In February 2016, the world witnessed one of the most audacious cyber heists in history. An unknown attacker, later identified as the North Korean hacker group known as the Lazarus Group, infiltrated the Bangladesh Bank’s SWIFT payment system and attempted to steal $951m. They successfully diverted $81m to accounts in the Philippines, which remains unaccounted for.
The cybercriminals used sophisticated malware tailored to interact with the local SWIFT Alliance Access software running in the bank’s infrastructure. This allowed them to send forged payment instructions and cover their tracks, delaying the detection and response to the attack and providing more time for money laundering. The malware was configurable and could potentially be used for similar attacks in the future.
The first sign of trouble was a malfunctioning printer in the bank, which was supposed to print out records of the multi-million-dollar transfers flowing in and out of the bank. When the printer stopped working on the morning of February 5, 2016, the bank staff assumed it was a common technical glitch. However, this was the first indication that the bank was under attack.
The hackers had been lurking inside Bangladesh Bank’s computer systems for a year, having gained access through a phishing email sent to several bank employees in January 2015. Once inside, they began hopping from computer to computer, working their way towards the digital vaults and the billions of dollars they contained.
The heist was meticulously planned. The hackers exploited time differences between Bangladesh, New York, and the Philippines to ensure a clear five-day run to get the money away. The attack started around 20:00 Bangladesh time on Thursday, February 4. But in New York, it was Thursday morning, giving the Federal Reserve Bank plenty of time to unwittingly carry out the hackers’ wishes while Bangladesh was asleep.
The next day, Friday, was the start of the Bangladeshi weekend, which runs from Friday to Saturday. So the bank’s HQ in Dhaka was beginning two days off. And when the Bangladeshis began to uncover the theft on Saturday, it was already the weekend in New York. This careful timing delayed the discovery of the heist by almost three days.
The hackers also manipulated the printer software to prevent it from printing out records of the fraudulent transactions, further covering their tracks. At 20:36 on Thursday, February 4, 2016, they began making their transfers – 35 in all, totaling $951m, almost the entire contents of Bangladesh Bank’s New York Fed account.
The stolen funds were wired to accounts set up in Manila, the capital of the Philippines. The accounts had been set up months earlier at a branch of RCBC, one of the country’s largest banks. The money was transferred between accounts, sent to a currency exchange firm, swapped into local currency, and re-deposited at the bank. Some of it was withdrawn in cash.
The stolen money was then laundered through Manila’s glitzy casino scene. Once the stolen money had been converted into casino chips, gambled over the tables, and changed back into cash, it would be almost impossible for investigators to trace it.
The Bangladesh Bank heist was a wake-up call for the global banking industry, highlighting the vulnerability of the SWIFT system and the need for improved cybersecurity measures. The bank’s governor was asked to resign in the aftermath of the heist, and the incident led to increased scrutiny of the Philippines’ banking and casino industries.
The MITRE ATT&CK TTPs associated with this attack include:
- T1193: Spearphishing Attachment
- T1114: Email Collection
- T1055: Process Injection
- T1057: Process Discovery
- T1060: Registry Run Keys / Startup Folder
- T1105: Remote File Copy
- T1027: Obfuscated Files or Information
- T1036: Masquerading
- T1005: Data from Local System
- T1022: Data Encrypted
The Bangladesh Bank heist serves as a stark reminder of the potential impact of cybercrime and the importance of robust cybersecurity measures. It underscores the need for constant vigilance, regular system updates, employee training, and the implementation of advanced threat detection and response systems.
- Two Bytes to $951m
- Bangladesh Bank Heist: Lessons In Cyber Vulnerability
- Neighborhood Watch: Identifying Early Indicators of the Central Bank of Bangladesh Heist
- Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies
- International Banks Are in Trouble: Bangladeshi Bank Attacks
The event is also the focus of a new movie: