
4 March 2020

How North Korean Hackers Rob Banks Around the World


THE BILLS ARE called supernotes. Their composition is three-quarters cotton and one-quarter linen paper, a challenging combination to produce. Tucked within each note are the requisite red and blue security fibers. The security stripe is exactly where it should be and, upon close inspection, so is the watermark. Ben Franklin’s apprehensive look is perfect, and betrays no indication that the currency, supposedly worth $100, is fake.

Most systems designed to catch forgeries fail to detect the supernotes. The massive counterfeiting effort that produced these bills appears to have lasted decades. Many observers tie the fake bills to North Korea, and some even hold former leader Kim Jong-Il personally responsible, citing a supposed order he gave in the 1970s, early in his rise to power. Fake hundreds, he reasoned, would simultaneously give the regime much-needed hard currency and undermine the integrity of the US economy. The self-serving fraud was also an attempt at destabilization.

At its peak, the counterfeiting effort apparently yielded at least $15 million per year for the North Korean government, according to the Congressional Research Service. The bills ended up all over the world, allegedly distributed by an aging Irish man and laundered through a small bank in Macau. The North Koreans are believed to have supplemented the forging program with other illicit efforts. These ranged from trafficking opiates and methamphetamines to selling knockoff Viagra and even smuggling parts of endangered animals in secure diplomatic pouches. All told, the Congressional Research Service estimates that the regime at one point netted more than $500 million per year from its criminal activities.


During the first decade of the 2000s, the US made great progress in thwarting North Korea’s illicit behavior, especially its counterfeiting operation. A law enforcement campaign stretching to 130 countries infiltrated the secret trafficking circles and turned up millions of dollars in bogus bills. In one dramatic scene, authorities staged a wedding off the coast of Atlantic City, New Jersey, to lure suspects and arrest them when they showed up. The US Treasury Department also deployed its expanded Patriot Act powers, levying financial sanctions on the suspect bank in Macau and freezing $25 million in assets.

The wide-reaching American operation seemed to work. By 2008, the prevalence of supernotes had declined dramatically. One FBI agent involved in the US effort offered an explanation to Vice: “If the supernotes have stopped showing up, I’d venture to say that North Korea quit counterfeiting them. Perhaps they’ve found something else that’s easier to counterfeit after they lost the distribution network for the supernote.” Under pressure from American investigators, and challenged by a 2013 redesign of the $100 bill, the North Koreans moved on to newer tricks for illicitly filling their coffers.

It should be no surprise that hacking would be one of these. As The New York Times has reported, North Korean leadership has taken care to identify promising young people and get them computer science training in China or even—undercover as diplomats to the United Nations—in the States. Once trained, the North Koreans often live abroad, frequently in China, as they carry out their cyber operations. This gives them better internet connectivity and more plausible deniability of North Korean government ties, while still keeping them out of the reach of US law enforcement.


These North Korean hackers have carried out a systematic effort to target financial institutions all over the world. Their methods are bold, though not always successful. In their most profitable operations, they have manipulated how major financial institutions connect to the international banking system. By duping components of this system into thinking their hackers are legitimate users, they have enabled the transfer of tens of millions of dollars into accounts they control. They have tampered with log files and bank transaction records, prompting a flurry of security alerts and upgrades in international financial institutions. Most publicly, and perhaps by accident, the hackers have disrupted hundreds of thousands of computers around the world in a ham-fisted effort to hold valuable data for ransom. Through their successes and failures, they learned to modify and combine their tricks, evolving their operations to be more effective.

Even with a mixed track record, these attempts at manipulating the global financial system have literally paid off. The bounties from North Korean hacking campaigns are huge; the United Nations estimated the total haul at $2 billion, a large sum for a country with a gross domestic product of only about $28 billion. As North Korea continues to develop nuclear weapons and intercontinental ballistic missiles, cyberoperations help fund the regime. The scale of these operations is tremendous, at least relative to their past illicit efforts. Hackers now turn a far larger profit than the supernotes ever could.

But, as with the supernotes, the potential value of financial manipulation for North Korea goes at least somewhat beyond profit-seeking. If successful, it would also at least somewhat undermine the integrity of worldwide markets by deleting transaction records and distorting financial truth. Such tactics are tempting for government agencies but carry enormous risk. In the run-up to the Iraq War, The New York Times reported that the US considered draining Saddam Hussein’s bank accounts, but decided against it, fearful of crossing a Rubicon of state-sponsored cyber fraud that would harm the American economy and global stability. In 2014, President Barack Obama’s NSA review commission argued that the US should pledge never to hack and manipulate financial records. To do so, it said, would have a tremendously negative impact on trust in the global economic system.

BANK ROBBERY IS a terrible idea. Not only is it illegal, but it also yields an awful return on investment. In the US, the average bank robbery nets around $4,000 in cash, and the average bank robber pulls off only three heists before getting caught. Prospects are a little better overseas, but not much. Strikingly bold capers, like the 2005 theft at Banco Central in Brazil that required months of secretive tunnel-digging, can fetch tens of millions of dollars, but the vast majority of significant attempts end in catastrophic failure.

North Korean operatives found a better way to rob banks. They did not have to break through reinforced concrete or tunnel under vaults to get at the money, and they had no need to use force or threats. Instead, they simply duped the bank’s computers into giving it away. To do this, they set their sights on a core system in international business called the Society for Worldwide Interbank Financial Telecommunication, or SWIFT. The SWIFT system has been around since the 1970s. Its 11,000 financial institutions in more than 200 countries process tens of millions of transactions per day. The daily transfers total trillions of dollars, more than the annual gross domestic product of most countries. Many financial institutions in the SWIFT system have special user accounts for custom SWIFT software to communicate their business to other banks all over the world. Analyses from the cybersecurity firms BAE Systems and Kaspersky, as well as reporting in Wired, provide evidence for how the North Koreans targeted these accounts.

The Central Bank of Bangladesh stores some of its money in the Federal Reserve Bank of New York, which the Central Bank uses for settling international transactions. On February 4, 2016, the Bangladeshi bank initiated about three dozen payments. Per the transfer requests sent over the SWIFT system, the bank wanted some of its New York money, totaling almost $1 billion, moved to a series of other accounts in Sri Lanka and the Philippines.

Around the same time and halfway across the world, a printer inside the Central Bank of Bangladesh stopped working. The printer was an ordinary HP LaserJet 400, located in a windowless, 12- by 8-foot room. The device had one very important job: Day and night, it automatically printed physical records of the bank’s SWIFT transactions. When employees arrived on the morning of February 5, they found nothing in the printer’s output tray. They tried to print manually, but found they could not; the computer terminal connected to the SWIFT network generated an error message saying it was missing a file. The employees were now blind to transactions taking place at their own bank. The silent printer was the dog that did not bark—a sign that something was deeply wrong, but not immediately recognized as such.

This was not an ordinary machine failure. Instead, it was the culmination of shrewd North Korean preparation and aggressiveness. The hackers’ clever move was to target not the SWIFT system itself, but the machine through which the Bangladeshis connected to it. The special accounts used by the Central Bank of Bangladesh to interact with the system had enormous power, including the capacity to create, approve, and submit new transactions. By focusing their espionage on the bank’s network and users, the hackers were eventually able to gain access to these accounts.

It took time to figure out how the Bangladeshis connected to the SWIFT system and to get access to their credentials. Yet even as the hackers were moving through the bank’s network and preparing their operation—a process that took months—the Central Bank of Bangladesh failed to detect them. In part, this was because the bank was not looking very hard. After the hack, according to Reuters, a police investigation identified several shoddy security practices, including cheap equipment and a lack of security software, which made it easier for hackers to reach sensitive computers.

Once the hackers gained access to the bank’s SWIFT accounts, they could initiate transactions just like any authorized user. To further avoid detection, they wrote special malicious code to bypass the internal antifraud checks in SWIFT software. Worse still, they manipulated transaction logs, making it harder to figure out where the bank’s money was going and casting doubt on the veracity of the logs upon which this, and every, high-volume financial institution depends. The North Korean strike against these logs was a dagger to the heart of the system. They sidelined the printer with additional malicious code, buying themselves time while the system processed their illicit transfer requests.
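The log manipulation described above is the part of the operation a defender can actually test for. The following Python is an added illustration, not code from the article or from any bank's or SWIFT's software: it hash-chains a local transaction log so that a deleted or edited entry breaks verification, and reconciles that log against an independent record (here, a constructed set of confirmations from the correspondent bank, playing the role the New York Fed and the paper printout play in the story). Message ids, amounts and beneficiary names are constructed values.

```python
# Added example (not from the article): two defender-side checks for the
# kind of record tampering described above. (1) The local transaction log is
# hash-chained, so a deleted or edited entry breaks verification of the
# entry that follows it. (2) The local log is reconciled against an
# independent record, here the correspondent bank's confirmations. Message
# ids, amounts and beneficiary names are constructed values.
import copy
import hashlib
import json

GENESIS = "0" * 64  # stands in for the "previous hash" of the first entry


def _canonical(rec):
    """Stable serialisation so the hash does not depend on key order."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":"))


def chain_hash(prev_hash, rec):
    """Hash of one record bound to the hash of the record before it."""
    return hashlib.sha256((prev_hash + _canonical(rec)).encode()).hexdigest()


def build_chain(records):
    """Wrap records as [{'rec': ..., 'hash': ...}, ...], each hash chained."""
    chain, prev = [], GENESIS
    for rec in records:
        prev = chain_hash(prev, rec)
        chain.append({"rec": rec, "hash": prev})
    return chain


def verify_chain(chain):
    """Return indexes of entries whose stored hash no longer matches.

    An edited entry fails at its own index; a deleted entry makes the next
    one fail, because it was hashed against a predecessor that is now gone.
    """
    bad, prev = [], GENESIS
    for i, entry in enumerate(chain):
        if chain_hash(prev, entry["rec"]) != entry["hash"]:
            bad.append(i)
        prev = entry["hash"]
    return bad


def reconcile(chain, confirmations):
    """Compare the local log with confirmations from an independent party.

    missing_locally: confirmed by the counterparty but absent from our log
    unconfirmed:     in our log but never seen by the counterparty
    mismatched:      on both sides, but with a different amount or beneficiary
    """
    local = {e["rec"]["msg_id"]: e["rec"] for e in chain}
    remote = {c["msg_id"]: c for c in confirmations}
    both = set(local) & set(remote)
    return {
        "missing_locally": sorted(set(remote) - set(local)),
        "unconfirmed": sorted(set(local) - set(remote)),
        "mismatched": sorted(
            m for m in both
            if (local[m]["amount"], local[m]["beneficiary"])
            != (remote[m]["amount"], remote[m]["beneficiary"])
        ),
    }


# Constructed sample data: what the bank's own SWIFT log held, and what the
# correspondent bank confirms it received.
LOCAL_RECORDS = [
    {"msg_id": "MT103-0001", "amount": 1_500_000, "beneficiary": "BANK-A"},
    {"msg_id": "MT103-0002", "amount": 20_000_000, "beneficiary": "EXAMPLE-FOUNDATION"},
    {"msg_id": "MT103-0003", "amount": 950_000, "beneficiary": "BANK-B"},
]
CONFIRMATIONS = [dict(r) for r in LOCAL_RECORDS]


def tampered_copy(chain):
    """Constructed tampering: hide one transfer and redirect another,
    without recomputing the stored hashes."""
    t = copy.deepcopy(chain)
    del t[1]                                     # MT103-0002 disappears
    t[1]["rec"]["beneficiary"] = "MULE-ACCOUNT"  # MT103-0003 now points elsewhere
    return t


if __name__ == "__main__":
    chain = build_chain(LOCAL_RECORDS)
    print("clean log:", verify_chain(chain), reconcile(chain, CONFIRMATIONS))
    bad = tampered_copy(chain)
    print("tampered log:", verify_chain(bad), reconcile(bad, CONFIRMATIONS))
```

The chain only has teeth if its head is anchored somewhere the intruder cannot write to (an off-host store, or the printed ledger in the story): an attacker with write access to the log can recompute the hashes. The reconciliation step is what the printer and the Fed's queries provided in practice, and it catches the deletion even when the hashes have been rewritten.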

The hackers thus sent their payment requests to New York unbeknownst to anyone in Bangladesh. But employees at the New York Fed realized something was amiss. When they noticed the sudden batch of Bangladeshi transactions, they thought it was unusual that many of the receiving accounts were private entities, not other banks. They questioned dozens of the transfers and sent requests for clarification back.

It was not until the Bangladeshis managed to get their computer systems working again that they realized the severity of the situation. The newly repaired printer spit out the backlog of transaction records, including many that immediately looked suspicious. By the time the central bankers urgently reached out to their counterparts in New York, it was too late. The weekend had come, and the American workers had gone home; the North Korean hackers had either gotten very lucky with the timing of their operation or had planned it remarkably well. The Bangladeshi bankers had to sweat out the days until the Fed staff came back to work.

Monday brought mixed news. On the positive side was that vigilant New York Fed analysts had stopped most of the transactions, totaling more than $850 million. This included one $20 million transfer request with an especially odd intended recipient: the “Shalika Fandation” in Sri Lanka. It appears the hackers intended to write “Shalika Foundation,” though no nonprofit by that name, even properly spelled, seems to exist. To the extent that this typo helped alert analysts to the fraud, it must count as one of the most expensive in history, at least for the hackers.

The bad news was that four transactions had gone through. The transactions sent a total of $81 million to accounts at Rizal Bank in the Philippines. The Bangladeshis were less fortunate with Rizal Bank, which had already placed the money in several accounts tied to casinos. Someone, acting as a so-called money mule, had made withdrawals from these accounts on February 5 and February 9—the latter even after the Bangladeshis had warned Rizal Bank of the fraud. (The bank did not respond to requests for comment.) Of the $81 million sent to the Rizal accounts, according to a lawsuit, only $68,356 remained. The rest was gone.

Investigators from the British firm BAE Systems began tracking the bank hackers and uncovered several important clues that identified the North Koreans as perpetrators. They linked some of the code used in the Bangladesh intrusion to earlier North Korean hacks, most notably the 2014 operation against Sony. The investigation reached a clear verdict: From a world away, and from the comfort of their homes and offices, North Korea’s hackers had manipulated transaction records, exploited the system of interbank trust, and pulled off one of the biggest bank heists in history.

AS REMARKABLE AS the Bangladesh operation was, it was just one part of what was eventually recognized as a worldwide campaign. A parallel target of that campaign was a Southeast Asian bank that has not been named in public. In this second operation, the hackers followed a series of fairly well-orchestrated steps. They appear to have initially compromised their target via the server that hosted the bank’s public-facing website.

In December 2015, they expanded their malicious presence from that server to a different server within the bank. This one ran the powerful SWIFT software that connected the bank to the global financial system. The next month, the hackers deployed additional tools to begin moving within the target network and positioning malicious code to interact with the SWIFT system. On January 29, 2016, the hackers tested some of these tools. They did so almost precisely at the same time that they performed similar activity in their Bangladesh operation.

On February 4, just as the hackers began initiating payment requests in Bangladesh, they also manipulated the Southeast Asian bank’s SWIFT software. However, unlike in the parallel Bangladesh campaign, they did not yet initiate any fraudulent transactions. Slightly more than three weeks after that, the hackers caused a halt in operations at the second bank. Little is known about the circumstances surrounding this disruption.

Even after they took the money from the Central Bank of Bangladesh, the hackers kept up their focus on their second target. In April, they deployed keylogging software to the bank’s SWIFT server, presumably to gain additional credentials to the most powerful user accounts. These credentials, the keys to the bank’s SWIFT kingdom, would be essential to stealing money.

But by now the world of international banking sensed danger, in part aided by BAE’s investigation. SWIFT released new security updates in May in response to the alarm surrounding the Bangladesh incident and worries about the integrity of the financial system. The hackers would have to circumvent these updates to carry out their mission. By July, they began testing new malicious code for that purpose. In August, they once again began deploying code against the bank’s SWIFT server, presumably with the goal of soon transferring funds.

It was here that, despite all their careful testing and deployment of malicious code, the North Koreans hit a fatal snag: The Southeast Asian bank was better prepared and better defended than the Bangladeshi one had been. In August 2016, more than seven months after the hackers had made their initial entry, the bank found the breach. They hired Kaspersky, the high-profile Russian cybersecurity company, to investigate. The hackers, realizing that investigators were in hot pursuit and acting quickly to shut down the operation against the bank, deleted a large number of files to cover their tracks, but missed some. This mistake allowed Kaspersky to discover that much of the malicious code overlapped with that used in the bank hacking incident in Bangladesh.

BAE Systems’ and Kaspersky’s investigations brought the contours of North Korea’s campaign into view. It had ambitions much larger than just the two banks. Notably, in January 2017, the North Koreans compromised a Polish financial regulator’s systems and caused it to serve malicious code to any visitors to its websites, many of which were financial institutions. The North Koreans preconfigured that malicious code to act against more than 100 institutions from all over the world, primarily banks and telecommunications companies. The list of targets included the World Bank, central banks from countries such as Brazil, Chile, and Mexico, and many other prominent financial firms.

Nor did the North Koreans limit themselves to seeking out traditional currencies. Their campaign included a series of efforts to steal increasingly valuable cryptocurrencies like bitcoin from unsuspecting users all over the world. They also targeted a significant number of bitcoin exchanges, including a major one in South Korea known as Youbit. In that case, the exchange lost 17 percent of its financial assets to North Korean hackers, though it refused to specify how much that amounted to in absolute terms. One estimate from Group-IB, a cybersecurity company, pegged North Korea’s profit from some of their little-noticed operations against cryptocurrency exchanges at more than $500 million. While it is impossible to confirm this estimate or the details of the hacks on cryptocurrency exchanges, the size of the reported loss emphasizes the degree to which the North Koreans have plundered smaller and more private financial institutions, almost entirely out of view.

The cybersecurity companies reached a consensus: The North Koreans had clearly reoriented some of their hacking tools and infrastructure from destructive capabilities to financially lucrative and destabilizing ones. The same country that had launched denial-of-service attacks against the US in 2009, wiped computers across major South Korean firms in 2013, and hit Sony in 2014 was now in the business of hacking financial institutions. The most isolated and sanctioned regime on the planet, as it continued to pour money into acquiring illicit nuclear weapons, was funding itself in part through hacking. It was yet another way in which statecraft and cyberoperations had intersected. Far more was to come.

THE NORTH KOREAN hackers had clearly mastered several key hacking tasks that once would have been far beyond them. They could get deep access to banks’ computer networks in countries all over the world by deploying malicious code, conducting extensive reconnaissance, and remaining largely undetected. They had also developed an exceptional understanding of the SWIFT system and how banks connected to it, updating their tactics and tools to keep pace with the urgent security upgrades SWIFT and financial institutions kept rolling out.

But they had a problem: In too many cases, they issued a fraudulent transaction without being able to actually get the pilfered funds. Banks had sometimes thwarted the theft operations in their final withdrawal stages. The North Koreans needed a better way to cash out.

In the summer of 2018, the hackers tried a new tactic. The operation began with the compromise of Cosmos Cooperative Bank in India sometime around June. Once inside Cosmos, they developed a thorough understanding of how the bank functioned and gained secret access to significant parts of its computing infrastructure. Throughout the summer of 2018, they seemed to be preparing for a new kind of operation. This time, they would use ATM cards as well as electronic funds transfers to get the money out.

The premise of an ATM cash-out is quite straightforward and predates the North Koreans’ operations: Hackers gain access to the credentials of a bank’s customer, and then a money mule shows up at an ATM and withdraws money from that account. With no bank teller to talk to or physical branch to enter, the chance of arrest is substantially lower. Previous ATM cash-outs by different criminal hackers had worked at a small scale, including against the National Bank of Blacksburg in Virginia. The challenge was getting the target’s card and PIN to dupe the ATM into disbursing the money.

But before the North Koreans could act, US intelligence agencies caught a whiff that something was amiss. While it seems the US government did not know specifically which financial institution the North Koreans had compromised, the FBI issued a private message to banks on August 10. In it, the bureau warned of an imminent ATM cash-out scheme due to a breach at small- to medium-size banks. The breach fit into a pattern of what investigators often called “unlimited operations” because of the potential for many withdrawals. The FBI urged banks to be vigilant and to upgrade their security practices.

It did not matter. On August 11, the North Koreans made their move. In a window that lasted only a little over two hours, money mules in 28 countries sprang into action. Operating with cloned ATM cards that worked just like real ones, they withdrew money from machines all over the world in amounts ranging from $100 to $2,500. Whereas previous North Korean attempts had failed because large bank transfers were hard to miss and easy to reverse, this effort was designed to be broad, flexible, and fast. The total take was around $11 million.

One question immediately surfaced: How did the North Koreans manage this? For each withdrawal, they would have had to trick Cosmos Bank’s authentication system into permitting the disbursal of money at the ATM. Even if they had some information for each customer’s account, it is exceptionally unlikely that they had managed to get the PINs of so many individuals. Without those numbers, every attempt at authenticating the withdrawal requests should have failed.

Saher Naumaan and other researchers at BAE Systems offered a theory that fits the available evidence quite well. They surmised that the North Korean compromise of the Cosmos computer infrastructure might have been so thorough that the hackers were able to manipulate the fraudulent authentication requests themselves. As a result, when each withdrawal request made its way through the international banking system to Cosmos Bank, it was likely misdirected to a separate authentication system set up by the hackers. This system would approve the request and bypass any fraud-detection mechanisms Cosmos had in place. A senior police official in India later confirmed this supposition to the Times of India.
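The theory above turns on a single design question: can the party that pays out cash tell whether an approval really came from the issuing bank, or from a substitute system standing in its place? The Python below is an added illustration, not the article's material and not a description of Cosmos Bank's or any card network's actual protocol. It models the defence in a simplified way: the network switch and the issuer's core share a key, every authorization response carries an HMAC bound to the exact request it answers, and the switch refuses any approval whose MAC does not verify or that answers a different request. Card tokens, ATM ids, balances and the shared key are constructed values.

```python
# Added example (not from the article): authenticating ATM authorization
# responses so that a substitute "authentication system" cannot approve
# withdrawals on the issuer's behalf. Simplified model, not a real card
# network protocol: the switch and the issuing bank's core share a key,
# every response carries an HMAC bound to the request it answers, and the
# switch refuses any approval whose MAC does not verify. Card tokens, ATM
# ids and balances are constructed values.
import hashlib
import hmac
import json
import secrets


def _mac(key, fields):
    """HMAC-SHA256 over a canonical serialisation of the given fields."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_request(card_token, amount, atm_id):
    """Switch side: an authorization request carrying a fresh nonce."""
    return {"card": card_token, "amount": amount, "atm": atm_id,
            "nonce": secrets.token_hex(8)}


def issuer_authorize(key, request, balances, pin_valid):
    """Issuer core: decide, then MAC the decision together with the request."""
    if pin_valid and balances.get(request["card"], 0) >= request["amount"]:
        decision = "APPROVED"
    else:
        decision = "DECLINED"
    body = {**request, "decision": decision}
    return {**body, "mac": _mac(key, body)}


def rogue_authorize(request):
    """Constructed attacker model: an 'approval' from a system without the key."""
    body = {**request, "decision": "APPROVED"}
    return {**body, "mac": _mac(b"not-the-shared-key", body)}


def switch_validate(key, request, response):
    """Switch side: pay out only if the MAC verifies under the shared key and
    the response answers this exact request (same card, amount, ATM, nonce).
    Returns (approved, reason)."""
    fields = {k: v for k, v in response.items() if k != "mac"}
    if not hmac.compare_digest(_mac(key, fields), response.get("mac", "")):
        return False, "bad MAC: response not from the issuer"
    for k in ("card", "amount", "atm", "nonce"):
        if fields.get(k) != request[k]:
            return False, f"response does not match request field {k}"
    return fields["decision"] == "APPROVED", fields["decision"]


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # shared by switch and issuer core
    balances = {"tok-1234": 5000}      # constructed account balance
    req = build_request("tok-1234", 2500, "ATM-01")
    print("issuer:", switch_validate(key, req, issuer_authorize(key, req, balances, True)))
    print("rogue: ", switch_validate(key, req, rogue_authorize(req)))
```

Binding the MAC to the request nonce also stops a genuine approval from being replayed against a second withdrawal, which matters when mules make many withdrawals in a short window as in the Cosmos case. What the model cannot fix is an issuer core that has itself been taken over: if the intruder holds the shared key, the switch sees valid MACs, and the defence has to come from the issuer's own fraud controls and from monitoring for an authorization path that has been re-routed.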

Once the cash-out was successful, the hackers also went back to Plan A: Two days later, they initiated three more transfers using the SWIFT system from Cosmos Bank to an obscure company in Hong Kong, netting around another $2 million. The firm, ALM Trading Limited, had been created and registered with the government just a few months before. Its nondescript name and apparent lack of web presence make it exceptionally difficult to learn more about it or about the fate of the money transferred to it, though it seems likely that the North Koreans collected the cash.

Given that the Cosmos operation raised questions about authentication and trust in financial transactions, it shows how the North Koreans’ tactics of theft, ransom, and financial-record manipulation can have impacts that go beyond just the acquisition of funds for the regime. Future operations may try to exploit this potential for destabilization more directly, perhaps by flooding the SWIFT system with fraudulent transactions to cause still-greater doubts about its integrity.

There is no reason to think that the North Korean financial campaign will stop. For years, its operational hallmark has been code that continually evolves and improves. What the North Koreans lack in skill, at least when compared with their counterparts at the NSA, they partially make up for in aggressiveness and ambition. They seem mostly uninhibited by worries of blowback and appear to welcome the consequences of disrupting thousands of computers or modifying vitally important financial records. In gaining much-needed cash, they slowly reshape and advance their position geopolitically. They incur setbacks, to be sure, but over time their hackers have garnered vast sums for the regime while threatening the perceived integrity of global financial systems. The days of supernotes are gone, but North Korea has brought together fraud and destabilization once again.
