theft. (Reuters)
10. Future Outlook
Payment fraud targeting SWIFT endpoints remains structurally attractive to state-linked financially motivated operators because it combines (1) high-value transaction capability, (2) complex multi-jurisdictional recovery, and (3) an opportunity to attack the integrity of local evidence. The Bangladesh Bank case demonstrates that defenders must secure not just message origination, but also confirmation handling, local message storage, printing/reconciliation pipelines, and privileged database operations. (baesystemsai.blogspot.com)
As the industry continues migration towards richer payment formats and interoperability (including ISO 20022 ecosystems), adversaries are likely to retain the same operational goals: compromise endpoints, generate legitimate-looking instructions, and tamper with local records to delay detection. (This is an analytic assessment derived from the control failures and countermeasures documented in primary sources.) (Swift)
11. Further Reading
Primary technical analysis
Government and legal
- US DOJ criminal complaint: Park Jin Hyok (Department of Justice)
- US DOJ: 2021 indictment referencing Lazarus/APT38 naming (Department of Justice)
Investigative reporting
- Reuters Special Report: “How the New York Fed fumbled over the Bangladesh Bank cyber-heist” (Reuters)
- Reuters: SWIFT software compromise and warnings (Reuters)
- Reuters: conviction in Philippines laundering case (Reuters)
SWIFT security programme
- SWIFT: Customer Security Programme launch (Swift)
- SWIFT: mandatory customer security requirements and assurance framework (Swift)
Philippines AML reform
Film coverage