Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime

Report: DOJ Sees Bangladesh Heist Tie to North Korea

Security Experts Have Been Suggesting the Same Thing for Months

The U.S. Justice Department is preparing to charge multiple "Chinese middlemen" with helping to orchestrate the February 2016 theft of $81 million from the central bank of Bangladesh, the Wall Street Journal reports. The alleged middlemen have ties to the government of North Korea, but officials with knowledge of the investigation say those connections might be tough to prove in court, the newspaper reports.

Thus, the U.S. government appears to have evidence - and likely, classified intelligence - that ties the Democratic People's Republic of Korea to the Bangladesh Bank heist.

The crime was perpetrated via malware installed on the bank's computers, which allowed attackers to inject fraudulent money-moving requests into the SWIFT interbank messaging network. Those messages instructed the Federal Reserve Bank of New York to move money out of Bangladesh Bank's accounts and into five accounts held at Rizal Commercial Banking Corp. in the Philippines. Investigators have recovered all but $81 million, which remains missing and appears to have been laundered via casinos in the Philippines.

The potential connection between the Bangladesh Bank heist and North Korea has long been suggested by information security experts.

Indeed, based on a review of malware and tactics used in the Bangladesh Bank heist, and their overwhelming similarity to attack tools and tactics used in the 2014 Sony Pictures Entertainment attack, Mikko Hypponen, chief research officer at Finnish security firm F-Secure, said at a London cybersecurity conference last year: "Now I'm not saying that North Korea did the SWIFT attack, but North Korea did the SWIFT attack."

Eric Chien, an engineer with security firm Symantec, tells the Wall Street Journal: "The whole security community has said that the attack tools and techniques used in Sony are the same ones used in Bangladesh."

Investigators at BAE Systems report that the attack code and techniques are also the same as ones used against an unnamed commercial bank in Vietnam. They note that the attack code doesn't appear to be for sale on the cybercrime underground, further bolstering the theory that it's controlled by a single group (see Inside Look at SWIFT-Related Bank Attacks).

Snowden Leaks Shed Light

The FBI attributed the Sony breach to North Korea, which many security experts initially questioned, asking to see the technical indicators used to arrive at that conclusion. But documents leaked by former National Security Agency contractor Edward Snowden showed that U.S. intelligence agencies, with the help of South Korea, had infiltrated systems used by suspected North Korean agents, and would thus have been able to watch attacks unfold (see How NSA Hacked North Korean Hackers).

Asked about a potential link between the Sony and Bangladesh Bank attacks, Richard Ledgett, NSA deputy director, said in a March 21 panel discussion at the Aspen Institute that he was "optimistic" that such a connection existed, the Wall Street Journal reports. "If that linkage is true, that means a nation-state is robbing banks," he said. "That is a big deal; it's different."

Why Rob a Bank?

Desperation is one potential answer to the question of why a nation-state would resort to robbing banks. If the Bangladesh Bank heist had gone completely according to plan, attackers would have walked away with $951 million. That's the equivalent of one-fortieth of impoverished North Korea's 2014 estimated gross domestic product, or one-quarter of the $4 billion stored in overseas bank accounts that South Korean intelligence agencies estimate leader Kim Jong-un inherited from his father, Kim Jong-il.

"Is this North Korea trying to fix their budget deficit by trying to steal from the rest of the world?" Hypponen asked last year. "Maybe it is."

Tough Times for North Korean Banks

In other North Korean banking news, SWIFT said last week that it was disconnecting the last four North Korean banks that were still connected to its money-transfer communications network.

"The DPRK banks remaining on the network are no longer compliant with SWIFT's membership criteria. As a result, these entities will no longer have access to the SWIFT financial messaging service," SWIFT said in a statement. "Given the increased ongoing international attention on the DPRK, SWIFT has informed the Belgian and EU authorities."

A spokesman for the European Commission told Reuters that despite increasing pressure on North Korea over the country's nuclear program and missile tests, the move to block the nation's banks "is a commercial matter for SWIFT," adding that European officials "do not interfere in the business decisions of any such company."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
